SOLR-15855: CVEs in shadowed dependencies

Details

    Type: Bug
    Status: Resolved
    Priority: Major
    Resolution: Implemented
    Affects Version/s: 8.11.1

    Description

      Our Solr deployments had a number of CVEs flagged due to shadowed dependencies in some non-core components:

      • htrace-core4 pulls in jackson-databind, and hasn't been updated in many years since the project shut down around 2016. This leaves around 50 critical CVEs — although it's not clear whether any of these are actually exploitable in the Solr configuration, it will generate a lot of noise for Solr users in security-conscious environments.
        This doesn't appear to be a hard dependency for Solr in normal use, but I see that the HBase project has a plan to replace it with a shim: https://issues.apache.org/jira/browse/HBASE-24802
      • The test framework pulls in junit4-ant, which has an old simple-xml vulnerable to CVE-2017-1000190: /opt/solr-8.11.1/dist/test-framework/lib/junit4-ant-2.7.2.jar
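A practical first check for the kind of shadowed copy described above (added example, not Solr or HTrace project code): it opens a jar as a zip archive and reports embedded Maven pom.properties entries, which carry the bundled artifactId and version, plus class files whose path still contains a known library package after relocation. The sample jar, its relocation prefix and its version string are constructed for the example; the LIBRARY_PACKAGES table is an assumption you would extend for your own scans.

```python
import io
import zipfile

# Library package path tails to look for. Shading tools usually relocate
# by prefixing the path (e.g. org/<vendor>/shaded/...) and keep the tail,
# so a substring match still finds the bundled copy. Assumed table.
LIBRARY_PACKAGES = {"jackson-databind": "fasterxml/jackson/databind/"}


def parse_properties(text):
    """Parse a Java .properties file into a dict; comments and blanks are skipped."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith(("#", "!")) and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props


def scan_jar(jar_bytes):
    """Return (bundled, relocated): {artifactId: version} from embedded
    META-INF/maven/**/pom.properties (shading normally copies these along
    with the classes) and {library: [class paths]} matching LIBRARY_PACKAGES."""
    bundled, relocated = {}, {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in jar.namelist():
            if name.startswith("META-INF/maven/") and name.endswith("/pom.properties"):
                props = parse_properties(jar.read(name).decode("utf-8", "replace"))
                if "artifactId" in props:
                    bundled[props["artifactId"]] = props.get("version", "unknown")
            elif name.endswith(".class"):
                for lib, tail in LIBRARY_PACKAGES.items():
                    if tail in name:
                        relocated.setdefault(lib, []).append(name)
    return bundled, relocated


def build_sample_jar():
    """Constructed sample jar (not a real htrace build) that relocates jackson-databind."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("org/example/tracing/Tracer.class", b"\xca\xfe\xba\xbe")
        jar.writestr("org/example/tracing/shaded/fasterxml/jackson/databind/ObjectMapper.class", b"\xca\xfe\xba\xbe")
        jar.writestr("META-INF/maven/com.fasterxml.jackson.core/jackson-databind/pom.properties",
                     "#Generated by Maven\nversion=2.4.0\ngroupId=com.fasterxml.jackson.core\nartifactId=jackson-databind\n")
    return buf.getvalue()
```

The artifactId/version pairs that scan_jar returns are what a scanner or CVE database lookup should be fed; a relocated class list with no matching pom.properties is the case where the version has to be established by other means.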

People

    Assignee: Unassigned
    Reporter: Chris Adams (acdha)