Our TRM team (Technology Risk Management) has provided us with the attached 
vulnerability analysis for Solr 8.4.1 (security issues extracted below).

Has anyone out there in the Solr community done anything to document 
workarounds or mitigations for any of these identified vulnerabilities in Solr 
8.4.1?  Does anyone know if work to address these issues is happening for 
subsequent releases?

Any and all comments will be greatly appreciated!

From their analysis:

Security Issues
(Each CVE entry in the original links to http://cve.mitre.org/cgi-bin/cvename.cgi?name=<CVE-ID>.)

Threat Level  Problem Code        Component                                                Status
9             sonatype-2019-0115  jQuery 1.7.1                                             Open
9             sonatype-2019-0115  com.carrotsearch.randomizedtesting : junit4-ant : 2.7.2  Open
9             CVE-2015-1832       org.apache.derby : derby : 10.9.1.0                      Open
9             CVE-2015-1832       org.ikasan : ikasan-solr-distribution : zip : 3.0.0      Open
9             CVE-2017-1000190    org.ikasan : ikasan-solr-distribution : zip : 3.0.0      Open
9             sonatype-2019-0115  org.ikasan : ikasan-solr-distribution : zip : 3.0.0      Open
9             sonatype-2019-0494  org.ikasan : ikasan-solr-distribution : zip : 3.0.0      Open
8             CVE-2019-10088      org.apache.tika : tika-core : 1.19.1                     Open
8             CVE-2019-10088      org.ikasan : ikasan-solr-distribution : zip : 3.0.0      Open
7             CVE-2012-0881       apache-xerces : xercesImpl : 2.9.1                       Open
7             CVE-2013-4002       apache-xerces : xercesImpl : 2.9.1                       Open
7             CVE-2019-14262      com.drewnoakes : metadata-extractor : 2.11.0             Open
7             CVE-2019-12402      org.apache.commons : commons-compress : 1.18             Open
7             CVE-2019-10094      org.apache.tika : tika-core : 1.19.1                     Open
7             CVE-2012-0881       org.ikasan : ikasan-solr-distribution : zip : 3.0.0      Open
7             CVE-2013-4002       org.ikasan : ikasan-solr-distribution : zip : 3.0.0      Open
7             CVE-2014-0114       org.ikasan : ikasan-solr-distribution : zip : 3.0.0      Open
7             CVE-2019-10094      org.ikasan : ikasan-solr-distribution : zip : 3.0.0      Open
7             CVE-2019-12086      org.ikasan : ikasan-solr-distribution : zip : 3.0.0      Open
7             CVE-2019-12402      org.ikasan : ikasan-solr-distribution : zip : 3.0.0      Open
7             CVE-2019-14262      org.ikasan : ikasan-solr-distribution : zip : 3.0.0      Open
7             CVE-2019-17558      org.ikasan : ikasan-solr-distribution : zip : 3.0.0      Open
6             sonatype-2014-0026  jQuery 1.7.1                                             Open
6             sonatype-2014-0026  com.carrotsearch.randomizedtesting : junit4-ant : 2.7.2  Open
6             sonatype-2018-0330  org.apache.ant : ant : 1.8.2                             Open
6             CVE-2018-17197      org.apache.tika : tika-core : 1.19.1                     Open
6             CVE-2018-17197      org.apache.tika : tika-parsers : 1.19.1                  Open
6             CVE-2019-10093      org.apache.tika : tika-parsers : 1.19.1                  Open
6             sonatype-2018-0469  org.apache.zookeeper : zookeeper : 3.5.5                 Open
6             CVE-2018-17197      org.ikasan : ikasan-solr-distribution : zip : 3.0.0      Open
6             CVE-2019-10093      org.ikasan : ikasan-solr-distribution : zip : 3.0.0      Open
6             sonatype-2014-0026  org.ikasan : ikasan-solr-distribution : zip : 3.0.0      Open
6             sonatype-2018-0330  org.ikasan : ikasan-solr-distribution : zip : 3.0.0      Open
5             CVE-2009-2625       apache-xerces : xercesImpl : 2.9.1                       Open
5             sonatype-2017-0348  apache-xerces : xercesImpl : 2.9.1                       Open
5             sonatype-2012-0050  commons-codec : commons-codec : 1.11                     Open
5             sonatype-2014-0173  commons-fileupload : commons-fileupload : 1.3.3          Open
5             sonatype-2020-0026  io.netty : netty-handler : 4.1.29.Final                  Open
5             CVE-2012-2098       org.apache.ant : ant : 1.8.2                             Open
5             CVE-2019-12415      org.apache.poi : poi-ooxml : 4.0.0                       Open
5             CVE-2018-8010       org.apache.solr : solr-core : 8.4.1                      Open
5             CVE-2009-2625       org.ikasan : ikasan-solr-distribution : zip : 3.0.0      Open
5             CVE-2012-2098       org.ikasan : ikasan-solr-distribution : zip : 3.0.0      Open
5             CVE-2018-8010       org.ikasan : ikasan-solr-distribution : zip : 3.0.0      Open
5             CVE-2019-12415      org.ikasan : ikasan-solr-distribution : zip : 3.0.0      Open
5             sonatype-2012-0050  org.ikasan : ikasan-solr-distribution : zip : 3.0.0      Open
5             sonatype-2014-0173  org.ikasan : ikasan-solr-distribution : zip : 3.0.0      Open
5             sonatype-2017-0348  org.ikasan : ikasan-solr-distribution : zip : 3.0.0      Open
4             sonatype-2017-0492  com.sun.mail : javax.mail : 1.5.1                        Open
4             sonatype-2017-0492  org.ikasan : ikasan-solr-distribution : zip : 3.0.0      Open


Christopher Ahlberg
Director
Middleware Plat & Foundation
DTCC New York
+1 212 855-3995 | cahlb...@dtcc.com