
October 24, 2022

Dipsy Kapoor


If you follow Apache Software Foundation community news, you may have seen that two critical Common Vulnerabilities and Exposures (CVEs) were recently published in the National Vulnerability Database (NVD).

The CVEs are CVE-2022-42889 and CVE-2022-33980, and both have a severity score of 9.8. We want to let our SearchStax Cloud customers know that SearchStax Solr deployments are not vulnerable to either of these CVEs.

If you are interested in learning more about these CVEs, here is a brief description and links to further information.

CVE-2022-42889 – Apache Commons-Text Libraries

CVE-2022-42889 affects the Apache commons-text libraries from 1.5 to 1.10.0. The Solr Security Scanning Tools site reports that Solr uses commons-text directly in LoadAdminUiServlet, in a way that is not vulnerable. Solr’s “hadoop-auth” module also uses commons-text.

SearchStax Solr deployments do not use this Hadoop Authorization Module and are not vulnerable to CVE-2022-42889.

CVE-2022-33980 – Apache Commons Configuration Libraries

The other vulnerability, CVE-2022-33980, affects the Apache commons configuration libraries 2.4 through 2.7. Solr uses commons-configuration2 for “hadoop-auth” only, as again reported by the Solr Security Scanning Tools site.

SearchStax Solr deployments do not use this Hadoop Authorization Module and are not vulnerable to CVE-2022-33980.
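To inventory a self-managed Solr installation for the two libraries discussed above, the following added example (not SearchStax or Solr project code) walks a directory and flags jars whose file-name version falls in the affected ranges. The upper bounds assume 1.10.0 and 2.8.0 are the first fixed releases, as the Apache advisories state; `classify` and `scan` are names chosen for this example.

```python
import re
import sys
from pathlib import Path

# artifact -> (CVE, first affected version, first fixed version).
# Lower bounds come from the article; the "first fixed" values (1.10.0, 2.8.0)
# are an assumption taken from the Apache advisories.
AFFECTED = {
    "commons-text": ("CVE-2022-42889", "1.5", "1.10.0"),
    "commons-configuration2": ("CVE-2022-33980", "2.4", "2.8.0"),
}
JAR_RE = re.compile(r"^(commons-text|commons-configuration2)-(\d+(?:\.\d+)*)\.jar$")


def parse_version(text):
    """Turn '1.9' into (1, 9, 0) so that 1.10 sorts after 1.9, not before."""
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))


def classify(jar_name):
    """Return (artifact, version, cve_or_None) for a matching jar name, else None."""
    m = JAR_RE.match(jar_name)
    if not m:
        return None
    artifact, version = m.group(1), m.group(2)
    cve, first_bad, first_fixed = AFFECTED[artifact]
    hit = parse_version(first_bad) <= parse_version(version) < parse_version(first_fixed)
    return artifact, version, (cve if hit else None)


def scan(root):
    """Walk an install directory and list every commons-text/configuration2 jar."""
    findings = []
    for jar in sorted(Path(root).rglob("*.jar")):
        result = classify(jar.name)
        if result:
            findings.append((str(jar.relative_to(root)), *result))
    return findings


if __name__ == "__main__":
    # Usage: python scan_jars.py /path/to/solr
    for path, artifact, version, cve in scan(sys.argv[1]):
        status = f"in affected range for {cve}" if cve else "outside affected range"
        print(f"{path}: {artifact} {version} {status}")
```

A hit means only that the jar is present on disk; as the article notes, whether it matters depends on which module loads it. Jars that bundle these libraries under another file name are not detected by this name-based check.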

If you are a SearchStax customer and have any further questions, please contact your Customer Success manager.

Dipsy Kapoor | VP, Engineering

Dipsy brings over a decade of large scale search, data alignment, integration, and machine learning experience in building cloud-based software applications. Prior to joining SearchStax, Dipsy worked with both federal and commercial organizations delivering high-value results using big data and machine learning technologies in cloud environments. Dipsy earned her M.S. in Computer Science from the University of Southern California.

“…search should not only be for those organizations with massive search budgets...”
