Alfresco community edition and Apache Solr 6.6.5 vulnerabilities

gilles_lafargue (Champ in-the-making)

Hi,

What is the position of the Alfresco community regarding the dependency on Apache Solr 6.6.5 and the CVEs identified for this version (see below an extract of the CVEs that can impact Solr in an Alfresco context)?

Is there a plan to upgrade to Apache Solr 9.6.1, or an opening to Elasticsearch (not only for the Enterprise version)?

CVE-2023-50291 (published 2024-02-08, severity: Moderate)
  Apache Solr may disclose certain passwords due to inconsistencies in the redaction logic for pro...
  Affected: Apache Solr 6.0.0 to 8.11.2; Apache Solr 9.0.0 before 9.3.0

CVE-2023-50386 (published 2024-02-08, severity: Moderate)
  Apache Solr: the backup/restore APIs allow deployment of executables in malicious ConfigSets
  Affected: Apache Solr 6.0.0 to 8.11.2; Apache Solr 9.0.0 before 9.4.1

CVE-2020-13957 (published 2020-10-12, severity: High)
  The checks added to unauthenticated configset uploads in Apache Solr can be bypassed
  Affected: 6.6.0 to 6.6.6, 7.0.0 to 7.7.3, 8.0.0 to 8.6.2

CVE-2019-17558 (published 2019-12-30, severity: High)
  Apache Solr RCE via VelocityResponseWriter
  Affected: 5.0.0 to 8.3.1


angelborroy (Community Manager)

We're addressing these vulnerabilities in the next release of Search Services, which will happen in the coming weeks.


Just to note that, in relation to your specific list of CVEs, the release will be patching CVE-2020-13957, CVE-2023-50386 and CVE-2023-50291. Since Alfresco is not using VelocityResponseWriter, CVE-2019-17558 is not being addressed.


Although Elasticsearch/OpenSearch is the current focus of development, Search Services is still live and maintained.

Additionally, there will be Community-aided support for OpenSearch later this year. Details are available at https://github.com/AlfrescoLabs/alfresco-lisbon-hack-a-thon-2024?tab=readme-ov-file#projects

Please, let me know if you need additional information.

Hyland Developer Evangelist
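As an added example (not code from this thread, from Alfresco or from Hyland), the following Python script applies the two checks a reader would want after this exchange: which CVEs from the list in the question cover a given Solr version, using the version ranges exactly as the post states them, and whether a solrconfig.xml actually registers VelocityResponseWriter, which is the basis given in the reply for leaving CVE-2019-17558 unaddressed. It assumes the stock Solr registration element (`<queryResponseWriter name="velocity" class="solr.VelocityResponseWriter" .../>`); the two config snippets are constructed samples, not Alfresco's files, and the ranges are the post's, not an upstream advisory feed.

```python
"""Check a Solr version and a solrconfig.xml against the CVE list posted in this thread.

Added example. The version ranges are copied from the post above; the solrconfig.xml
layout assumed is the stock Solr one, where VelocityResponseWriter is registered as
<queryResponseWriter name="velocity" class="solr.VelocityResponseWriter" .../>.
"""
import xml.etree.ElementTree as ET

# (lower, upper, upper_inclusive) per range: "X to Y" is inclusive, "X before Y" is exclusive.
# Listed in the same order as the post.
AFFECTED_RANGES = {
    "CVE-2023-50291": [((6, 0, 0), (8, 11, 2), True), ((9, 0, 0), (9, 3, 0), False)],
    "CVE-2023-50386": [((6, 0, 0), (8, 11, 2), True), ((9, 0, 0), (9, 4, 1), False)],
    "CVE-2020-13957": [((6, 6, 0), (6, 6, 6), True), ((7, 0, 0), (7, 7, 3), True),
                       ((8, 0, 0), (8, 6, 2), True)],
    "CVE-2019-17558": [((5, 0, 0), (8, 3, 1), True)],
}


def parse_version(version: str) -> tuple:
    """'6.6.5' -> (6, 6, 5). A trailing qualifier such as '-SNAPSHOT' is dropped."""
    core = version.split("-")[0]
    return tuple(int(part) for part in core.split("."))


def affected_cves(version: str) -> list:
    """Return the CVEs from the post whose listed ranges contain this Solr version.

    Tuple comparison handles multi-digit components correctly, so 8.11.2 > 8.6.2.
    """
    v = parse_version(version)
    hits = []
    for cve, ranges in AFFECTED_RANGES.items():
        for lower, upper, inclusive in ranges:
            if v >= lower and (v <= upper if inclusive else v < upper):
                hits.append(cve)
                break
    return hits


def velocity_writer_registered(solrconfig_xml: str) -> bool:
    """True if solrconfig.xml registers VelocityResponseWriter.

    A startup="lazy" registration still counts: the class is loaded on first use.
    XML comments are discarded by the parser, so a commented-out writer does not count.
    """
    root = ET.fromstring(solrconfig_xml)
    for writer in root.iter("queryResponseWriter"):
        if "VelocityResponseWriter" in writer.get("class", ""):
            return True
    return False


# Constructed sample configs (not Alfresco's real solrconfig.xml files).
SOLRCONFIG_WITH_VELOCITY = """<config>
  <queryResponseWriter name="json" class="solr.JSONResponseWriter"/>
  <queryResponseWriter name="velocity" class="solr.VelocityResponseWriter"
                       startup="lazy" enable="${velocity.enabled:true}"/>
</config>
"""

SOLRCONFIG_WITHOUT_VELOCITY = """<config>
  <queryResponseWriter name="json" class="solr.JSONResponseWriter"/>
  <!-- <queryResponseWriter name="velocity" class="solr.VelocityResponseWriter"/> -->
</config>
"""


if __name__ == "__main__":
    for version in ("6.6.5", "8.11.2", "9.6.1"):
        print(version, affected_cves(version) or "none of the CVEs listed in the post")
    print("velocity writer registered (sample 1):",
          velocity_writer_registered(SOLRCONFIG_WITH_VELOCITY))
    print("velocity writer registered (sample 2):",
          velocity_writer_registered(SOLRCONFIG_WITHOUT_VELOCITY))
```

To run the writer check against a real Search Services core, pass the contents of its solrconfig.xml to `velocity_writer_registered`. A version that falls outside every range means only that it is outside the ranges quoted in this thread; the post says nothing about backported fixes, so confirm against the upstream Solr advisories before treating a build as unaffected.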