Help

Alfresco community edition and Apache Solr 6.6.5 vulnerabilities

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
gilles_lafargue
Partner
‎11 Jun 2024 9:31 AM

Alfresco community edition and Apache Solr 6.6.5 vulnerabilities

Hi,

What is the position of the Alfresco community regarding the dependency with Apache Solr6.6.5 and the CVEs identified on this version (see an extract of the CVEs that can impact Solr in an Alfresco context).

Is there a plan to upgrade to Apache Solr 9.6.1? or an opening to elastic search (not only for the enterprise version)?

CVE-2023-50291

2024-02-08

Apache Solr peut divulguer certains mots de passe en raison d’incohérences dans la logique de rédaction des pro...

Modérée

Apache Solr 6.0.0 à 8.11.2

Apache Solr 9.0.0 avant la version 9.3.0

CVE-2023-50386

2024-02-08

Apache Solr : les API de sauvegarde/restauration permettent le déploiement d’exécutables dans des ConfigSet malveillants

Modérée

Apache Solr 6.0.0 à 8.11.2

Apache Solr 9.0.0 avant la version 9.4.1

CVE-2020-13957

2020-10-12

Les vérifications ajoutées aux téléchargements de configset non authentifiés dans Apache Solr peuvent être contournées

Haut

6.6.0 à 6.6.6, 7.0.0 à 7.7.3, 8.0.0 à 8.6.2

CVE-2019-17558

2019-12-30

Apache Solr RCE via VelocityResponseWriter

Haut

5.0.0 à 8.3.1

Labels
0 Kudos
Reply
1 Reply
angelborroy
Alfresco Employee
‎12 Jun 2024 7:09 AM

Re: Alfresco community edition and Apache Solr 6.6.5 vulnerabilities

We're addressing these vulnerabilities for the next release of Search Services, that will happen in the following weeks.

Screenshot 2024-06-11 at 12 11 12

Just to note, that in relation to your specific list of CVEs the release will be patching CVE-2020-13957, CVE-2023-50386and CVE-2023-50291. Since Alfresco is not using VelocityResponseWriter, CVE-2019-17558 is not being addressed.

 

Despite Elasticsearch/OpenSearch is the current focus of development, Search Services is still live and maintained.

Additionally, there will be a Community aided support for OpenSearch later this year. Details are available in https://github.com/AlfrescoLabs/alfresco-lisbon-hack-a-thon-2024?tab=readme-ov-file#projects

Please, let me know if you need additional information.

Hyland Developer Evangelist
0 Kudos
Reply
Alfresco Content Services Forum

Ask for and offer help to other Alfresco Content Services Users and members of the Alfresco team.

Related links:

We use cookies on this site to enhance your user experience

By using this site, you are agreeing to allow us to collect and use cookies as outlined in Alfresco’s Cookie Statement and Terms of Use (and you have a legitimate interest in Alfresco and our products, authorizing us to contact you in such methods).   If you are not ok with these terms, please do not use this website.