
Solr Versions | Jar or Path | Related CVEs | Date Added | Status & Notes
--- | --- | --- | --- | ---
< 9.1 | commons-configuration2-2.7.jar | 2022-33980 | 20 Oct 2022 | Solr uses commons-configuration2 for "hadoop-auth" only (for Kerberos). It is only used for loading Hadoop configuration files that would only ever be provided by trusted administrators, not externally (untrusted).
< 9.1 | commons-text-1.9.jar | 2022-42889 | 20 Oct 2022 | Solr uses commons-text directly (StringEscapeUtils.escapeEcmaScript) in LoadAdminUiServlet, which is not vulnerable. Solr also has a "hadoop-auth" module that uses Apache Hadoop, which uses commons-text through commons-configuration2. For Solr, the concern is limited to loading Hadoop configuration files that would only ever be provided by trusted administrators, not externally (untrusted).
< 9.1 | hadoop-common-3.2.2.jar | 2022-25168 | 24 Oct 2022 | The vulnerable code is not used by Solr because Solr only uses HDFS as a client.
7.4-8.11.1 | log4j-core-2.14.1.jar and log4j-core-2.16.0.jar | 2021-44832 | 7 Jan 2021 | Solr's default log configuration doesn't use JDBCAppender, and we don't imagine a user would want to use it or other obscure appenders.
7.4-8.11.1 | log4j-core-2.14.1.jar and log4j-core-2.16.0.jar | 2021-45105, 2021-45046 | 21 Dec 2021 | The MDC data used by Solr are the collection, shard, replica, core and node names, and a potential trace id, which are all sanitized. Furthermore, Solr's default log configuration doesn't use the double-dollar-sign syntax, and we don't imagine a user would want to do that.
8.1.0-today | avatica-core-1.13.0.jar and calcite-core-1.18.0.jar | 2020-13955 | 20 Nov 2020 | Solr's SQL adapter does not use the vulnerable class "HttpUtils". Calcite only used it to talk to Druid or Splunk.
5.4.0-today | carrot2-guava-18.0.jar | 2018-10237 | 31 Dec 2018 | Only used with the Carrot2 clustering engine.
4.9.0-7.5.0 | commons-beanutils-1.8.3.jar | 2014-0114 | 6 Jun 2018 | This is only used at compile time and cannot be used to attack Solr. Since it is generally unnecessary, the dependency has been removed as of 7.5.0. See SOLR-12617.
8.0.0-8.3.0 | commons-beanutils-1.9.3.jar | 2019-10086 | 21 Nov 2019 | While commons-beanutils was removed in 7.5, it was added back in 8.0 in error and removed again in 8.3. The vulnerable class was not used in any Solr code path. This jar remains a dependency of both Velocity and hadoop-common, but Solr does not use it in its implementations.
4.6.0-today | commons-compress (only as part of Ant 1.8.2) | 2012-2098, 2018-1324, 2018-11771 | 31 Dec 2018 | Only used in the test framework and at build time.
4.6.0-today | derby-10.9.1.0.jar | | 3 Nov 2018 | Used only in DataImportHandler tests and the example implementation, which should not be used in production.
4.6.0-today | dom4j-1.6.1.jar | 2018-1000632 | 31 Dec 2018 | Only used in Solr tests.
4.6.0-today | guava-*.jar | 2018-10237, etc. | 31 Dec 2018 | Only used in tests.
6.6.1-7.6.0 | hadoop-auth-2.7.4.jar, hadoop-hdfs-2.7.4.jar (all Hadoop) | 2017-15718 | 6 Jun 2018 | Does not impact Solr because Solr uses Hadoop as a client library.
6.0.0-7.5.0 | icu4j-56.1.jar, icu4j-59.1.jar | 2017-14952 | 6 Jun 2018 | The issue applies only to the C++ release of ICU and not to ICU4J, which is what Lucene uses. ICU4J is at v63.2 as of Lucene/Solr 7.6.0.
4.7.0-today | jackson-databind-*.jar | 2017-15095, 2017-17485, 2017-7525, 2018-5968, 2018-7489, 2019-12086, 2019-12384, 2018-12814, 2019-14379, 2019-14439, 2020-35490, 2020-35491, 2021-20190, 2019-14540, 2019-16335 | 6 Jun 2018 | These CVEs, and most of the known jackson-databind CVEs since 2017, are all related to problematic "gadgets" that could be exploited during deserialization of untrusted data. The Jackson developers described 4 conditions that must all be met in order for a problematic gadget to be exploited; see https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062. Solr's use of jackson-databind does not meet 1 of the 4 conditions, which makes these CVEs unexploitable. The specific condition that Solr does not meet is the 3rd one: "Enable polymorphic type handling..." Solr does not include any polymorphic type handling, and Solr does not configure jackson-databind de/serialization to expect or include class names in serialized JSON. Two CVEs, 2019-14540 and 2019-16335, are related to the HikariConfig and HikariDataSource classes, neither of which is used in Solr's code base.
7.7.0-8.2 | jetty-9.4.14 | 2019-10241, 2019-10247 | 18 Oct 2019 | Solr upgraded to Jetty 9.4.19 for the 8.2 release. Additionally, the path to exploit these vulnerabilities was fixed in 8.1 and 7.7.2. Earlier versions can manually patch their configurations as described in SOLR-13409.
7.3.0-8.8.0 | jetty-9.4.0 to 9.4.34 | 2020-27218 | 18 Feb 2021 | Only exploitable through use of Jetty's GzipHandler, which is only implemented in Embedded Solr Server.
7.3.0-present | jetty-9.4.6 to 9.4.36 | 2020-27223 | 1 Jun 2021 | Only exploitable if Solr's webapp directory is deployed as a symlink, which is not Solr's default.
to present | jdom-*.jar | 2021-33813 | 19 Aug 2021 | JDOM is only used in Solr Cell, which should not be used in production, which makes the vulnerability unexploitable. It is a dependency of Apache Tika, which has analyzed the issue and determined that the vulnerability is limited to two libraries not commonly used in search applications; see TIKA-3488 for details. Since Tika should be used outside of Solr, use a version of Tika that updates the affected libraries if concerned about exposure to this issue.
4.6.0-7.6.0 | junit-4.10.jar | 2018-1000056 | 31 Dec 2018 | JUnit is only used in tests; the CVE only refers to a Jenkins plugin not used by Solr.
7.3.1 | lucene-analyzers-icu-7.3.1.jar | 2014-7940, 2016-6293, 2016-7415, 2017-14952, 2017-17484, 2017-7867, 2017-7868 | 6 Jun 2018 | All of these issues apply to the C++ release of ICU and not to ICU4J, which is what Lucene uses.
8.2-8.3 | netty-all-4.1.29.Final.jar | 2019-16869 | 21 Nov 2019 | This is not included in Solr but is a dependency of ZooKeeper 3.5.5. The version was upgraded in ZooKeeper 3.5.6, included with Solr 8.3. The specific classes mentioned in the CVE are not used in Solr (nor in ZooKeeper, as far as the Solr community can determine).
5.2.0-today | org.restlet-2.3.0.jar | 2017-14868, 2017-14949 | 31 Dec 2018 | Solr should not be exposed outside a firewall where bad actors can send HTTP requests. These two CVEs specifically involve classes (SimpleXMLProvider and XmlRepresentation, respectively) that Solr does not use in any code path.
6.5.0-today | protobuf-java-3.1.0.jar | 2015-5237 | 3 Nov 2018 | Dependency for Hadoop and Calcite. ??
5.4.0-7.7.2, 8.0-8.3 | simple-xml-2.7.1.jar | 2018-1471 | 3 Jan 2019 | Dependency of Carrot2 and used during compilation, not at runtime (see SOLR-769). This .jar was replaced in Solr 8.3 and the change backported to 7.7.3 (see SOLR-13779).
4.x-today | slf4j-api-1.7.24.jar, jcl-over-slf4j-1.7.24.jar, jul-to-slf4j-1.7.24.jar | 2018-8088 | 6 Feb 2019 | The reported CVE impacts org.slf4j.ext.EventData, which is not used in Solr.
7.3.1-7.5.0 | tika-core.1.17.jar (and earlier) | 2018-1335 | 6 Jun 2018 | Solr does not run tika-server, so this is not a problem.
7.3.1-today | tika-core.*.jar (all versions) | various | 6 Jun 2018 | All Tika issues that could be Solr vulnerabilities would only be exploitable if untrusted files are indexed with SolrCell. This is not recommended in production systems, so Solr does not consider these valid CVEs for Solr.
6.6.2-today | velocity-tools-2.0.jar contains Apache Struts 2.0.0 | link to CVEs | 3 Nov 2018 | Solr does not ship a Struts jar. This is a transitive POM listing and is not included with Solr (see comment in SOLR-2849).
5.5.5, 6.2.0-today | vorbis-java-tika-0.8.jar | 2016-6809, 2018-1335, 2018-1338, 2018-1339 | 6 Jun 2018 | See https://github.com/Gagravarr/VorbisJava/issues/30; the reported CVEs are not related to OggVorbis at all.
~2.9-today | xercesImpl-2.9.1.jar | 2012-0881 | 6 Jun 2018 | Only used in Lucene Benchmarks and Solr tests.
