Please see https://wiki.apache.org/solr/SolrSecurity#Solr_and_Vulnerability_Scanning_Tools <https://wiki.apache.org/solr/SolrSecurity#Solr_and_Vulnerability_Scanning_Tools> for a list of CVEs that do NOT affect Solr.
As that page states, if you believe that one of the CVEs are really exploitable in Solr, then please attempt to describe why you believe Solr is vulnerable, and send a report to secur...@apache.org <mailto:secur...@apache.org> and/or file a private JIRA issue. Do not explain a new vulnerability on open mailing lists. -- Jan Høydahl, search solution architect Cominvent AS - www.cominvent.com > 24. jan. 2019 kl. 13:10 skrev Andreas Hubold <andreas.hub...@coremedia.com>: > > Hi, > > in our project, we're checking JAR dependencies with the OWASP dependency > check [1] for security issues for which CVEs have been reported. > > There are CVEs for some of Solr's third-party dependencies in version 7.6.0, > and I wonder if you have plans to update these to unaffected versions. I > don't know if these CVEs affect Solr, but event if they don't, IMHO it would > be good to update them so that users don't need to analyze the reports in > detail. > > This is what I found for solr-core Maven dependencies: > > * protobuf-java-3.1.0.jar https://nvd.nist.gov/vuln/detail/CVE-2015-5237 > (fixed since protobuf 3.4) > * dom4j-1.6.1.jar https://nvd.nist.gov/vuln/detail/CVE-2018-1000632 (fixed in > dom4j 2.1.1) > * hadoop-hdfs-2.7.4.jar https://nvd.nist.gov/vuln/detail/CVE-2017-15718 > (fixed in hadoop 2.7.5) > > What do you think? > > Thanks, > Andreas > > [1] https://www.owasp.org/index.php/OWASP_Dependency_Check >
