Hi Colvin, I do "trivy image solr:9.3.0" and receive this:

com.google.guava:guava (hadoop-shaded-guava-1.1.1.jar)
com.google.guava:guava (hadoop-client-runtime-3.3.5.jar)

So, it's shaded via hadoop. But I was just about to answer my own request anyhow: I checked hadoop source for release 3.3.5 and could not find any mention of the problematic class "FileBackedOutputStream". So, maybe this is not a problem at all?

Stefan

From: Colvin Cowie <colvin.cowie....@gmail.com>
Date: Monday, 21. August 2023 at 13:19
To: users@solr.apache.org <users@solr.apache.org>
Subject: Re: HIGH CVE-2023-2976 in Solr 9.3.0

Hello.
Solr 9.3.0 itself shipped with guava-32.0.1-jre. Where exactly are you seeing the old version?

On Mon, 21 Aug 2023 at 11:59, Pieper, Stefan <stefan.pie...@coremedia.com.invalid> wrote:

> Hi there,
>
> a trivy image scan on solr:9.3.0 reveals CVE-2023-2976, rated HIGH, for
> com.google.guava:guava: 30.1.1-jre. I fail to find any information on
> relevance of this to Solr or Hadoop which introduces the dependency.
>
> Can you provide information on the severity of this CVE in context of Solr?
>
> Thanks!
>
> Stefan
>
> --
> Stefan Pieper
> Senior Software Engineer
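
An added example, not part of the original messages and not code from Solr, Hadoop or Trivy: one way to check the jars themselves for the class named in the thread, both as a bundled copy under any relocated (shaded) package and as a name mentioned by other class files. The sample jars, the "shaded/" relocation prefix and the org/example class names are constructed for illustration.

```python
import io
import zipfile

TARGET = "FileBackedOutputStream"  # the class named in the thread

def scan_jar(jar_bytes, simple_name=TARGET, prefix=""):
    """Return (bundled, referencing): archive paths of class files that define
    simple_name (any package, so relocated copies match) and of other class
    files whose bytes mention it (class names sit in the constant pool as text)."""
    bundled, referencing = [], []
    needle = simple_name.encode("ascii")
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            base = name.rsplit("/", 1)[-1]
            if name.endswith(".jar"):  # fat jars nest other jars
                try:
                    b, r = scan_jar(zf.read(info), simple_name, prefix + name + "!/")
                except zipfile.BadZipFile:
                    continue
                bundled += b
                referencing += r
            elif base.endswith(".class"):
                stem = base[:-len(".class")]
                if stem == simple_name or stem.startswith(simple_name + "$"):
                    bundled.append(prefix + name)
                elif needle in zf.read(info):
                    referencing.append(prefix + name)
    return bundled, referencing

def make_jar(entries):
    """Build an in-memory jar from {path: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for path, data in entries.items():
            zf.writestr(path, data)
    return buf.getvalue()

# Constructed sample, not the real Hadoop artifacts: placeholder bytes stand in
# for class files, and the relocation prefix "shaded/" is made up.
SHADED = make_jar({
    "shaded/com/google/common/io/FileBackedOutputStream.class": b"\xca\xfe\xba\xbe",
    "shaded/com/google/common/io/FileBackedOutputStream$1.class": b"\xca\xfe\xba\xbe",
    "shaded/com/google/common/io/Files.class": b"\xca\xfe\xba\xbe",
})
CLIENT = make_jar({
    "org/example/Uploader.class": b"\xca\xfe\xba\xbe..shaded/com/google/common/io/FileBackedOutputStream..",
    "org/example/Other.class": b"\xca\xfe\xba\xbe",
    "lib/shaded.jar": SHADED,
})
```

A bundled copy with an empty referencing list means the class ships but no other class in that jar names it. A non-empty list only shows the name is mentioned, which still has to be checked against the code paths actually used.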