FileCloud Security Response Notifications

| FileCloud Versions | Component | Related CVEs | Date Added | Status and Notes |
|---|---|---|---|---|
| <21.3.7 | Solr - Apache Commons Text | CVE-2022-42889 | 20 Oct 2022 | Solr uses commons-text directly (StringEscapeUtils.escapeEcmaScript) in LoadAdminUiServlet, a usage that is not vulnerable. Solr also has a "hadoop-auth" module that uses Apache Hadoop, which uses commons-text through commons-configuration2. For Solr, the concern is limited to loading Hadoop configuration files, which would only ever be provided by trusted administrators, not externally (untrusted). |
| <22.1.0.20845 | Solr | CVE-2022-39135 | 20 Nov 2022 | Apache Calcite has a vulnerability, CVE-2022-39135, that is exploitable in Apache Solr in SolrCloud mode. If an untrusted user can supply SQL queries to Solr’s “/sql” handler (even indirectly via proxies or other apps), then the user could perform an XML External Entity (XXE) attack. Mitigation: if, like most Solr installations, yours does not use SQL functionality, you can follow the standard Solr security advice of using a firewall. If your Solr installation does use SQL functionality, refer to https://solr.apache.org/security.html#apache-solr-is-vulnerable-to-cve-2022-39135-via-sql-handler to disable it. NOTE: FileCloud does not make Solr publicly available by default. FileCloud does not use SolrCloud, and SolrCloud is not publicly available by default. |