[https://issues.apache.org/jira/browse/SOLR-17498?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17889742#comment-17889742]
Gus Heck edited comment on SOLR-17498 at 10/15/24 4:16 PM:
-----------------------------------------------------------
Solr 8.11.3 upgraded to jetty 9.4.53.v20231009 which fixes this CVE (see
[https://solr.apache.org/docs/8_11_4/changes/Changes.html#v8.11.3.other_changes])
If you have evidence that the most recent 8.x (8.11.4) is still vulnerable
please supply it, but please be aware that 8.x is very nearly EOL, and even if
you can demonstrate this vulnerability, it's unlikely there will be another 8.x
release to provide a fix. Lucene is currently trying to release 10.x and Solr
will follow soon.
Upgrading to 9.x is likely your best option if you do find this CVE to still be
present.
Also please read [https://solr.apache.org/security.html] noting especially the
very first paragraph :)
was (Author: gus_heck):
Solr 8.11.3 upgraded to jetty 9.4.53.v20231009 which fixes this CVE (see
[https://solr.apache.org/docs/8_11_4/changes/Changes.html#v8.11.3.other_changes])
If you have evidence that the most recent 8.x (8.11.4) is still vulnerable
please supply it, but please be aware that 8.x is very nearly EOL, and even if
you can demonstrate this vulnerability, it's unlikely there will be another 8.x
release to provide a fix. Lucene is currently trying to release 10.x and Solr
will follow soon.
Upgrading to 9.x is likely your best option if you do find this CVE to still be
present.
Also please read [https://solr.apache.org/security.html] noting especially the
very first line of the very first paragraph :)
> Apache Solr 8.11.3 - CVE-2023-44487
> -----------------------------------
>
> Key: SOLR-17498
> URL: https://issues.apache.org/jira/browse/SOLR-17498
> Project: Solr
> Issue Type: Bug
> Security Level: Public (Default Security Level. Issues are Public)
> Affects Versions: 8.11.3
> Reporter: Nikhil
> Priority: Critical
> Labels: security
> Fix For: 8.11.3
>
>
> The HTTP/2 protocol allows a denial of service (server resource consumption)
> because request cancellation can reset many streams quickly, as exploited in
> the wild in August through October 2023.
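As an added check, not part of the comment above or of the Solr project: a small Python script that inspects the Jetty jars shipped in a Solr 8.x install (server/lib) and reports any module below the 9.4.53 version the comment names as carrying the fix. The jar-name pattern and the sample directory listing are constructed assumptions.

```python
import re
from pathlib import Path

# Jetty version named in the comment above as the one that fixes CVE-2023-44487.
FIXED_JETTY = (9, 4, 53)

# Assumed Jetty jar naming: jetty-<module>-<major>.<minor>.<patch>[.v<yyyymmdd>].jar
JETTY_JAR = re.compile(r"^jetty-([a-z0-9-]+?)-(\d+)\.(\d+)\.(\d+)(?:\.v(\d{8}))?\.jar$")


def parse_jetty_jar(name):
    """Return (module, (major, minor, patch)) for a Jetty jar file name, else None."""
    m = JETTY_JAR.match(name)
    if not m:
        return None
    module, major, minor, patch, _date = m.groups()
    return module, (int(major), int(minor), int(patch))


def audit_jetty_jars(jar_names, minimum=FIXED_JETTY):
    """Sort jar names into Jetty modules at/above `minimum`, Jetty modules below it,
    and non-Jetty jars. Tuple comparison handles 9.4.53 vs 9.4.48 and 10.x alike."""
    result = {"ok": {}, "outdated": {}, "other": []}
    for name in jar_names:
        parsed = parse_jetty_jar(name)
        if parsed is None:
            result["other"].append(name)
            continue
        module, version = parsed
        bucket = "ok" if version >= minimum else "outdated"
        result[bucket][module] = version
    return result


def audit_solr_server_lib(solr_home):
    """Audit the jars actually present under <solr_home>/server/lib (Solr 8.x layout)."""
    lib = Path(solr_home) / "server" / "lib"
    return audit_jetty_jars(p.name for p in lib.glob("*.jar"))


# Constructed sample listing: two jars at the fixed version, one older Jetty jar, one non-Jetty jar.
SAMPLE_LISTING = [
    "jetty-server-9.4.53.v20231009.jar",
    "jetty-http-9.4.53.v20231009.jar",
    "jetty-http2-server-9.4.48.v20220622.jar",
    "metrics-core-4.1.5.jar",
]

if __name__ == "__main__":
    for module, version in audit_jetty_jars(SAMPLE_LISTING)["outdated"].items():
        print(f"jetty-{module} {'.'.join(map(str, version))} is below the fixed version")
```

Run `audit_solr_server_lib("/path/to/solr")` against a real install; an empty `outdated` dict means every Jetty jar present is at or above the version the comment cites.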
--
This message was sent by Atlassian Jira
(v8.20.10#820010)