Hi,

Please see the security page https://solr.apache.org/security.html#cve-reports-for-apache-solr-dependencies which lists CVEs that are vulnerable.

CVE-2022-42889 is listed as "not affected":

> Solr uses commons-text directly (StringEscapeUtils.escapeEcmaScript) in LoadAdminUiServlet that is not vulnerable. Solr also has a "hadoop-auth" module that uses Apache Hadoop which uses commons-text through commons-configuration2. For Solr, the concern is limited to loading Hadoop configuration files that would only ever be provided by trusted administrators, not externally (untrusted).

So nothing to worry about. If you cannot go to Solr 9, you should at least upgrade to 8.11.3: https://solr.apache.org/docs/8_11_3/changes/Changes.html

Jan

> On 17 June 2024 at 22:41, Hodder, Rick (Property and Casualty CIO) <richard.hod...@thehartford.com.INVALID> wrote:
>
> Hi,
>
> I am currently using Solr 8.11.1
>
> My network operations tech sent me information about CVE-2022-42889
>
> NVD - CVE-2022-42889 (nist.gov) <https://nvd.nist.gov/vuln/detail/CVE-2022-42889>
>
> Which basically is saying that Apache Commons Text versions 1.5-1.9 have a vulnerability.
> 8.11.1 appears to use version 1.0.6 of the dll.
>
> I can't update that dll, right? I would need to use a higher version of SOLR (I am currently testing 9.4), right?
>
> Thanks,
>
> RICK HODDER
> Staff Software Engineer
> Global Specialty
> The Hartford <https://www.thehartford.com/>
> 83 Wooster Heights Rd. | 2nd floor
> Danbury, CT, 06810
> W: 475-329-6251
>
> Email: richard.hod...@thehartford.com <mailto:richard.hod...@thehartford.com>
> www.thehartford.com <https://www.thehartford.com/>
> www.facebook.com/thehartford <https://www.facebook.com/thehartford>
> twitter.com/thehartford <https://twitter.com/thehartford>
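The distinction Jan draws above (an escaping call versus variable interpolation) is easy to verify on your own classpath. The following is an added example, written for this page and not taken from the thread or from Solr's code. It puts the call Solr makes, StringEscapeUtils.escapeEcmaScript, next to the StringSubstitutor interpolation pattern that CVE-2022-42889 describes, and next to a map-only substitution that never consults a lookup. The class name CommonsTextCheck, the sample input and the map key are constructed for illustration; the example assumes commons-text 1.5 or later on the classpath and, for the interpolator case to actually evaluate anything, a JDK with a JSR-223 JavaScript engine (Nashorn on JDK 8 to 14).

```java
// Added example (not from the thread or from Solr). Assumptions: commons-text
// 1.5+ on the classpath; a JSR-223 JavaScript engine available to the JVM.
import java.util.Collections;
import org.apache.commons.text.StringEscapeUtils;
import org.apache.commons.text.StringSubstitutor;
import org.apache.commons.text.lookup.StringLookupFactory;

public class CommonsTextCheck {

    // Constructed untrusted input using the documented "script:" lookup prefix.
    // The "/" is there so the escaping call visibly changes something.
    static final String UNTRUSTED = "${script:javascript:4 / 2}";

    // What LoadAdminUiServlet-style code does: character escaping only.
    // No lookup is performed; the output is the input with the characters
    // JavaScript treats specially backslash-escaped ("/" becomes "\/").
    // Nothing is evaluated, on any commons-text version.
    static String escapeOnly(String s) {
        return StringEscapeUtils.escapeEcmaScript(s);
    }

    // The pattern the CVE is about: the default interpolator lookup, which on
    // 1.5 through 1.9 resolves script:, dns: and url: prefixes. With a script
    // engine present this returns "2": the expression was executed.
    // (StringLookupFactory.interpolatorStringLookup() exists since 1.3, so this
    // compiles on every affected version; StringSubstitutor.createInterpolator()
    // is the newer shorthand for the same thing.)
    static String defaultInterpolator(String s) {
        return new StringSubstitutor(
                StringLookupFactory.INSTANCE.interpolatorStringLookup()).replace(s);
    }

    // Substitution that only ever consults an explicit map. The key
    // "script:javascript:4 / 2" is not in the map, so the text is left
    // untouched regardless of commons-text version.
    static String mapOnly(String s) {
        return new StringSubstitutor(
                Collections.singletonMap("solr.home", "/var/solr")).replace(s);
    }

    public static void main(String[] args) {
        System.out.println("escapeEcmaScript : " + escapeOnly(UNTRUSTED));
        System.out.println("map-only         : " + mapOnly(UNTRUSTED));
        System.out.println("interpolator     : " + defaultInterpolator(UNTRUSTED));
    }
}
```

Run it with the commons-text jar from your Solr distribution on the classpath: if the interpolator line prints "2", that jar is in the affected range and a script engine is present; on commons-text 1.10.0 and later the script, dns and url lookups are disabled by default in the interpolator and the text comes back unchanged. Either way the first two lines are unchanged text, which is the point of the "not affected" entry: the vulnerable behaviour needs an interpolator fed untrusted text, not an escaping call.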