FileCloud Security Response Notifications
| FileCloud Versions | Component | Related CVEs | Date Added | Status and Notes |
|---|---|---|---|---|
| <21.3.7 | Solr - Apache Commons Text | CVE-2022-42889 | 20 Oct 2022 | Solr uses commons-text directly (StringEscapeUtils.escapeEcmaScript) in LoadAdminUiServlet; that usage is not vulnerable. Solr also has a "hadoop-auth" module that uses Apache Hadoop, which in turn uses commons-text through commons-configuration2. For Solr, the concern is limited to loading Hadoop configuration files, which would only ever be provided by trusted administrators, never from external (untrusted) sources. |
| <22.1.0.20845 | Solr | CVE-2022-39135 | 20 Nov 2022 | Apache Calcite has a vulnerability, CVE-2022-39135, that is exploitable in Apache Solr in SolrCloud mode. If an untrusted user can supply SQL queries to Solr's "/sql" handler (even indirectly via proxies or other applications), that user could perform an XML External Entity (XXE) attack. Mitigation: If, like most Solr installations, yours does not use SQL functionality, follow the standard Solr security advice of using a firewall. If your Solr installation does use SQL functionality, refer to https://solr.apache.org/security.html#apache-solr-is-vulnerable-to-cve-2022-39135-via-sql-handler to disable it. NOTE: FileCloud does not make Solr publicly available by default. FileCloud does not use SolrCloud, and SolrCloud is not publicly available by default. |