lucene-solr-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Shawn Heisey <apa...@elyograg.org>
Subject Re: SOLR v7 Security Issues Caused Denial of Use - Sonatype Application Composition Report
Date Fri, 04 Jan 2019 19:48:55 GMT
On 1/3/2019 11:15 AM, Bob Hathaway wrote:
> We want to use SOLR v7 but Sonatype scans past v6.5 show dozens of 
> critical and severe security issues and dozens of licensing issues.

None of the images that you attached to your message are visible to us.  
Attachments are regularly stripped by Apache mailing lists and cannot be 
relied on.

Some of the security issues you've mentioned could be problems.  But if 
you follow recommendations and make sure that Solr is not directly 
accessible to unauthorized parties, it will not be possible for those 
parties to exploit security issues without first finding and exploiting 
a vulnerability on an authorized system.

Vulnerabilities in SolrJ, if any exist, are slightly different, but 
unless unauthorized parties have the ability to *directly* send input to 
SolrJ code without intermediate code sanitizing the input, they will not 
be able to exploit those vulnerabilities. JSON support in SolrJ is 
provided by noggit, not jackson, and JSON/XML are not used by recent 
versions of SolrJ unless they are very specifically requested by the 
programmer.  Are there any vulnerabilities you've found that affect 
SolrJ itself, separately from the rest of Solr?

As we become aware of issues with either project code or third-party 
software, we get them fixed.  Sometimes it is not completely 
straightforward to upgrade to newer versions of third-party software, 
but staying current is a priority.

Licensing issues are of major concern to the entire Apache Foundation.  
As a project, we are unaware of any licensing problems at this time.  
All of the third-party software that is included with Solr should be 
available under a license that is compatible with the Apache license.  I 
didn't examine the list you sent super closely, but what I did look at 
didn't look like a problem.

https://www.apache.org/legal/resolved.html#category-b

The mere presence of GPL in the available licenses for third party 
software is not an indication of a problem.  If that were the ONLY 
license available, then it would be a problem.

Thanks,
Shawn


Mime
View raw message