Versions Compared

Comment: Link to web site security page.


Reported vulnerabilities (CVEs) are listed on the security news section on Solr's website.

Known false positives, which used to be listed on this wiki page, are also now listed on the Security web page.

Warning: If you believe you have discovered a vulnerability in Solr, please follow these ASF guidelines for reporting it.

Streaming is disabled by default and is configured from solrconfig.xml:

  <requestParsers enableRemoteStreaming="false" ... />

Solr includes many dependencies which may trigger warnings from a vulnerability scan but which the Solr community has determined are false positives. As a general rule, the Solr PMC will not accept the output of a vulnerability scan as a security report.

The following table lists the dependencies and associated CVEs which are not considered problems for Solr.


Solr Versions | Jar or Path | Related CVEs | Date Added | Status & Notes
--- | --- | --- | --- | ---
5.4.0-today | carrot2-guava-18.0.jar | 2018-10237 | 31 Dec 2018 | Only used with the Carrot2 clustering engine.
4.9.0-7.5.0 | commons-beanutils-1.8.3.jar | 2014-0114 | 6 Jun 2018 | This is only used at compile time and cannot be used to attack Solr. Since it is generally unnecessary, the dependency has been removed as of 7.5.0. See SOLR-12617.
4.6.0-today | commons-compress (only as part of Ant 1.8.2) | 2012-2098, 2018-1324, 2018-11771 | 31 Dec 2018 | Only used in the test framework and at build time.
4.6.0-today | derby-10.9.1.0.jar | | 3 Nov 2018 | Used only in DataImportHandler tests and the example implementation, which should not be used in production.
4.6.0-today | dom4j-1.6.1.jar | 2018-1000632 | 31 Dec 2018 | Only used in Solr tests.
4.6.0-today | guava-*.jar | 2018-10237, etc. | 31 Dec 2018 | Only used in tests.
6.6.1-7.6.0 | hadoop-auth-2.7.4.jar, hadoop-hdfs-2.7.4.jar (all Hadoop) | 2017-15718 | 6 Jun 2018 | Does not impact Solr because Solr uses Hadoop as a client library.
6.0.0-7.5.0 | icu4j-56.1.jar, icu4j-59.1.jar | 2017-14952 | 6 Jun 2018 | Issue applies only to the C++ release of ICU and not ICU4J, which is what Lucene uses. ICU4J is at v63.2 as of Lucene/Solr 7.6.0.
4.7.0-today | jackson-databind-*.jar | 2017-15095, 2017-17485, 2017-7525, 2018-5968, 2018-7489, 2019-12086, 2019-12384, 2018-12814, 2019-14379, 2019-14439, 2020-35490, 2020-35491, 2021-20190; 2019-14540, 2019-16335 | 6 Jun 2018 | Two CVEs, 2019-14540 and 2019-16335, relate to the HikariConfig and HikariDataSource classes, neither of which is used in Solr's code base.
to present
4.6.0-7.6.0 | junit-4.10.jar | 2018-1000056 | 31 Dec 2018 | JUnit is only used in tests; the CVE refers only to a Jenkins plugin not used by Solr.
7.3.1 | lucene-analyzers-icu-7.3.1.jar | 2014-7940, 2016-6293, 2016-7415, 2017-14952, 2017-17484, 2017-7867, 2017-7868 | 6 Jun 2018 | All of these issues apply to the C++ release of ICU and not ICU4J, which is what Lucene uses.
5.2.0-today | org.restlet-2.3.0.jar | 2017-14868, 2017-14949 | 31 Dec 2018 | Solr should not be exposed outside a firewall where bad actors can send HTTP requests. These two CVEs specifically involve classes (SimpleXMLProvider and XmlRepresentation, respectively) that Solr does not use in any code path.
6.5.0-today | protobuf-java-3.1.0.jar | 2015-5237 | 3 Nov 2018 | Dependency for Hadoop and Calcite. ??
5.4.0-7.7.2, 8.0-8.3 | simple-xml-2.7.1.jar | 2018-1471 | 3 Jan 2019 | Dependency of Carrot2 and used during compilation, not at runtime (see SOLR-769). This .jar was replaced in Solr 8.3 and backported to 7.7.3 (see SOLR-13779).
4.x-today | slf4j-api-1.7.24.jar, jcl-over-slf4j-1.7.24.jar, jul-to-slf4j-1.7.24.jar | 2018-8088 | 6 Feb 2019 | The reported CVE impacts org.slf4j.ext.EventData, which is not used in Solr.
7.3.1-7.5.0 | tika-core.1.17.jar (and earlier) | 2018-1335 | 6 Jun 2018 | Solr does not run tika-server, so this is not a problem.
7.3.1-today | tika-core.*.jar (all versions) | various | 6 Jun 2018 | All Tika issues that could be Solr vulnerabilities would only be exploitable if untrusted files are indexed with SolrCell. This is not recommended in production systems, so Solr does not consider these valid CVEs for Solr.
6.6.2-today | velocity-tools-2.0.jar contains Apache Struts 2.0.0 | link to CVEs | 3 Nov 2018 | Solr does not ship a Struts jar. This is a transitive POM listing and not included with Solr (see comment in SOLR-2849).
5.5.5, 6.2.0-today | vorbis-java-tika-0.8.jar | 2016-6809, 2018-1335, 2018-1338, 2018-1339 | 6 Jun 2018 | See ...; reported CVEs are not related to OggVorbis at all.
~2.9-today | xercesImpl-2.9.1.jar | 2012-0881 | 6 Jun 2018 |
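As an added example (not part of this wiki page or of the Solr project), the script below triages scanner findings against a subset of the table above, suppressing a finding only when the jar, the CVE and the running Solr version all match a table row. The jar globs, version ranges and CVE ids are copied from the table; the sample scan lines and the CVE-0000-00000 id are constructed placeholders.

```python
import fnmatch

# Subset of the false-positive table: (jar glob, Solr version ranges, CVE ids); "today" means no upper bound.
KNOWN_FALSE_POSITIVES = [
    ("carrot2-guava-18.0.jar", "5.4.0-today", {"CVE-2018-10237"}),
    ("commons-beanutils-1.8.3.jar", "4.9.0-7.5.0", {"CVE-2014-0114"}),
    ("jackson-databind-*.jar", "4.7.0-today", {"CVE-2017-7525", "CVE-2019-14540", "CVE-2019-16335"}),
    ("simple-xml-2.7.1.jar", "5.4.0-7.7.2, 8.0-8.3", {"CVE-2018-1471"}),
]

# Constructed scanner output (jar then CVE per line); CVE-0000-00000 is a placeholder id.
SAMPLE_SCAN = """\
jackson-databind-2.9.9.jar CVE-2019-14540
commons-beanutils-1.8.3.jar CVE-2014-0114
simple-xml-2.7.1.jar CVE-2018-1471
jackson-databind-2.9.9.jar CVE-0000-00000
""".splitlines()


def parse_version(v):
    """'7.6.0' -> (7, 6, 0); tolerates the table's '4.x' and '~2.9' spellings."""
    return tuple(0 if p == "x" else int(p) for p in v.lstrip("~").split("."))


def in_range(solr_version, ranges):
    """True if solr_version lies in any comma-separated range ('5.4.0-7.7.2, 8.0-8.3'); a bare version matches itself only."""
    ver = parse_version(solr_version)
    for r in ranges.split(","):
        lo, dash, hi = r.strip().partition("-")
        lo_t = parse_version(lo)
        if not dash:
            if ver[:len(lo_t)] == lo_t:
                return True
            continue
        if ver < lo_t:
            continue
        if hi != "today" and ver[:len(parse_version(hi))] > parse_version(hi):
            continue  # short upper bound like '8.3' covers all of 8.3.x
        return True
    return False


def triage(scan_lines, solr_version):
    """Split (jar, cve) findings into those covered by the table and those still needing review."""
    suppressed, needs_review = [], []
    for line in scan_lines:
        jar, _, cve = line.strip().partition(" ")
        if not cve.startswith("CVE-"):
            continue  # skip blank or malformed lines
        known = any(fnmatch.fnmatch(jar, glob) and cve in cves and in_range(solr_version, rng)
                    for glob, rng, cves in KNOWN_FALSE_POSITIVES)
        (suppressed if known else needs_review).append((jar, cve))
    return suppressed, needs_review
```

Run against SAMPLE_SCAN for Solr 7.6.0, the commons-beanutils finding is not suppressed because the table's range ends at 7.5.0, which is exactly the kind of version mismatch worth a second look.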

See the web site Security page for more details on Solr's security status. NOTE: The table that used to be on this page is now on the web site