FileCloud Security Response Notifications

FileCloud Versions: <21.3.7
Component: Solr - Apache Commons Text
Related CVEs: CVE-2022-42889
Date Added: 20 Oct 2022
Status and Notes: Solr uses commons-text directly (StringEscapeUtils.escapeEcmaScript) in LoadAdminUiServlet; that usage is not vulnerable. Solr also has a "hadoop-auth" module that uses Apache Hadoop, which in turn uses commons-text through commons-configuration2. For Solr, the concern is limited to loading Hadoop configuration files, which would only ever be provided by trusted administrators, never from external (untrusted) sources.

FileCloud Versions: <22.1.0.20845
Component: Solr
Related CVEs: CVE-2022-39135
Date Added: 20 Nov 2022
Status and Notes: Apache Calcite has a vulnerability, CVE-2022-39135, that is exploitable in Apache Solr in SolrCloud mode. If an untrusted user can supply SQL queries to Solr's "/sql" handler (even indirectly via proxies or other applications), that user could perform an XML External Entity (XXE) attack.
Mitigation: If, like most Solr installations, yours does not use the SQL functionality, follow the standard Solr security advice of placing Solr behind a firewall. If your Solr installation does use the SQL functionality, refer to https://solr.apache.org/security.html#apache-solr-is-vulnerable-to-cve-2022-39135-via-sql-handler to disable it.
NOTE: FileCloud does not make Solr publicly available by default. FileCloud does not use SolrCloud, and SolrCloud is not publicly available by default.