Is Apache Solr vulnerable to 'CVE-2022-39135' via /sql handler?

Article ID: KB0070401

Products: ibi WebFOCUS
Versions: All

Description

Is Apache Solr vulnerable to 'CVE-2022-39135' via /sql handler?

Versions Affected:
- Solr 6.5 to 8.11.2
- Solr 9.0

Description:
Apache Calcite has a vulnerability, CVE-2022-39135, that is exploitable in Apache Solr in SolrCloud mode.

Issue/Introduction

Is Apache Solr vulnerable to 'CVE-2022-39135' via /sql handler?

Environment

All

Resolution

Answer: No
Reference: https://solr.apache.org/security.html
2022-11-20, "Apache Solr is vulnerable to CVE-2022-39135 via /sql handler"

Note the vulnerability is only exposed when running in SolrCloud mode.

Information on SolrCloud
https://solr.apache.org/guide/6_6/getting-started-with-solrcloud.html

WebFOCUS does not run Solr in SolrCloud mode by default. If the customer is not running Solr in SolrCloud mode, they are not vulnerable per the CVE.

If you wish to pursue applying remediation, you can upgrade to a version of Solr that resolves CVE-2022-39135.
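Because exposure depends on two facts, the Solr version and whether the instance runs in SolrCloud mode, a quick way to decide whether remediation applies is to read both from Solr's admin system-info endpoint (/solr/admin/info/system), whose JSON response carries a `mode` field ("std" for standalone, "solrcloud" for cloud mode) and the version under `lucene.solr-spec-version`. The script below is an added example, not code from ibi or the Apache Solr project; the base URL, the `fetch_system_info` helper and the three sample responses are constructed for illustration, and the version ranges are the ones listed in this article.

```python
import json
import re
from urllib.parse import urljoin
from urllib.request import urlopen

# Affected ranges as stated in the advisory: Solr 6.5 through 8.11.2, and Solr 9.0.
AFFECTED_RANGES = [((6, 5, 0), (8, 11, 2)), ((9, 0, 0), (9, 0, 0))]


def parse_version(text):
    """Turn a version string such as '8.11.1' (or '6.5') into a comparable int tuple."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised Solr version: {text!r}")
    return tuple(int(part or 0) for part in m.groups())


def version_affected(version):
    """True if the version falls inside one of the advisory's affected ranges."""
    v = parse_version(version)
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


def assess(system_info):
    """Evaluate a decoded /solr/admin/info/system response against the advisory.

    Exposure requires both an affected version and SolrCloud mode; a standalone
    instance on an affected version is reported but not flagged as exposed.
    """
    mode = system_info.get("mode", "std")
    version = system_info["lucene"]["solr-spec-version"]
    cloud = mode.lower() == "solrcloud"
    affected = version_affected(version)
    return {
        "version": version,
        "mode": mode,
        "version_in_affected_range": affected,
        "solrcloud_mode": cloud,
        "exposed": affected and cloud,
        "action": "upgrade Solr to a fixed release" if (affected and cloud) else "none required per advisory",
    }


def fetch_system_info(base_url):
    """Fetch the live system-info JSON from a Solr instance (hypothetical base URL)."""
    url = urljoin(base_url, "/solr/admin/info/system?wt=json")
    with urlopen(url, timeout=10) as resp:
        return json.load(resp)


# Constructed sample responses, trimmed to the two fields the check needs.
SAMPLE_STANDALONE = {"mode": "std", "lucene": {"solr-spec-version": "8.11.1"}}
SAMPLE_CLOUD = {"mode": "solrcloud", "lucene": {"solr-spec-version": "8.11.1"}}
SAMPLE_CLOUD_FIXED = {"mode": "solrcloud", "lucene": {"solr-spec-version": "8.11.3"}}

if __name__ == "__main__":
    for name, sample in (("standalone", SAMPLE_STANDALONE),
                         ("cloud", SAMPLE_CLOUD),
                         ("cloud-fixed", SAMPLE_CLOUD_FIXED)):
        print(name, assess(sample))
    # Against a live instance (assumed URL):
    # print(assess(fetch_system_info("http://localhost:8983")))
```

The standalone sample on 8.11.1 reports the version as in range but `exposed` as false, which is exactly the WebFOCUS default case described above; the same version in SolrCloud mode is flagged, and 8.11.3 in cloud mode is not.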


Additional Information

- https://solr.apache.org/security.html#apache-solr-is-vulnerable-to-cve-2022-39135-via-sql-handler

- https://www.openwall.com/lists/oss-security/2022/11/21/3