lucene-solr-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Bob Hathaway <robh32...@gmail.com>
Subject Re: SOLR v7 Security Issues Caused Denial of Use - Sonatype Application Composition Report
Date Thu, 03 Jan 2019 18:19:56 GMT
Critical and Severe security vulnerabilities against Solr v7.1.  Many of
these appear to be from old open source  framework versions.

*9* CVE-2017-7525 com.fasterxml.jackson.core : jackson-databind : 2.5.4
Open

   CVE-2016-1000031 commons-fileupload : commons-fileupload : 1.3.2 Open

   CVE-2015-1832 org.apache.derby : derby : 10.9.1.0 Open

   CVE-2017-7525 org.codehaus.jackson : jackson-mapper-asl : 1.9.13 Open

   CVE-2017-7657 org.eclipse.jetty : jetty-http : 9.3.20.v20170531 Open

   CVE-2017-7658 org.eclipse.jetty : jetty-http : 9.3.20.v20170531 Open

   CVE-2017-1000190 org.simpleframework : simple-xml : 2.7.1 Open

*7* sonatype-2016-0397 com.fasterxml.jackson.core : jackson-core : 2.5.4
Open

   sonatype-2017-0355 com.fasterxml.jackson.core : jackson-core : 2.5.4
Open

   CVE-2014-0114 commons-beanutils : commons-beanutils : 1.8.3 Open

   CVE-2018-1000632 dom4j : dom4j : 1.6.1 Open

   CVE-2018-8009 org.apache.hadoop : hadoop-common : 2.7.4 Open

   CVE-2017-12626 org.apache.poi : poi : 3.17-beta1 Open

   CVE-2017-12626 org.apache.poi : poi-scratchpad : 3.17-beta1 Open

   CVE-2018-1308 org.apache.solr : solr-dataimporthandler : 7.1.0 Open

   CVE-2016-4434 org.apache.tika : tika-core : 1.16 Open

   CVE-2018-11761 org.apache.tika : tika-core : 1.16 Open

   CVE-2016-1000338 org.bouncycastle : bcprov-jdk15 : 1.45 Open

   CVE-2016-1000343 org.bouncycastle : bcprov-jdk15 : 1.45 Open

   CVE-2018-1000180 org.bouncycastle : bcprov-jdk15 : 1.45 Open

   CVE-2017-7656 org.eclipse.jetty : jetty-http : 9.3.20.v20170531 Open

   CVE-2012-0881 xerces : xercesImpl : 2.9.1 Open

   CVE-2013-4002 xerces : xercesImpl : 2.9.1 Open

On Thu, Jan 3, 2019 at 12:15 PM Bob Hathaway <robh32019@gmail.com> wrote:

> We want to use SOLR v7 but Sonatype scans past v6.5 show dozens of
> critical and severe security issues and dozens of licensing issues. The
> critical security violations using Sonatype are inline and are indexed with
> codes from the National Vulnerability Database,
>
> Are there recommended steps for running Solr 7 in secure enterprises
> specifically infosec remediation over Sonatype Application Composition
> Reports?
>
> Are there plans to make Solr more secure in v7 or v8?
>
> I'm new to the Solr User forum and suggests are welcome.
>
>
> Sonatype Application Composition Reports
> Of Solr - 7.6.0, Build Scanned On Thu Jan 03 2019 at 14:49:49
> Using Scanner 1.56.0-01
>
> [image: image.png]
>
> [image: image.png]
>
> [image: image.png]
>
> Security Issues
> Threat Level Problem Code Component Status
> 9 CVE-2015-1832 org.apache.derby : derby : 10.9.1.0 Open
> CVE-2017-7525 org.codehaus.jackson : jackson-mapper-asl : 1.9.13 Open
> CVE-2017-1000
> 190
> org.simpleframework : simple-xml : 2.7.1 Open
> 8 CVE-2018-1471
> 8
> com.fasterxml.jackson.core : jackson-databind : 2.9.6 Open
> CVE-2018-1471
> 9
> com.fasterxml.jackson.core : jackson-databind : 2.9.6 Open
> sonatype-2017-
> 0312
> com.fasterxml.jackson.core : jackson-databind : 2.9.6 Open
> 7 CVE-2018-1472
> 0
> com.fasterxml.jackson.core : jackson-databind : 2.9.6 Open
> CVE-2018-1472
> 1
> com.fasterxml.jackson.core : jackson-databind : 2.9.6 Open
> CVE-2018-1000
> 632
> dom4j : dom4j : 1.6.1 Open
> CVE-2018-8009 org.apache.hadoop : hadoop-common : 2.7.4 Open
> CVE-2012-0881 xerces : xercesImpl : 2.9.1 Open
> CVE-2013-4002 xerces : xercesImpl : 2.9.1 Open
>
>
> License Analysis
> License Threat Component Status
> MPL-1.1, GPL-2.0+ or
> LGPL-2.1+ or MPL-1.1
> com.googlecode.juniversalchardet : juniversalchardet : 1.0.3 Open
> Apache-2.0, AFL-2.1 or
> GPL-2.0+
> org.ccil.cowan.tagsoup : tagsoup : 1.2.1 Open
> Not Declared, Not
> Supported
> d3 2.9.6 Open
> BSD-3-Clause, Adobe com.adobe.xmp : xmpcore : 5.1.3 Open
> Apache-2.0, No Source
> License
> com.cybozu.labs : langdetect : 1.1-20120112 Open
> Apache-2.0, No Source
> License
> com.fasterxml.jackson.core : jackson-annotations : 2.9.6 Open
> Apache-2.0, No Source
> License
> com.fasterxml.jackson.core : jackson-core : 2.9.6 Open
> Apache-2.0, No Source
> License
> com.fasterxml.jackson.core : jackson-databind : 2.9.6 Open
> Apache-2.0, No Source
> License
> com.fasterxml.jackson.dataformat : jackson-dataformat-smile : 2.9.6 Open
> Apache-2.0, EPL-1.0, MIT com.googlecode.mp4parser : isoparser : 1.1.22 Open
> Not Provided, No Source
> License
> com.ibm.icu : icu4j : 62.1 Open
> Apache-2.0, LGPL-3.0+ com.pff : java-libpst : 0.8.1 Open
> Apache-2.0, No Source
> License
> com.rometools : rome-utils : 1.5.1 Open
> CDDL-1.1 or GPL-2.0-
> CPE
> com.sun.mail : gimap : 1.5.1 Open
> CDDL-1.1 or GPL-2.0-
> CPE
> com.sun.mail : javax.mail : 1.5.1 Open
> Not Declared,
> Apache-1.1, Sun-IP
> dom4j : dom4j : 1.6.1 Open
> MIT, No Source License info.ganglia.gmetric4j : gmetric4j : 1.0.7 Open
> Apache-2.0, No Source
> License
> io.dropwizard.metrics : metrics-ganglia : 3.2.6 Open
> Apache-2.0, No Source
> License
> io.dropwizard.metrics : metrics-graphite : 3.2.6 Open
> Apache-2.0, No Source
> License
> io.dropwizard.metrics : metrics-jetty9 : 3.2.6 Open
> Apache-2.0, No Source
> License
> io.dropwizard.metrics : metrics-jvm : 3.2.6 Open
> Apache-2.0, No Source
> License
> io.prometheus : simpleclient_common : 0.2.0 Open
> Apache-2.0, No Source
> License
> io.prometheus : simpleclient_httpserver : 0.2.0 Open
> CDDL-1.0, CDDL-1.1 or
> GPL-2.0-CPE
> javax.activation : activation : 1.1.1 Open
> CDDL-1.0 or GPL-2.0-
> CPE, Apache-2.0,
> CDDL-1.1 or GPL-2.0-
> CPE
> javax.servlet
>

Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message