Please consult https://solr.apache.org/security.html as well as https://cwiki.apache.org/confluence/display/SOLR/SolrSecurity#SolrSecurity-SolrandVulnerabilityScanningTools for latest updates on CVEs in Solr's dependencies. Quoting
> Solr uses commons-text directly (StringEscapeUtils.escapeEcmaScript) in LoadAdminUiServlet that is not vulnerable. Solr also has a "hadoop-auth" module that uses Apache Hadoop which uses commons-text through commons-configuration2. For Solr, the concern is limited to loading Hadoop configuration files that would only ever be provided by trusted administrators, not externally (untrusted).
>
> Jan
>
> On 16 Nov 2022 at 04:33, Arwa Daqqaq <[email protected]> wrote:
>
> Hello team,
>
> I was reading about the commons-text vulnerability, but I could not assure the recommended action by SOLR regarding this issue. I have read that version 1.10 does not have this security issue, but is there a patch for SOLR or is SOLR not affected by it? Please advise.
> Currently I have SOLR 8.11; is it better to upgrade to version 9, or is there a remedy or no issue for version 8.11?
>
> This is what I found on Aptech page:
> On 2022-10-13, the Apache Commons Text <https://commons.apache.org/proper/commons-text> team disclosed CVE-2022-42889 <https://www.cve.org/CVERecord?id=CVE-2022-42889>. Key takeaways:
>
> If you rely on software that uses a version of commons-text prior to 1.10.0, you are likely still not vulnerable: you are only affected when this software uses the StringSubstitutor API without properly sanitizing any untrusted input.
> If your own software uses commons-text, double-check whether it uses the StringSubstitutor API without properly sanitizing any untrusted input. If so, an update to 1.10.0 could be a quick workaround, but the recommended solution is to also properly validate and sanitize any untrusted input.
> Apache Commons Text is a low-level library for performing various text operations, such as escaping, calculating string differences, and substituting placeholders in the text with values looked up through interpolators.
> When using the string substitution feature, some of the available interpolators can trigger network access or code execution. This is intended, but it also means an application that includes user input in the string passed to the substitution without properly sanitizing it would allow an attacker to trigger those interpolators.
>
> For that reason the Apache Commons Text team have decided to update the configuration to be more "secure by default", so that the impact of a failure to validate inputs is mitigated and will not give an attacker access to these interpolators. However, it is still recommended that users treat untrusted input with care.
>
> From URL: Time-Consuming Remediation: Assessing the Impact of Text4Shell | eSecurityPlanet <https://www.esecurityplanet.com/threats/text4shell-vulnerability/>
>
> Thanks!!
>
> <http://www.tn.gov/finance>
> Arwa Daqqaq, CEDA | Business Intelligence Specialist
> Center for Enterprise Data & Analytics (CEDA)
> Enterprise Business Intelligence
> Supporting the Department of Finance & Administration – Strategic Technology Solutions (STS)
> 901 Rep. John Lewis Way North, Nashville, TN 37243
> Office: 615-741-2404 | Mobile: 615-424-8221
> [email protected] <mailto:[email protected]>
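As an added illustration of the pattern the quoted advisory describes (this is not code from the thread, from Solr, or from commons-text): a StringSubstitutor built with createInterpolator() resolves whatever lookup prefix untrusted text carries, while one built from an explicit allow-list of lookups leaves unknown prefixes as literal text. It assumes commons-text 1.10.0 on the classpath; the "app" prefix, its values and the untrusted field are constructed.

```java
import java.util.HashMap;
import java.util.Map;

import org.apache.commons.text.StringSubstitutor;
import org.apache.commons.text.lookup.StringLookup;
import org.apache.commons.text.lookup.StringLookupFactory;

public class SafeSubstitution {

    // Constructed: placeholders the application itself defines.
    // Nothing outside this map should ever resolve.
    private static final Map<String, String> APP_VALUES = Map.of(
            "user", "alice",
            "host", "solr-01");

    /** Locked-down substitutor: only "${app:...}" placeholders resolve. */
    static StringSubstitutor lockedDown() {
        Map<String, StringLookup> allowed = new HashMap<>();
        allowed.put("app", StringLookupFactory.INSTANCE.mapStringLookup(APP_VALUES));
        // defaultStringLookup=null: an unprefixed "${x}" resolves to nothing.
        // addDefaultLookups=false: do NOT add sys/env/file/... on top of the map.
        StringLookup lookup = StringLookupFactory.INSTANCE
                .interpolatorStringLookup(allowed, null, false);
        StringSubstitutor sub = new StringSubstitutor(lookup);
        sub.setDisableSubstitutionInValues(true); // resolved values are never re-expanded
        return sub;
    }

    public static void main(String[] args) {
        // Constructed: a template the application owns plus a field a user typed.
        String untrustedField = "Hello ${sys:java.version}";
        String template = "Welcome ${app:user}@${app:host}: " + untrustedField;

        // createInterpolator() registers the default lookups (sys, env, file, ...).
        // Even on 1.10.0, where script/dns/url were dropped from the defaults, the
        // untrusted "${sys:...}" still expands here, so the JVM version leaks out.
        System.out.println(StringSubstitutor.createInterpolator().replace(template));

        // With the allow-list, "${sys:java.version}" stays as literal text and
        // only the application's own "${app:...}" placeholders are filled in.
        System.out.println(lockedDown().replace(template));
    }
}
```

The same allow-list construction is the shape to reach for whenever a substitution template can contain any text that did not come from the application itself, regardless of the commons-text version in use.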
