Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Apache Solr potentially vulnerable to authentication bypass #700

Closed
christian-heusel opened this issue Oct 15, 2024 · 2 comments
Closed
Assignees
Labels
dependencies Pull requests that update a dependency file

Comments

@christian-heusel
Copy link
Member

christian-heusel commented Oct 15, 2024

FYI:

I'm opening this as a public issue since my understanding is that these issues were responsibly disclosed 😊

@Splines
Copy link
Member

Splines commented Oct 16, 2024

Thanks for pointing this out. In the production dockerfile, we use image: solr:8.11. I have digged too long in the net in order to find some information about docker versioning and found almost nothing. The way I understand it is that Docker performs no automatic minor-updates whatsoever, e.g. if we specify 8.11 it won't automatically update to a patch version 8.11.4. The 8.11 is just a string that refers to a tag for docker.

However, for solr on docker hub the tags 8.11.4, 8.11 and 8 all refer to the same Dockerfile here containing ARG SOLR_VERSION="8.11.4". For me, this means that the images 8.11.4, 8.11 and 8 were patched in hindsight.

Note that at MaMpf, we pull the images for every update, so even without something like Watchtower we should pull the new, patched solr-image automatically the next time we push a release.

To verify that we use the patched version, we should find out the exact image number. My idea would be to get the SHA-digest inside the running container and then check on the solr GitHub repo for that hash via the docker inspect command like described here. Or do you know by chance a simpler solution? I couldn't find the "digest ..." line in our logs.

@Splines Splines added the dependencies Pull requests that update a dependency file label Oct 17, 2024
@Splines Splines self-assigned this Oct 17, 2024
@Splines
Copy link
Member

Splines commented Dec 13, 2024

So finally, I've digged deeper to find out how to update the container in our infrastructure and successfully updated to version 8.11.4. Sorry for the long delay and thanks for raising awareness of this issue.

@Splines Splines closed this as completed Dec 13, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
dependencies Pull requests that update a dependency file
Projects
None yet
Development

No branches or pull requests

2 participants