lucene-solr-user mailing list archives

From Gus Heck <gus.h...@gmail.com>
Subject Re: SOLR v7 Security Issues Caused Denial of Use - Sonatype Application Composition Report
Date Fri, 04 Jan 2019 18:27:42 GMT
Hi Bob,

Wrt licensing, keep in mind that multi-licensed software allows you to
choose which license you are using the software under. Also there's some
good detail on the Apache policy here:

https://www.apache.org/legal/resolved.html#what-can-we-not-include-in-an-asf-project-category-x

One has to be careful with license scanners; often they have very
conservative settings. I had to spend untold hours getting JFrog's license
plugin to select the correct license and hunting down missing licenses when
I finally sorted out licensing for JesterJ (though MANY fewer hours than
if I had done this by hand!).

On Fri, Jan 4, 2019, 11:17 AM Bob Hathaway <robh32019@gmail.com> wrote:

> The most important feature of any software running today is that it can be
> run at all. Security vulnerabilities can preclude software from running in
> enterprise environments. Today software must be free of critical and severe
> security vulnerabilities or they can't be run at all from Information
> Security policies. Enterprises today run security scan software to check
> for security and licensing vulnerabilities because today most organizations
> are using open source software where this has become most relevant.
> Forrester has a good summary on the need for software composition analysis
> tools, which virtually all enterprises run today before allowing software to
> run in production environments:
>
> https://www.blackducksoftware.com/sites/default/files/images/Downloads/Reports/USA/ForresterWave-Rpt.pdf
>
> Solr version 6.5 passes security scans showing no critical security
> issues.  Solr version 7 fails security scans with over a dozen critical and
> severe security vulnerabilities for Solr version from 7.1.  Then we ran
> scans against the latest Solr version 7.6 which failed as well.  Most of
> the issues are due to using old libraries including the JSON Jackson
> framework, Dom 4j and Xerces and should be easy to bring up to date. Only
> the latest version of SimpleXML has severe security vulnerabilities. Derby
> leads the most severe security violations at Level 9.1 by using an out of
> date version.
>
> What good is software or any features if enterprises can't run them?
> Today software cybersecurity is a top priority and risk for enterprises.
> Solr version 6.5 is very old exposing the zookeeper backend from the SolrJ
> client which is a differentiating capability.
>
> Is security and remediation a priority for SolrJ?  I believe this should be
> a top feature to allow SolrJ to continue providing search features to
> enterprises and a security roadmap and plan to keep Solr secure and usable
> by continually adapting and improving in the ever changing security
> landscape and ecosystem.  The Derby vulnerability issue CVE-2015-1832 was a
> passing medium Level 6.2 issue in CVSS 2.0 last year but is the most
> critical issue with Solr 7.6 at Level 9.1 in this year's CVSS 3.0.  These
> changes need to be tracked and updates and fixes incorporated into new Solr
> versions.
> https://nvd.nist.gov/vuln/detail/CVE-2015-1832
>
> On Thu, Jan 3, 2019 at 12:19 PM Bob Hathaway <robh32019@gmail.com> wrote:
>
> > Critical and Severe security vulnerabilities against Solr v7.1.  Many of
> > these appear to be from old open source framework versions.
> >
> > Threat Level 9:
> >    CVE-2017-7525      com.fasterxml.jackson.core : jackson-databind : 2.5.4   Open
> >    CVE-2016-1000031   commons-fileupload : commons-fileupload : 1.3.2   Open
> >    CVE-2015-1832      org.apache.derby : derby : 10.9.1.0   Open
> >    CVE-2017-7525      org.codehaus.jackson : jackson-mapper-asl : 1.9.13   Open
> >    CVE-2017-7657      org.eclipse.jetty : jetty-http : 9.3.20.v20170531   Open
> >    CVE-2017-7658      org.eclipse.jetty : jetty-http : 9.3.20.v20170531   Open
> >    CVE-2017-1000190   org.simpleframework : simple-xml : 2.7.1   Open
> >
> > Threat Level 7:
> >    sonatype-2016-0397   com.fasterxml.jackson.core : jackson-core : 2.5.4   Open
> >    sonatype-2017-0355   com.fasterxml.jackson.core : jackson-core : 2.5.4   Open
> >    CVE-2014-0114        commons-beanutils : commons-beanutils : 1.8.3   Open
> >    CVE-2018-1000632     dom4j : dom4j : 1.6.1   Open
> >    CVE-2018-8009        org.apache.hadoop : hadoop-common : 2.7.4   Open
> >    CVE-2017-12626       org.apache.poi : poi : 3.17-beta1   Open
> >    CVE-2017-12626       org.apache.poi : poi-scratchpad : 3.17-beta1   Open
> >    CVE-2018-1308        org.apache.solr : solr-dataimporthandler : 7.1.0   Open
> >    CVE-2016-4434        org.apache.tika : tika-core : 1.16   Open
> >    CVE-2018-11761       org.apache.tika : tika-core : 1.16   Open
> >    CVE-2016-1000338     org.bouncycastle : bcprov-jdk15 : 1.45   Open
> >    CVE-2016-1000343     org.bouncycastle : bcprov-jdk15 : 1.45   Open
> >    CVE-2018-1000180     org.bouncycastle : bcprov-jdk15 : 1.45   Open
> >    CVE-2017-7656        org.eclipse.jetty : jetty-http : 9.3.20.v20170531   Open
> >    CVE-2012-0881        xerces : xercesImpl : 2.9.1   Open
> >    CVE-2013-4002        xerces : xercesImpl : 2.9.1   Open
> >
> > On Thu, Jan 3, 2019 at 12:15 PM Bob Hathaway <robh32019@gmail.com> wrote:
> >
> >> We want to use SOLR v7 but Sonatype scans past v6.5 show dozens of
> >> critical and severe security issues and dozens of licensing issues. The
> >> critical security violations using Sonatype are inline and are indexed
> >> with codes from the National Vulnerability Database.
> >>
> >> Are there recommended steps for running Solr 7 in secure enterprises
> >> specifically infosec remediation over Sonatype Application Composition
> >> Reports?
> >>
> >> Are there plans to make Solr more secure in v7 or v8?
> >>
> >> I'm new to the Solr User forum and suggestions are welcome.
> >>
> >>
> >> Sonatype Application Composition Reports
> >> Of Solr - 7.6.0, Build Scanned On Thu Jan 03 2019 at 14:49:49
> >> Using Scanner 1.56.0-01
> >>
> >>
> >> Security Issues
> >> Threat Level | Problem Code       | Component                                             | Status
> >> 9            | CVE-2015-1832      | org.apache.derby : derby : 10.9.1.0                   | Open
> >> 9            | CVE-2017-7525      | org.codehaus.jackson : jackson-mapper-asl : 1.9.13    | Open
> >> 9            | CVE-2017-1000190   | org.simpleframework : simple-xml : 2.7.1              | Open
> >> 8            | CVE-2018-14718     | com.fasterxml.jackson.core : jackson-databind : 2.9.6 | Open
> >> 8            | CVE-2018-14719     | com.fasterxml.jackson.core : jackson-databind : 2.9.6 | Open
> >> 8            | sonatype-2017-0312 | com.fasterxml.jackson.core : jackson-databind : 2.9.6 | Open
> >> 7            | CVE-2018-14720     | com.fasterxml.jackson.core : jackson-databind : 2.9.6 | Open
> >> 7            | CVE-2018-14721     | com.fasterxml.jackson.core : jackson-databind : 2.9.6 | Open
> >> 7            | CVE-2018-1000632   | dom4j : dom4j : 1.6.1                                 | Open
> >> 7            | CVE-2018-8009      | org.apache.hadoop : hadoop-common : 2.7.4             | Open
> >> 7            | CVE-2012-0881      | xerces : xercesImpl : 2.9.1                           | Open
> >> 7            | CVE-2013-4002      | xerces : xercesImpl : 2.9.1                           | Open
> >>
> >>
> >> License Analysis
> >> License                                                      | Component                                                      | Status
> >> MPL-1.1, GPL-2.0+ or LGPL-2.1+ or MPL-1.1                    | com.googlecode.juniversalchardet : juniversalchardet : 1.0.3   | Open
> >> Apache-2.0, AFL-2.1 or GPL-2.0+                              | org.ccil.cowan.tagsoup : tagsoup : 1.2.1                       | Open
> >> Not Declared, Not Supported                                  | d3 2.9.6                                                       | Open
> >> BSD-3-Clause, Adobe                                          | com.adobe.xmp : xmpcore : 5.1.3                                | Open
> >> Apache-2.0, No Source License                                | com.cybozu.labs : langdetect : 1.1-20120112                    | Open
> >> Apache-2.0, No Source License                                | com.fasterxml.jackson.core : jackson-annotations : 2.9.6       | Open
> >> Apache-2.0, No Source License                                | com.fasterxml.jackson.core : jackson-core : 2.9.6              | Open
> >> Apache-2.0, No Source License                                | com.fasterxml.jackson.core : jackson-databind : 2.9.6          | Open
> >> Apache-2.0, No Source License                                | com.fasterxml.jackson.dataformat : jackson-dataformat-smile : 2.9.6 | Open
> >> Apache-2.0, EPL-1.0, MIT                                     | com.googlecode.mp4parser : isoparser : 1.1.22                  | Open
> >> Not Provided, No Source License                              | com.ibm.icu : icu4j : 62.1                                     | Open
> >> Apache-2.0, LGPL-3.0+                                        | com.pff : java-libpst : 0.8.1                                  | Open
> >> Apache-2.0, No Source License                                | com.rometools : rome-utils : 1.5.1                             | Open
> >> CDDL-1.1 or GPL-2.0-CPE                                      | com.sun.mail : gimap : 1.5.1                                   | Open
> >> CDDL-1.1 or GPL-2.0-CPE                                      | com.sun.mail : javax.mail : 1.5.1                              | Open
> >> Not Declared, Apache-1.1, Sun-IP                             | dom4j : dom4j : 1.6.1                                          | Open
> >> MIT, No Source License                                       | info.ganglia.gmetric4j : gmetric4j : 1.0.7                     | Open
> >> Apache-2.0, No Source License                                | io.dropwizard.metrics : metrics-ganglia : 3.2.6                | Open
> >> Apache-2.0, No Source License                                | io.dropwizard.metrics : metrics-graphite : 3.2.6               | Open
> >> Apache-2.0, No Source License                                | io.dropwizard.metrics : metrics-jetty9 : 3.2.6                 | Open
> >> Apache-2.0, No Source License                                | io.dropwizard.metrics : metrics-jvm : 3.2.6                    | Open
> >> Apache-2.0, No Source License                                | io.prometheus : simpleclient_common : 0.2.0                    | Open
> >> Apache-2.0, No Source License                                | io.prometheus : simpleclient_httpserver : 0.2.0                | Open
> >> CDDL-1.0, CDDL-1.1 or GPL-2.0-CPE                            | javax.activation : activation : 1.1.1                          | Open
> >> CDDL-1.0 or GPL-2.0-CPE, Apache-2.0, CDDL-1.1 or GPL-2.0-CPE | javax.servlet
> >>
> >
>
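A small triage script for a report like the one quoted in this thread, added here as an example; it is not part of the thread and not Sonatype, Solr or Apache code. It takes the rows the way they arrived by mail (problem codes such as CVE-2017-1000190 broken across lines, license cells wrapped), rejoins them, reports the worst threat level per component with every problem code that hit it, and applies Gus's point about multi-licensed software by treating "X or Y" in a license cell as a choice the consumer may make against an allowlist. The allowlist, the status vocabulary, and the reading of "or" versus comma in the license cell are my assumptions, not the report's documented semantics.

```python
"""Triage a Sonatype-style scan report that was pasted into an e-mail.
Added example for this thread, not Sonatype, Solr or Apache code.  REPORT is a
constructed excerpt of rows quoted above, keeping the way the mail client
wrapped identifiers and license cells.  Assumed (undocumented) semantics: in
a license cell "X or Y" is a choice; "A, B" lists terms that apply together.
"""
import re
from collections import defaultdict

REPORT = """\
Security Issues
9 CVE-2015-1832 org.apache.derby : derby : 10.9.1.0 Open
CVE-2017-7525 org.codehaus.jackson : jackson-mapper-asl : 1.9.13 Open
CVE-2017-1000
190
org.simpleframework : simple-xml : 2.7.1 Open
8 CVE-2018-1471
8
com.fasterxml.jackson.core : jackson-databind : 2.9.6 Open
7 CVE-2018-1472
0
com.fasterxml.jackson.core : jackson-databind : 2.9.6 Open
License Analysis
MPL-1.1, GPL-2.0+ or
LGPL-2.1+ or MPL-1.1
com.googlecode.juniversalchardet : juniversalchardet : 1.0.3 Open
Apache-2.0, AFL-2.1 or
GPL-2.0+
org.ccil.cowan.tagsoup : tagsoup : 1.2.1 Open
Not Declared, Not
Supported
d3 2.9.6 Open
"""

ALLOWED = {"Apache-2.0", "MIT", "BSD-3-Clause", "MPL-1.1", "EPL-1.0"}  # hypothetical policy
STATUSES = {"Open"}  # the only status the quoted report shows
ROW_RE = re.compile(r"^(?:(?P<level>\d{1,2}) )?(?P<id>(?:CVE|sonatype)-\d{4}-\d+) (?P<comp>.+) (?P<status>\w+)$")
LIC_RE = re.compile(r"^(?P<lic>.+?) (?P<comp>\S+ : \S+ : \S+|\S+ \S+) (?P<status>\w+)$")

def split_sections(text):
    """Group non-blank lines under the two section headings the report uses."""
    sections, current = {}, None
    for line in text.splitlines():
        if line in ("Security Issues", "License Analysis"):
            current = sections.setdefault(line, [])
        elif current is not None and line.strip():
            current.append(line.strip())
    return sections

def rejoin_rows(lines):
    """Undo the mail wrapping: a row ends with a status word; a bare-digit line is
    the tail of an identifier cut mid-token (CVE-2017-1000 / 190) and is glued on
    without a space; any other fragment continues the row with a space."""
    rows, buf = [], ""
    for line in lines:
        if not buf:
            buf = line
        elif line.isdigit():
            buf += line
        else:
            buf += " " + line
        if buf.split()[-1] in STATUSES:
            rows.append(buf)
            buf = ""
    return rows

def security_findings(rows):
    """component -> (worst threat level, [problem codes]); the report prints the
    level only on a group's first row, so later rows inherit it."""
    found, level = defaultdict(lambda: [0, []]), None
    for row in rows:
        m = ROW_RE.match(row)
        if not m or (level is None and not m["level"]):
            raise ValueError("unparsed security row: " + row)
        level = int(m["level"]) if m["level"] else level
        found[m["comp"]][0] = max(found[m["comp"]][0], level)
        found[m["comp"]][1].append(m["id"])
    return {c: (lvl, ids) for c, (lvl, ids) in found.items()}

def license_verdict(expr):
    """Every comma-separated term must pass; a term passes if any 'or' alternative
    is allowed.  'Not Declared' and friends are not licenses, so they need review."""
    unresolved = []
    for term in (t.strip() for t in expr.split(",")):
        if not any(c.strip() in ALLOWED for c in term.split(" or ")):
            unresolved.append(term)
    return ("ok", []) if not unresolved else ("review", unresolved)

def triage(text=REPORT):
    """Return (security map, license map) for one pasted report."""
    sections = split_sections(text)
    lic = {}
    for row in rejoin_rows(sections["License Analysis"]):
        m = LIC_RE.match(row)
        if not m:
            raise ValueError("unparsed license row: " + row)
        lic[m["comp"]] = license_verdict(m["lic"])
    return security_findings(rejoin_rows(sections["Security Issues"])), lic
```

Calling triage() on the constructed excerpt puts jackson-databind at level 8 with both of its problem codes attached, passes juniversalchardet because its MPL-1.1 option is on the allowlist, and sends tagsoup ("AFL-2.1 or GPL-2.0+") and d3 ("Not Declared, Not Supported") to human review; the point of the per-term loop is that a scanner which only looks at the first or the most restrictive license in a cell will flag a component the consumer could legitimately take under a permissive option.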
