[jira] [Resolved] (SOLR-13114) CVE-2018-8009 Threat Level 7 Against Solr v7.6. org.apache.hadoop : hadoop-common : 2.7.4. Apache Hadoop 3.1.0, 3.0.0-alpha to 3.0.2, 2.9.0 to 2.9.1, 2.8.0 to 2.8.4, 2.0.0-alpha to 2.7.6, 0.23.0 to 0.23.11 is exploitable via the zip slip vulnerability

Cassandra Targett (JIRA) Fri, 04 Jan 2019 13:05:07 -0800


     [ 
https://issues.apache.org/jira/browse/SOLR-13114?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]


Cassandra Targett resolved SOLR-13114.
--------------------------------------
    Resolution: Invalid

The vulnerability reported by the scanner is a false positive. It is not 
possible to exploit the vulnerability in this dependency in Solr.

We have created a page that includes this and several other dependencies that 
are flagged and explains how they are not true vulnerabilities for Solr: 
https://wiki.apache.org/solr/SolrSecurity#Solr_and_Vulnerability_Scanning_Tools.
 This .jar is listed there.

If you had discovered a real vulnerability, the ASF has created guidelines for 
how to report it, detailed here: https://www.apache.org/security/. Ideally, a 
report is sent to secur...@apache.org first, but if a JIRA is created first 
instead, you are encouraged to mark the issue as private so attack vectors are 
not exposed to the general public before they can be mitigated by the community 
in the form of patches or new releases.

> CVE-2018-8009  Threat Level 7 Against Solr v7.6.  org.apache.hadoop : 
> hadoop-common : 2.7.4. Apache Hadoop 3.1.0, 3.0.0-alpha to 3.0.2, 2.9.0 to 
> 2.9.1, 2.8.0 to 2.8.4, 2.0.0-alpha to 2.7.6, 0.23.0 to 0.23.11 is exploitable 
> via the zip slip vulnerability
> -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
>
>                 Key: SOLR-13114
>                 URL: https://issues.apache.org/jira/browse/SOLR-13114
>             Project: Solr
>          Issue Type: Bug
>      Security Level: Public(Default Security Level. Issues are Public) 
>    Affects Versions: 7.6
>         Environment: RedHat Linux.  May run from RHEL versions 5, 6 or 7 but 
> this issue is from Sonatype component scan and should be independent of Linux 
> platform version.
>            Reporter: RobertHathaway
>            Priority: Blocker
>
> We can't move to Solr 7 without fixing this issue flagged by Sonatype scan Of 
> Solr - 7.6.0 Build,
> Using Scanner 1.56.0-01
> Threat Level 7 Against Solr v7.6.  org.apache.hadoop : hadoop-common : 2.7.4
> Apache Hadoop 3.1.0, 3.0.0-alpha to 3.0.2, 2.9.0 to 2.9.1, 2.8.0 to 2.8.4, 
> 2.0.0-alpha to 2.7.6, 0.23.0 to 0.23.11 is exploitable via the zip slip 
> vulnerability in places that accept a zip file. 
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8009



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@lucene.apache.org
For additional commands, e-mail: dev-h...@lucene.apache.org

[jira] [Resolved] (SOLR-13114) CVE-2018-8009 Threat Level 7 Against Solr v7.6. org.apache.hadoop : hadoop-common : 2.7.4. Apache Hadoop 3.1.0, 3.0.0-alpha to 3.0.2, 2.9.0 to 2.9.1, 2.8.0 to 2.8.4, 2.0.0-alpha to 2.7.6, 0.23.0 to 0.23.11 is exploitable via the zip slip vulnerability

Reply via email to