06-11-2024 04:31 AM
Hi,
What is the position of the Alfresco community regarding the dependency on Apache Solr 6.6.5 and the CVEs identified in this version (see an extract of the CVEs that can impact Solr in an Alfresco context)?
Is there a plan to upgrade to Apache Solr 9.6.1, or an opening to Elasticsearch (not only for the enterprise version)?
2024-02-08 | Apache Solr can leak certain passwords due to inconsistencies in the logic for redacting pro... | Moderate | Apache Solr 6.0.0 to 8.11.2; Apache Solr 9.0.0 before version 9.3.0 | |
2024-02-08 | Apache Solr: the backup/restore APIs allow the deployment of executables in malicious ConfigSets | Moderate | Apache Solr 6.0.0 to 8.11.2; Apache Solr 9.0.0 before version 9.4.1 | |
2020-10-12 | The checks added to unauthenticated configset uploads in Apache Solr can be bypassed | High | 6.6.0 to 6.6.6, 7.0.0 to 7.7.3, 8.0.0 to 8.6.2 | |
2019-12-30 | High | 5.0.0 to 8.3.1 |
06-12-2024 02:09 AM
We're addressing these vulnerabilities for the next release of Search Services, which will happen in the following weeks.
Just to note that, in relation to your specific list of CVEs, the release will be patching CVE-2020-13957, CVE-2023-50386 and CVE-2023-50291. Since Alfresco is not using VelocityResponseWriter, CVE-2019-17558 is not being addressed.
Although Elasticsearch/OpenSearch is the current focus of development, Search Services is still live and maintained.
Additionally, there will be Community-aided support for OpenSearch later this year. Details are available in https://github.com/AlfrescoLabs/alfresco-lisbon-hack-a-thon-2024?tab=readme-ov-file#projects
Please let me know if you need additional information.
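Added example, not part of the reply above and not Alfresco code: a way to confirm for your own cores that no active VelocityResponseWriter is declared in `solrconfig.xml`, the condition the reply relies on for CVE-2019-17558. The sample configs and function names are constructed for illustration, and the check only covers the XML text passed to it.

```python
import xml.etree.ElementTree as ET

WRITER_SUFFIX = "VelocityResponseWriter"

# Constructed sample configs (not taken from an Alfresco distribution).
SAMPLE_CLEAN = """<config>
  <!-- <queryResponseWriter name="velocity" class="solr.VelocityResponseWriter"/> -->
  <queryResponseWriter name="json" class="solr.JSONResponseWriter"/>
</config>"""

SAMPLE_DECLARED = """<config>
  <queryResponseWriter name="velocity" class="solr.VelocityResponseWriter" startup="lazy">
    <str name="template.base.dir">${velocity.template.base.dir:}</str>
  </queryResponseWriter>
</config>"""


def find_velocity_writers(solrconfig_xml):
    """Return one dict per active <queryResponseWriter> backed by Velocity."""
    # Parsing (rather than grepping) ignores commented-out declarations.
    root = ET.fromstring(solrconfig_xml)
    hits = []
    for node in root.iter("queryResponseWriter"):
        cls = node.get("class", "")
        # Matches both the "solr.X" shorthand and the fully qualified class name.
        if cls.split(".")[-1] == WRITER_SUFFIX:
            # Keep the init params so any enabled options are visible in the report.
            params = {c.get("name"): (c.text or "").strip() for c in node}
            hits.append({"name": node.get("name"), "class": cls, "params": params})
    return hits


def audit(configs):
    """Map each config label to its Velocity writers; None marks unparsable XML."""
    report = {}
    for label, xml_text in configs.items():
        try:
            report[label] = find_velocity_writers(xml_text)
        except ET.ParseError:
            report[label] = None  # review by hand rather than assume it is clean
    return report


if __name__ == "__main__":
    cores = {"core-a": SAMPLE_CLEAN, "core-b": SAMPLE_DECLARED}
    for label, hits in audit(cores).items():
        print(label, hits)
```

An empty list for every core matches the situation described in the reply; a non-empty list or `None` means that core needs a closer look.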