Critical and Severe security vulnerabilities against Solr v7.1. Many of these appear to be from old open source framework versions.
Threat Level  Problem Code        Component                                                Status
9             CVE-2017-7525       com.fasterxml.jackson.core : jackson-databind : 2.5.4    Open
              CVE-2016-1000031    commons-fileupload : commons-fileupload : 1.3.2          Open
              CVE-2015-1832       org.apache.derby : derby : 10.9.1.0                      Open
              CVE-2017-7525       org.codehaus.jackson : jackson-mapper-asl : 1.9.13       Open
              CVE-2017-7657       org.eclipse.jetty : jetty-http : 9.3.20.v20170531        Open
              CVE-2017-7658       org.eclipse.jetty : jetty-http : 9.3.20.v20170531        Open
              CVE-2017-1000190    org.simpleframework : simple-xml : 2.7.1                 Open
7             sonatype-2016-0397  com.fasterxml.jackson.core : jackson-core : 2.5.4        Open
              sonatype-2017-0355  com.fasterxml.jackson.core : jackson-core : 2.5.4        Open
              CVE-2014-0114       commons-beanutils : commons-beanutils : 1.8.3            Open
              CVE-2018-1000632    dom4j : dom4j : 1.6.1                                    Open
              CVE-2018-8009       org.apache.hadoop : hadoop-common : 2.7.4                Open
              CVE-2017-12626      org.apache.poi : poi : 3.17-beta1                        Open
              CVE-2017-12626      org.apache.poi : poi-scratchpad : 3.17-beta1             Open
              CVE-2018-1308       org.apache.solr : solr-dataimporthandler : 7.1.0         Open
              CVE-2016-4434       org.apache.tika : tika-core : 1.16                       Open
              CVE-2018-11761      org.apache.tika : tika-core : 1.16                       Open
              CVE-2016-1000338    org.bouncycastle : bcprov-jdk15 : 1.45                   Open
              CVE-2016-1000343    org.bouncycastle : bcprov-jdk15 : 1.45                   Open
              CVE-2018-1000180    org.bouncycastle : bcprov-jdk15 : 1.45                   Open
              CVE-2017-7656       org.eclipse.jetty : jetty-http : 9.3.20.v20170531        Open
              CVE-2012-0881       xerces : xercesImpl : 2.9.1                              Open
              CVE-2013-4002       xerces : xercesImpl : 2.9.1                              Open

On Thu, Jan 3, 2019 at 12:15 PM Bob Hathaway <robh32...@gmail.com> wrote:

> We want to use SOLR v7 but Sonatype scans past v6.5 show dozens of
> critical and severe security issues and dozens of licensing issues. The
> critical security violations using Sonatype are inline and are indexed with
> codes from the National Vulnerability Database.
>
> Are there recommended steps for running Solr 7 in secure enterprises,
> specifically infosec remediation over Sonatype Application Composition
> Reports?
>
> Are there plans to make Solr more secure in v7 or v8?
>
> I'm new to the Solr User forum and suggestions are welcome.
>
> Sonatype Application Composition Reports
> Of Solr - 7.6.0, Build Scanned On Thu Jan 03 2019 at 14:49:49
> Using Scanner 1.56.0-01
>
> Security Issues
> Threat Level  Problem Code        Component                                                Status
> 9             CVE-2015-1832       org.apache.derby : derby : 10.9.1.0                      Open
>               CVE-2017-7525       org.codehaus.jackson : jackson-mapper-asl : 1.9.13       Open
>               CVE-2017-1000190    org.simpleframework : simple-xml : 2.7.1                 Open
> 8             CVE-2018-14718      com.fasterxml.jackson.core : jackson-databind : 2.9.6    Open
>               CVE-2018-14719      com.fasterxml.jackson.core : jackson-databind : 2.9.6    Open
>               sonatype-2017-0312  com.fasterxml.jackson.core : jackson-databind : 2.9.6    Open
> 7             CVE-2018-14720      com.fasterxml.jackson.core : jackson-databind : 2.9.6    Open
>               CVE-2018-14721      com.fasterxml.jackson.core : jackson-databind : 2.9.6    Open
>               CVE-2018-1000632    dom4j : dom4j : 1.6.1                                    Open
>               CVE-2018-8009       org.apache.hadoop : hadoop-common : 2.7.4                Open
>               CVE-2012-0881       xerces : xercesImpl : 2.9.1                              Open
>               CVE-2013-4002       xerces : xercesImpl : 2.9.1                              Open
>
> License Analysis
> License Threat                                                 Component                                                          Status
> MPL-1.1, GPL-2.0+ or LGPL-2.1+ or MPL-1.1                      com.googlecode.juniversalchardet : juniversalchardet : 1.0.3       Open
> Apache-2.0, AFL-2.1 or GPL-2.0+                                org.ccil.cowan.tagsoup : tagsoup : 1.2.1                           Open
> Not Declared, Not Supported                                    d3 2.9.6                                                           Open
> BSD-3-Clause, Adobe                                            com.adobe.xmp : xmpcore : 5.1.3                                    Open
> Apache-2.0, No Source License                                  com.cybozu.labs : langdetect : 1.1-20120112                        Open
> Apache-2.0, No Source License                                  com.fasterxml.jackson.core : jackson-annotations : 2.9.6           Open
> Apache-2.0, No Source License                                  com.fasterxml.jackson.core : jackson-core : 2.9.6                  Open
> Apache-2.0, No Source License                                  com.fasterxml.jackson.core : jackson-databind : 2.9.6              Open
> Apache-2.0, No Source License                                  com.fasterxml.jackson.dataformat : jackson-dataformat-smile : 2.9.6  Open
> Apache-2.0, EPL-1.0, MIT                                       com.googlecode.mp4parser : isoparser : 1.1.22                      Open
> Not Provided, No Source License                                com.ibm.icu : icu4j : 62.1                                         Open
> Apache-2.0, LGPL-3.0+                                          com.pff : java-libpst : 0.8.1                                      Open
> Apache-2.0, No Source License                                  com.rometools : rome-utils : 1.5.1                                 Open
> CDDL-1.1 or GPL-2.0-CPE                                        com.sun.mail : gimap : 1.5.1                                       Open
> CDDL-1.1 or GPL-2.0-CPE                                        com.sun.mail : javax.mail : 1.5.1                                  Open
> Not Declared, Apache-1.1, Sun-IP                               dom4j : dom4j : 1.6.1                                              Open
> MIT, No Source License                                         info.ganglia.gmetric4j : gmetric4j : 1.0.7                         Open
> Apache-2.0, No Source License                                  io.dropwizard.metrics : metrics-ganglia : 3.2.6                    Open
> Apache-2.0, No Source License                                  io.dropwizard.metrics : metrics-graphite : 3.2.6                   Open
> Apache-2.0, No Source License                                  io.dropwizard.metrics : metrics-jetty9 : 3.2.6                     Open
> Apache-2.0, No Source License                                  io.dropwizard.metrics : metrics-jvm : 3.2.6                        Open
> Apache-2.0, No Source License                                  io.prometheus : simpleclient_common : 0.2.0                        Open
> Apache-2.0, No Source License                                  io.prometheus : simpleclient_httpserver : 0.2.0                    Open
> CDDL-1.0, CDDL-1.1 or GPL-2.0-CPE                              javax.activation : activation : 1.1.1                              Open
> CDDL-1.0 or GPL-2.0-CPE, Apache-2.0, CDDL-1.1 or GPL-2.0-CPE   javax.servlet