From time to time, the Apache community announces a new security vulnerability (CVE) that impacts Solr. SearchStax carefully evaluates each threat and takes appropriate action to safeguard our clients. (See the Solr Security News for a comprehensive list of CVEs that have impacted Solr.)
The actions taken by SearchStax depend on the details of the CVE. Many CVEs do not impact the SearchStax Managed Search service, or exploit Solr features that SearchStax deployments do not use. Others are blocked by security features (IP Filtering and Basic Auth) that are routinely applied in SearchStax deployments. In rare cases, SearchStax has modified Solr configuration files for specific versions of Solr to prevent exploits in those versions. SearchStax does not offer Solr versions that have uncorrectable vulnerabilities.
Our actions are detailed in blog posts and documentation pages. If you have any further questions, please contact support@searchstax.com.
- CVE-2024-45217 and CVE-2024-45216 – Affecting deployments using Solr 6.6.0 through 8.11.3 or Solr 9.0.0 through 9.6.x (every 9.x release before 9.7.0). IP Filtering and Basic Authentication provide mitigation. Upgrades to Solr 8.11.4 or Solr 9.7.0 are available. See our blog post for details.
- CVE-2024-3094 – SearchStax systems are deployed on Ubuntu. No released version of Ubuntu was affected by this issue.
- CVE-2023-2650 – SearchStax does not use explicit client authentication with SSL certificates, and because peer certificate chains are limited to 100KiB, customer Solr deployments using Application Gateways or NGINX servers are not susceptible to the denial-of-service impact reported in the security advisory.
- CVE-2023-0286 – SearchStax Infrastructure and our Solr Cloud deployments do not utilize CRL checking and are not vulnerable to CVE-2023-0286.
- CVE-2022-39135 – SearchStax Cloud – Recommended Mitigation for Solr Vulnerability from CVE-2022-39135
- CVE-2022-42889 and CVE-2022-33980 – SearchStax Solr Deployments Are Not Vulnerable to CVE-2022-42889 and CVE-2022-33980
- CVE-2021-45046 and CVE-2021-45105 – Mentioned in How SearchStax is Handling CVE-2021-44228 / Log4j Flaw Vulnerability for Solr
- CVE-2021-44228 – How SearchStax is Handling CVE-2021-44228 / Log4j Flaw Vulnerability for Solr and What is an LDAP Error?
- CVE-2020-13957 – New Vulnerability Identified in Apache Solr — CVE-2020-13957 and Why is the Configset API disabled?
- CVE-2019-0192 – Why is the Config API disabled?
- CVE-2017-12629 – Apache Solr CVE-2017-12629 Security Vulnerability and Response
- Meltdown (CVE-2017-5754) and Spectre (CVE-2017-5753 and CVE-2017-5715) – See How to Protect your Apache Solr Cluster against the Meltdown and Spectre Vulnerabilities and Meltdown and Spectre Handling for Apache Solr Deployments on SearchStax Cloud.
Questions?
Do not hesitate to contact the SearchStax Support Desk.