Hyland Community
Help
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 

Alfresco community edition and Apache Solr 6.6.5 vulnerabilities

gilles_lafargue
Champ in-the-making
Champ in-the-making

‎06-11-2024 04:31 AM

Hi,

What is the position of the Alfresco community regarding the dependency with Apache Solr6.6.5 and the CVEs identified on this version (see an extract of the CVEs that can impact Solr in an Alfresco context).

Is there a plan to upgrade to Apache Solr 9.6.1? or an opening to elastic search (not only for the enterprise version)?

CVE-2023-50291

2024-02-08

Apache Solr peut divulguer certains mots de passe en raison d’incohérences dans la logique de rédaction des pro...

Modérée

Apache Solr 6.0.0 à 8.11.2

Apache Solr 9.0.0 avant la version 9.3.0

CVE-2023-50386

2024-02-08

Apache Solr : les API de sauvegarde/restauration permettent le déploiement d’exécutables dans des ConfigSet malveillants

Modérée

Apache Solr 6.0.0 à 8.11.2

Apache Solr 9.0.0 avant la version 9.4.1

CVE-2020-13957

2020-10-12

Les vérifications ajoutées aux téléchargements de configset non authentifiés dans Apache Solr peuvent être contournées

Haut

6.6.0 à 6.6.6, 7.0.0 à 7.7.3, 8.0.0 à 8.6.2

CVE-2019-17558

2019-12-30

Apache Solr RCE via VelocityResponseWriter

Haut

5.0.0 à 8.3.1

Labels:
0 Kudos
4 REPLIES 4

angelborroy
Community Manager Community Manager
Community Manager

‎06-12-2024 02:09 AM

We're addressing these vulnerabilities for the next release of Search Services, that will happen in the following weeks.

Screenshot 2024-06-11 at 12 11 12

Just to note, that in relation to your specific list of CVEs the release will be patching CVE-2020-13957, CVE-2023-50386and CVE-2023-50291. Since Alfresco is not using VelocityResponseWriter, CVE-2019-17558 is not being addressed.

 

Despite Elasticsearch/OpenSearch is the current focus of development, Search Services is still live and maintained.

Additionally, there will be a Community aided support for OpenSearch later this year. Details are available in https://github.com/AlfrescoLabs/alfresco-lisbon-hack-a-thon-2024?tab=readme-ov-file#projects

Please, let me know if you need additional information.

Hyland Developer Evangelist
0 Kudos

pierre_lorson
Champ in-the-making
Champ in-the-making

2 weeks ago

Hello,

Is there any news on a ETA of the new version of search services ? on github, i can only see the 2.0.11-A3 release.

Thanks in advance.

0 Kudos

angelborroy
Community Manager Community Manager
Community Manager
In response to pierre_lorson

2 weeks ago

Latest version is 2.0.15: https://hub.docker.com/r/alfresco/alfresco-search-services/tags

Hyland Developer Evangelist
0 Kudos

pierre_lorson
Champ in-the-making
Champ in-the-making
In response to angelborroy

2 weeks ago

Thanks for your quick response. I apologize for not finding it.

Still, i'm surprised there's no more tags on github. Also, on the release notes blog posts, i can't see any new zip for the search services.

Are the search services only provided in the form of docker images now ?

Also, is there a changelog somewhere where we can see the treated CVEs ? i can't find it.

Thanks again

0 Kudos
Getting started

Explore our Alfresco products with the links below. Use labels to filter content by product module.

Copyright © 2025 Khoros, LLC
Top