On 7/24/2020 2:35 PM, Man with No Name wrote:
This version of jackson is pulled in as a shadow jar. Also solr is using io.netty version 4.1.29.Final which has critical vulnerabilities which are fixed in 4.1.44.
It looks like that shaded jackson library is included in the jar for htrace. I looked through the commit history and learned that htrace is included for the HDFS support in Solr. This means that if you are not using the HDFS capability, then htrace will not be used, so the older jackson library will not be used either.
If you are not using TLS connections from SolrCloud to ZooKeeper, then your install of Solr will not be using the netty library, and vulnerabilities in netty will not apply.
The older version of Guava is pulled in with a jar from carrot2. If your Solr install does not use carrot2 clustering, then that version of Guava will never be called.
The commons-compress and tika libraries are only used if you have configured the extraction contrib, also known as SolrCell. This contrib module is used to index rich-text documents, such as PDF and Word. Because it makes Solr unstable, we strongly recommend that nobody should use SolrCell in production. When rich-text documents need to be indexed, it should be accomplished by using Tika outside of Solr... and if that recommendation is followed, you can control the version used so that the well-known vulnerabilities will not be present.
We have always recommended that Solr should be located in a network place that can only be reached by systems and people who are authorized. If that is done, then nobody will be able to exploit any vulnerabilities that might exist in Solr unless they first successfully break into an authorized system.
We do take these reports of vulnerabilities seriously and close them as quickly as we can.
Thanks, Shawn
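The reply above argues that each flagged library is only reachable when the optional feature that pulls it in is actually configured. The following is an added example, not code from the thread or from the Solr project, that turns that argument into a triage script: it reads a constructed solrconfig.xml and solr.in.sh and reports which flagged libraries sit on an active code path. The Solr class names and the ZooKeeper TLS system property it looks for are assumptions about how those features are switched on, and the sample config is constructed.

```python
"""Reachability triage for flagged Solr dependencies (added example, not Solr's own code)."""
import re
import xml.etree.ElementTree as ET

# Optional Solr features mapped to the libraries the reply ties to each of them.
FEATURE_LIBS = {
    "hdfs":       ["htrace", "jackson (shaded in htrace)"],
    "zk-tls":     ["netty"],
    "clustering": ["guava (via carrot2)"],
    "solrcell":   ["tika", "commons-compress"],
}

def enabled_features(solrconfig_xml: str, solr_in_sh: str) -> set:
    """Infer which optional features an install uses from its config files."""
    root = ET.fromstring(solrconfig_xml)
    features = set()
    # HDFS support is enabled by selecting an HDFS directory factory (assumed class name).
    df = root.find("directoryFactory")
    if df is not None and "Hdfs" in df.get("class", ""):
        features.add("hdfs")
    # SolrCell is the extraction request handler (assumed class name).
    for rh in root.iter("requestHandler"):
        if "ExtractingRequestHandler" in rh.get("class", ""):
            features.add("solrcell")
    # carrot2 clustering is wired in as a search component (assumed class name).
    for sc in root.iter("searchComponent"):
        if "ClusteringComponent" in sc.get("class", ""):
            features.add("clustering")
    # ZooKeeper TLS is switched on via a JVM system property (assumed property name).
    if re.search(r"zookeeper\.client\.secure=true", solr_in_sh):
        features.add("zk-tls")
    return features

def reachable_libs(features: set) -> dict:
    """Flagged libraries that are on an active code path, keyed by enabling feature."""
    return {f: FEATURE_LIBS[f] for f in sorted(features)}

# Constructed sample: SolrCell enabled, but no HDFS, clustering, or ZooKeeper TLS.
SAMPLE_SOLRCONFIG = """<config>
  <directoryFactory name="DirectoryFactory" class="solr.NRTCachingDirectoryFactory"/>
  <requestHandler name="/update/extract" class="solr.extraction.ExtractingRequestHandler"/>
</config>"""
SAMPLE_SOLR_IN_SH = 'SOLR_OPTS="$SOLR_OPTS -Dsolr.log.dir=/var/solr/logs"\n'

if __name__ == "__main__":
    found = reachable_libs(enabled_features(SAMPLE_SOLRCONFIG, SAMPLE_SOLR_IN_SH))
    for feat, libs in found.items():
        print(f"{feat}: {', '.join(libs)} on an active code path; patch or disable")
```

Features the script does not find still leave the vulnerable jar on disk, so this narrows remediation priority rather than replacing an upgrade.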