  1. Solr Search Provider
  2. MGNLEESOLR-229

Remove forced update dependencies when CVEs are fixed by solrj


Details

    • Task
    • Resolution: Unresolved
    • Neutral

    Description

      Currently we force-update the snappy-java, jetty and zookeeper libs brought in by solrj to avoid security vulnerabilities.
      This should be removed when the security vulnerabilities are fixed by a new solrj version.
      For now, the latest 8.x version of solrj, 8.11.2, has not fixed the issues yet.

      Details of the fixed CVEs:

      MGNLEESOLR-192 jetty-http-9.4.44.v20210927: CVE-2022-2047

      MGNLEESOLR-197 snappy-java: CVE-2023-34455, CVE-2023-34454, CVE-2023-34453

      MGNLEESOLR-219
      jetty:
      http2-client-9.4.51.v20230217.jar: CVE-2023-36479, CVE-2023-40167, CVE-2023-41900
      jetty-io-9.4.51.v20230217.jar: CVE-2023-36479, CVE-2023-40167, CVE-2023-41900
      http2-common-9.4.52.v20230823.jar: CVE-2023-44487

      snappy-java-1.1.10.1.jar: CVE-2023-43642

      MGNLEESOLR-224 zookeeper-3.6.2.jar: CVE-2023-44981

            People

              Unassigned Unassigned
              anh.vu Anh Vu
              DeveloperX