https://lucene.apache.org/solr/security.html
The security page on the Solr website has details about how to report security items. It also has a link to the wiki page with details about some of these that are false positives. Each version of Solr has dependency updates and addresses different dependency CVEs as they are reported and detected. I haven't looked through what was shared specifically, but Solr 8.5, which is under vote, addresses at least a few dependency upgrades.

Kevin Risden

On Fri, Mar 20, 2020 at 10:23 AM Ahlberg, Christopher C. <cahlb...@dtcc.com> wrote:
> Our TRM team (Technology Risk Management) has provided us with the attached vulnerabilities analysis for Solr 8.4.1 (security issues extracted below).
>
> Has anyone out there in the Solr community done anything to document workarounds or mitigations for any of these identified vulnerabilities in Solr 8.4.1? Does anyone know if work to address these issues is happening for subsequent releases?
>
> Any and all comments will be greatly appreciated!
>
> From their analysis:
>
> Security Issues
>
> (Each CVE entry was linked to http://cve.mitre.org/cgi-bin/cvename.cgi?name=<CVE-ID>.)
>
> | Threat Level | Problem Code | Component | Status |
> |---|---|---|---|
> | 9 | sonatype-2019-0115 | jQuery 1.7.1 | Open |
> | 9 | sonatype-2019-0115 | com.carrotsearch.randomizedtesting : junit4-ant : 2.7.2 | Open |
> | 9 | CVE-2015-1832 | org.apache.derby : derby : 10.9.1.0 | Open |
> | 9 | CVE-2015-1832 | org.ikasan : ikasan-solr-distribution : zip : 3.0.0 | Open |
> | 9 | CVE-2017-1000190 | org.ikasan : ikasan-solr-distribution : zip : 3.0.0 | Open |
> | 9 | sonatype-2019-0115 | org.ikasan : ikasan-solr-distribution : zip : 3.0.0 | Open |
> | 9 | sonatype-2019-0494 | org.ikasan : ikasan-solr-distribution : zip : 3.0.0 | Open |
> | 8 | CVE-2019-10088 | org.apache.tika : tika-core : 1.19.1 | Open |
> | 8 | CVE-2019-10088 | org.ikasan : ikasan-solr-distribution : zip : 3.0.0 | Open |
> | 7 | CVE-2012-0881 | apache-xerces : xercesImpl : 2.9.1 | Open |
> | 7 | CVE-2013-4002 | apache-xerces : xercesImpl : 2.9.1 | Open |
> | 7 | CVE-2019-14262 | com.drewnoakes : metadata-extractor : 2.11.0 | Open |
> | 7 | CVE-2019-12402 | org.apache.commons : commons-compress : 1.18 | Open |
> | 7 | CVE-2019-10094 | org.apache.tika : tika-core : 1.19.1 | Open |
> | 7 | CVE-2012-0881 | org.ikasan : ikasan-solr-distribution : zip : 3.0.0 | Open |
> | 7 | CVE-2013-4002 | org.ikasan : ikasan-solr-distribution : zip : 3.0.0 | Open |
> | 7 | CVE-2014-0114 | org.ikasan : ikasan-solr-distribution : zip : 3.0.0 | Open |
> | 7 | CVE-2019-10094 | org.ikasan : ikasan-solr-distribution : zip : 3.0.0 | Open |
> | 7 | CVE-2019-12086 | org.ikasan : ikasan-solr-distribution : zip : 3.0.0 | Open |
> | 7 | CVE-2019-12402 | org.ikasan : ikasan-solr-distribution : zip : 3.0.0 | Open |
> | 7 | CVE-2019-14262 | org.ikasan : ikasan-solr-distribution : zip : 3.0.0 | Open |
> | 7 | CVE-2019-17558 | org.ikasan : ikasan-solr-distribution : zip : 3.0.0 | Open |
> | 6 | sonatype-2014-0026 | jQuery 1.7.1 | Open |
> | 6 | sonatype-2014-0026 | com.carrotsearch.randomizedtesting : junit4-ant : 2.7.2 | Open |
> | 6 | sonatype-2018-0330 | org.apache.ant : ant : 1.8.2 | Open |
> | 6 | CVE-2018-17197 | org.apache.tika : tika-core : 1.19.1 | Open |
> | 6 | CVE-2018-17197 | org.apache.tika : tika-parsers : 1.19.1 | Open |
> | 6 | CVE-2019-10093 | org.apache.tika : tika-parsers : 1.19.1 | Open |
> | 6 | sonatype-2018-0469 | org.apache.zookeeper : zookeeper : 3.5.5 | Open |
> | 6 | CVE-2018-17197 | org.ikasan : ikasan-solr-distribution : zip : 3.0.0 | Open |
> | 6 | CVE-2019-10093 | org.ikasan : ikasan-solr-distribution : zip : 3.0.0 | Open |
> | 6 | sonatype-2014-0026 | org.ikasan : ikasan-solr-distribution : zip : 3.0.0 | Open |
> | 6 | sonatype-2018-0330 | org.ikasan : ikasan-solr-distribution : zip : 3.0.0 | Open |
> | 5 | CVE-2009-2625 | apache-xerces : xercesImpl : 2.9.1 | Open |
> | 5 | sonatype-2017-0348 | apache-xerces : xercesImpl : 2.9.1 | Open |
> | 5 | sonatype-2012-0050 | commons-codec : commons-codec : 1.11 | Open |
> | 5 | sonatype-2014-0173 | commons-fileupload : commons-fileupload : 1.3.3 | Open |
> | 5 | sonatype-2020-0026 | io.netty : netty-handler : 4.1.29.Final | Open |
> | 5 | CVE-2012-2098 | org.apache.ant : ant : 1.8.2 | Open |
> | 5 | CVE-2019-12415 | org.apache.poi : poi-ooxml : 4.0.0 | Open |
> | 5 | CVE-2018-8010 | org.apache.solr : solr-core : 8.4.1 | Open |
> | 5 | CVE-2009-2625 | org.ikasan : ikasan-solr-distribution : zip : 3.0.0 | Open |
> | 5 | CVE-2012-2098 | org.ikasan : ikasan-solr-distribution : zip : 3.0.0 | Open |
> | 5 | CVE-2018-8010 | org.ikasan : ikasan-solr-distribution : zip : 3.0.0 | Open |
> | 5 | CVE-2019-12415 | org.ikasan : ikasan-solr-distribution : zip : 3.0.0 | Open |
> | 5 | sonatype-2012-0050 | org.ikasan : ikasan-solr-distribution : zip : 3.0.0 | Open |
> | 5 | sonatype-2014-0173 | org.ikasan : ikasan-solr-distribution : zip : 3.0.0 | Open |
> | 5 | sonatype-2017-0348 | org.ikasan : ikasan-solr-distribution : zip : 3.0.0 | Open |
> | 4 | sonatype-2017-0492 | com.sun.mail : javax.mail : 1.5.1 | Open |
> | 4 | sonatype-2017-0492 | org.ikasan : ikasan-solr-distribution : zip : 3.0.0 | Open |
>
> Christopher Ahlberg
> Director
> Middleware Plat & Foundation
> DTCC New York
> +1 212 855-3995 | cahlb...@dtcc.com
>
> Visit us at www.dtcc.com or connect with us on LinkedIn
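The scan above lists flagged artifact versions without saying whether a given Solr install actually loads them, which is the first question to settle before chasing workarounds. As an added example (not code from this thread or the Solr project), the script below matches each finding against a jar inventory and classifies it by where the jar sits; the inventory paths are constructed sample input, and `SOLR_TIP` stands for the install root.

```python
# Added example (not from the thread or Solr): reconcile scan findings with the
# jars actually deployed. SCAN_ROWS come from the quoted TRM table; INSTALLED_JARS
# is a CONSTRUCTED stand-in for `find "$SOLR_TIP" -name '*.jar'`.
import re

SCAN_ROWS = [  # (threat level, problem code, artifact id, version)
    (9, "sonatype-2019-0115", "jquery", "1.7.1"),
    (8, "CVE-2019-10088", "tika-core", "1.19.1"),
    (6, "sonatype-2014-0026", "junit4-ant", "2.7.2"),
    (5, "CVE-2019-12415", "poi-ooxml", "4.0.0"),
    (5, "CVE-2018-8010", "solr-core", "8.4.1"),
    (5, "sonatype-2020-0026", "netty-handler", "4.1.29.Final"),
]
INSTALLED_JARS = [  # constructed; directory layout follows the Solr 8.x zip
    "server/solr-webapp/webapp/WEB-INF/lib/solr-core-8.4.1.jar",
    "server/solr-webapp/webapp/WEB-INF/lib/netty-handler-4.1.29.Final.jar",
    "contrib/extraction/lib/tika-core-1.19.1.jar",
    "contrib/extraction/lib/poi-ooxml-4.1.0.jar",  # constructed: newer than scanned
]
JAR_RE = re.compile(r"([^/]+?)-(\d[\w.]*)\.jar$")  # name-version.jar

def parse_jar(path):
    """'dir/name-1.2.3.jar' -> (name, version, path); None if unversioned."""
    m = JAR_RE.search(path)
    return (m.group(1), m.group(2), path) if m else None

def classify(path):
    if "/WEB-INF/lib/" in path:
        return "runtime"  # on the webapp classpath at startup
    if path.startswith("contrib/"):
        return "contrib"  # loaded only if solrconfig.xml pulls it in via <lib>
    return "other"

def reconcile(scan_rows, jars):
    """Map (problem code, artifact) -> (level, status) for triage."""
    by_name = {}
    for parsed in filter(None, map(parse_jar, jars)):
        by_name.setdefault(parsed[0], []).append(parsed)
    result = {}
    for level, code, artifact, version in scan_rows:
        hits = by_name.get(artifact, [])
        exact = [p for p in hits if p[1] == version]
        if exact:
            status = "deployed-" + classify(exact[0][2])
        elif hits:
            status = "other-version:" + ",".join(sorted(p[1] for p in hits))
        else:  # test-only deps (junit4-ant) and non-jar assets such as the
            status = "not-deployed"  # admin UI's jQuery land here; check separately
        result[(code, artifact)] = (level, status)
    return result
```

Findings that resolve to "not-deployed" still need a manual look, since build-time artifacts and static web assets never appear in a jar inventory.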