
Upgrade Velocity to v2.3


Details

    • Type: Bug
    • Status: Closed
    • Priority: Blocker
    • Resolution: Fixed
    • Affects Version/s: 8.11
    • Fix Version/s: 8.11.1
    • Component/s: None
    • Labels: None

    Description

      The latest version of Solr, 8.11, bundles an Apache Velocity 2.0 jar that has the following vulnerabilities:

      Vulnerability Details

      CVE-2020-13936

      Vulnerability Published: 2021-03-10 03:15 EST
      Vulnerability Updated: 2021-09-23 08:21 EDT
      CVSS Score: 8.8 (overall), 8.8 (base)

      Summary: An attacker that is able to modify Velocity templates may execute arbitrary Java code or run arbitrary system commands with the same privileges as the account running the Servlet container. This applies to applications that allow untrusted users to upload/modify velocity templates running Apache Velocity Engine versions up to 2.2.

      Solution: N/A

      Workaround: N/A

      BDSA-2021-0710

      Vulnerability Published: 2021-03-22 12:01 EDT
      Vulnerability Updated: 2021-11-08 09:16 EST
      CVSS Score: 7.9 (overall), 8.8 (base)

      Summary: Apache Velocity is vulnerable to remote code execution (RCE) and arbitrary command execution due to how the SecureUberspector functionality does not sufficiently prevent access to dangerous classes and packages.

      An attacker with the ability to modify Velocity templates could use this issue to execute arbitrary Java code or system commands with the privileges of the account running the Servlet container.

      Solution: Fixed in 2.3-rc1 by this commit.

      The latest stable releases are available here.

      Workaround: N/A


          People

            janhoy Jan Høydahl
            wcmrnd1 wcmrnd1