[ 
https://issues.apache.org/jira/browse/OAK-10719?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Julian Reschke updated OAK-10719:
---------------------------------
    Description: 
See <https://github.com/apache/lucene/issues/11537>.

Analysis so far:

- oak-lucene uses lucene-core (4.7.2) (see OAK-10716); that version reached 
EOL a long time ago
- the version is vulnerable to a DoS attack (regexp stack overflow), see 
OAK-10713
- oak-lucene *embeds* and *exports* lucene-core

Work in <https://github.com/reschke/jackrabbit-oak-lucene/tree/lucene-poc>:

- inlined lucene-core as of git tag "releases/lucene-solr/4.7.2" into oak-lucene
- backported fix from 





  was:
See <https://github.com/apache/lucene/issues/11537>.

Analysis so far:




> oak-lucene uses lucene version vulnerable to DoS attack
> -------------------------------------------------------
>
>                 Key: OAK-10719
>                 URL: https://issues.apache.org/jira/browse/OAK-10719
>             Project: Jackrabbit Oak
>          Issue Type: Bug
>          Components: lucene
>            Reporter: Julian Reschke
>            Assignee: Julian Reschke
>            Priority: Major
>
> See <https://github.com/apache/lucene/issues/11537>.
> Analysis so far:
> - oak-lucene uses lucene-core (4.7.2) (see OAK-10716); that version 
> reached EOL a long time ago
> - the version is vulnerable to a DoS attack (regexp stack overflow), see 
> OAK-10713
> - oak-lucene *embeds* and *exports* lucene-core
> Work in <https://github.com/reschke/jackrabbit-oak-lucene/tree/lucene-poc>:
> - inlined lucene-core as of git tag "releases/lucene-solr/4.7.2" into 
> oak-lucene
> - backported fix from 



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
