From ad34bfb0a57a0cb9c0f375bb82544f6b20fe53d3 Mon Sep 17 00:00:00 2001 From: "Piotr P. Karwasz" Date: Mon, 4 Aug 2025 15:39:49 +0200 Subject: [PATCH 1/2] [SOLR-17822] Document non-exploitability of CVE-2025-48924 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This update documents that CVE-2025-48924 is **not exploitable** in Apache Solr, based on detailed dependency analysis and code path evaluation. ### Summary Although Solr includes the vulnerable **Commons Lang** library and transitive dependencies such as **Commons Text** and **Commons Configuration**, the conditions required for exploitation are **not met** in any Solr execution paths. ### Detailed Analysis * The vulnerable Commons Lang functionality is only exercised via **Commons Text**. * According to the [Apache Commons Text VEX document](https://raw.githubusercontent.com/apache/commons-text/refs/heads/master/src/conf/security/VEX.cyclonedx.xml), exploitation is limited to the use of **`StringSubstitutor`** and **`StringLookup`**. * These classes are **not used directly** in Solr’s codebase. * Commons Text is only included in two Solr modules: * `solr-sql` * `solr-hadoop-auth` * Neither module makes any direct or indirect use of the vulnerable classes. * The only dependency that uses these classes is **Commons Configuration**, which is pulled in transitively via **Hadoop**. * Specifically, it is used by the `MetricsConfig` class in the `hadoop-common` library. * This code path parses only the `hadoop-metrics2.properties` file, which is considered a **trusted configuration file**, typically provided by the system administrator. As a result, the vulnerable expression interpolation logic is **never invoked with untrusted input**, and Solr **does not meet the conditions for exploitability** outlined in the [Apache Commons Configuration VEX document](https://raw.githubusercontent.com/apache/commons-configuration/refs/heads/master/src/conf/security/VEX.cyclonedx.xml). ### References * [Apache Commons Text VEX document](https://raw.githubusercontent.com/apache/commons-text/refs/heads/master/src/conf/security/VEX.cyclonedx.xml) * [Apache Commons Configuration VEX document](https://raw.githubusercontent.com/apache/commons-configuration/refs/heads/master/src/conf/security/VEX.cyclonedx.xml) --- vex-input.json | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/vex-input.json b/vex-input.json index 2a376ef98..c43a4bf52 100644 --- a/vex-input.json +++ b/vex-input.json @@ -1,4 +1,18 @@ [ + { + "ids": [ + "CVE-2025-48924" + ], + "versions": "9.0.0\u20139.9.0", + "jars": [ + "commons-lang3-.jar" + ], + "analysis": { + "state": "not_affected", + "justification": "code_not_reachable", + "detail": "The vulnerable functionality is only reachable via `commons-configuration2`, which is used in Solr's Hadoop Kerberos support (`solr-hadoop-auth`) to load administrator-provided Hadoop configuration files. As such, the vulnerability is not exploitable in Solr." + } + }, { "ids": [ "CVE-2024-51504" From aa91d0f87a5883aea5741861f517f0a73f903e65 Mon Sep 17 00:00:00 2001 From: Eric Pugh Date: Sun, 21 Jun 2026 15:00:06 -0400 Subject: [PATCH 2/2] Document commons lang vulnerablity --- content/solr/vex/2025-08-04-cve-2025-48924.md | 11 + vex-input.json | 513 ------------------ 2 files changed, 11 insertions(+), 513 deletions(-) create mode 100644 content/solr/vex/2025-08-04-cve-2025-48924.md delete mode 100644 vex-input.json diff --git a/content/solr/vex/2025-08-04-cve-2025-48924.md b/content/solr/vex/2025-08-04-cve-2025-48924.md new file mode 100644 index 000000000..22cbfd3c5 --- /dev/null +++ b/content/solr/vex/2025-08-04-cve-2025-48924.md @@ -0,0 +1,11 @@ +--- +cve: CVE-2025-48924 +category: + - solr/vex +versions: "9.0.0-9.9.0" +analysis: + state: not_affected + justification: "code_not_reachable" +title: "commons-lang3-.jar" +--- +The vulnerable functionality is only reachable via `commons-configuration2`, which is used in Solr's Hadoop Kerberos support (`solr-hadoop-auth`) to load administrator-provided Hadoop configuration files. As such, the vulnerability is not exploitable in Solr. diff --git a/vex-input.json b/vex-input.json deleted file mode 100644 index c43a4bf52..000000000 --- a/vex-input.json +++ /dev/null @@ -1,513 +0,0 @@ -[ - { - "ids": [ - "CVE-2025-48924" - ], - "versions": "9.0.0\u20139.9.0", - "jars": [ - "commons-lang3-.jar" - ], - "analysis": { - "state": "not_affected", - "justification": "code_not_reachable", - "detail": "The vulnerable functionality is only reachable via `commons-configuration2`, which is used in Solr's Hadoop Kerberos support (`solr-hadoop-auth`) to load administrator-provided Hadoop configuration files. As such, the vulnerability is not exploitable in Solr." - } - }, - { - "ids": [ - "CVE-2024-51504" - ], - "versions": "9.4.0\u20139.8.1", - "jars": [ - "zookeeper-3.9.0.jar", - "zookeeper-3.9.1.jar", - "zookeeper-3.9.2.jar" - ], - "analysis": { - "state": "not_affected", - "justification": "requires_configuration", - "detail": "Solr production deployments are unlikely to be affected.\nExploitation requires Solr to run in SolrCloud mode with the embedded (non-production) Zookeeper server.\nIt also requires the Zookeeper Admin Server to be manually enabled in the configuration." - } - }, - { - "ids": [ - "CVE-2024-6763" - ], - "versions": "< 9.8", - "jars": [ - "jetty-http-10.0.22.jar" - ], - "analysis": { - "state": "not_affected", - "detail": "Solr does not use the Jetty \"HttpURI\" utility class necessary for the vulnerability." - } - }, - { - "ids": [ - "CVE-2022-33980" - ], - "versions": "< 9.1", - "jars": [ - "commons-configuration2-2.7.jar" - ], - "analysis": { - "state": "not_affected", - "detail": "Solr uses commons-configuration2 for \"hadoop-auth\" only (for Kerberos). It is only used for loading Hadoop configuration files that would only ever be provided by trusted administrators, not externally (untrusted)." - } - }, - { - "ids": [ - "CVE-2022-42889" - ], - "versions": "< 9.1", - "jars": [ - "commons-text-1.9.jar" - ], - "analysis": { - "state": "not_affected", - "detail": "Solr uses commons-text directly (StringEscapeUtils.escapeEcmaScript) in LoadAdminUiServlet that is not vulnerable. Solr also has a \"hadoop-auth\" module that uses Apache Hadoop which uses commons-text through commons-configuration2. For Solr, the concern is limited to loading Hadoop configuration files that would only ever be provided by trusted administrators, not externally (untrusted)." - } - }, - { - "ids": [ - "CVE-2022-25168" - ], - "versions": "< 9.1", - "jars": [ - "hadoop-common-3.2.2.jar" - ], - "analysis": { - "state": "not_affected", - "detail": "The vulnerable code won't be used by Solr because Solr only is only using HDFS as a client." - } - }, - { - "ids": [ - "CVE-2021-44832" - ], - "versions": "7.4-8.11.1", - "jars": [ - "log4j-core-2.14.1.jar", - "log4j-core-2.16.0.jar" - ], - "analysis": { - "state": "not_affected", - "detail": "Solr's default log configuration doesn't use JDBCAppender and we don't imagine a user would want to use it or other obscure appenders." - } - }, - { - "ids": [ - "CVE-2021-45105", - "CVE-2021-45046" - ], - "versions": "7.4-8.11.1", - "jars": [ - "log4j-core-2.14.1.jar", - "log4j-core-2.16.0.jar" - ], - "analysis": { - "state": "not_affected", - "detail": "The MDC data used by Solr are for the collection, shard, replica, core and node names, and a potential trace id, which are all sanitized. Furthermore, Solr's default log configuration doesn't use double-dollar-sign and we don't imagine a user would want to do that." - } - }, - { - "ids": [ - "CVE-2020-13955" - ], - "versions": "8.1.0- today", - "jars": [ - "avatica-core-1.13.0.jar", - "calcite-core-1.18.0.jar" - ], - "analysis": { - "state": "not_affected", - "detail": "Solr's SQL adapter does not use the vulnerable class \"HttpUtils\". Calcite only used it to talk to Druid or Splunk." - } - }, - { - "ids": [ - "CVE-2018-10237" - ], - "versions": "5.4.0-today", - "jars": [ - "carrot2-guava-18.0.jar" - ], - "analysis": { - "state": "not_affected", - "detail": "Only used with the Carrot2 clustering engine." - } - }, - { - "ids": [ - "CVE-2014-0114" - ], - "versions": "4.9.0-7.5.0", - "jars": [ - "commons-beanutils-1.8.3.jar" - ], - "analysis": { - "state": "not_affected", - "detail": "This is only used at compile time and it cannot be used to attack Solr. Since it is generally unnecessary, the dependency has been removed as of 7.5.0. See SOLR-12617." - } - }, - { - "ids": [ - "CVE-2019-10086" - ], - "versions": "8.0.0-8.3.0", - "jars": [ - "commons-beanutils-1.9.3.jar" - ], - "analysis": { - "state": "not_affected", - "detail": "While commons-beanutils was removed in 7.5, it was added back in 8.0 in error and removed again in 8.3. The vulnerable class was not used in any Solr code path. This jar remains a dependency of both Velocity and hadoop-common, but Solr does not use it in our implementations." - } - }, - { - "ids": [ - "CVE-2012-2098", - "CVE-2018-1324", - "CVE-2018-11771" - ], - "versions": "4.6.0-today", - "jars": [ - "commons-compress (only as part of Ant 1.8.2)" - ], - "analysis": { - "state": "not_affected", - "detail": "Only used in test framework and at build time." - } - }, - { - "ids": [ - "CVE-2018-1000632" - ], - "versions": "4.6.0-today", - "jars": [ - "dom4j-1.6.1.jar" - ], - "analysis": { - "state": "not_affected", - "detail": "Only used in Solr tests." - } - }, - { - "ids": [ - "CVE-2018-10237" - ], - "versions": "4.6.0-today", - "jars": [ - "guava-*.jar" - ], - "analysis": { - "state": "not_affected", - "detail": "Only used in tests." - } - }, - { - "ids": [ - "CVE-2017-15718" - ], - "versions": "6.6.1-7.6.0", - "jars": [ - "hadoop-auth-2.7.4.jar", - "hadoop-hdfs-2.7.4.jar (all Hadoop)" - ], - "analysis": { - "state": "not_affected", - "detail": "Does not impact Solr because Solr uses Hadoop as a client library." - } - }, - { - "ids": [ - "CVE-2017-14952" - ], - "versions": "6.0.0-7.5.0", - "jars": [ - "icu4j-56.1.jar", - "icu4j-59.1.jar" - ], - "analysis": { - "state": "not_affected", - "detail": "Issue applies only to the C++ release of ICU and not ICU4J, which is what Lucene uses. ICU4J is at v63.2 as of Lucene/Solr 7.6.0" - } - }, - { - "ids": [ - "CVE-2017-15095", - "CVE-2017-17485", - "CVE-2017-7525", - "CVE-2018-5968", - "CVE-2018-7489", - "CVE-2019-12086", - "CVE-2019-12384", - "CVE-2018-12814", - "CVE-2019-14379", - "CVE-2019-14439", - "CVE-2020-35490", - "CVE-2020-35491", - "CVE-2021-20190", - "CVE-2019-14540", - "CVE-2019-16335" - ], - "versions": "4.7.0-today", - "jars": [ - "jackson-databind-*.jar" - ], - "analysis": { - "state": "not_affected", - "detail": "These CVEs, and most of the known jackson-databind CVEs since 2017, are all related to problematic 'gadgets' that could be exploited during deserialization of untrusted data. The Jackson developers described 4 conditions that must be met in order for a problematic gadget to be exploited. See https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062. Solr's use of jackson-databind does not meet 1 of the 4 conditions described which makes these CVEs unexploitable. The specific condition that Solr does not meet is the 3rd one: 'Enable polymorphic type handling' Solr does not include any polymorphic type handling, and Solr does not configure jackson-databind de/serialization to expect or include class names in serialized JSON. Two CVEs, 2019-14540 & 2019-16335, are related to HikariConfig and HikariDataSource classes, neither of which are used in Solr's code base." - } - }, - { - "ids": [ - "CVE-2019-10241", - "CVE-2019-10247" - ], - "versions": "7.7.0-8.2", - "jars": [ - "jetty-9.4.14" - ], - "analysis": { - "state": "not_affected", - "detail": "Solr upgraded to Jetty 9.4.19 for the 8.2 release. Additionally, the path to exploit these vulnerabilities was fixed in 8.1 and 7.7.2. Earlier versions can manually patch their configurations as described in SOLR-13409." - } - }, - { - "ids": [ - "CVE-2020-27218" - ], - "versions": "7.3.0-8.8.0", - "jars": [ - "jetty-9.4.0 to 9.4.34" - ], - "analysis": { - "state": "not_affected", - "detail": "Only exploitable through use of Jetty's GzipHandler, which is only implemented in Embedded Solr Server." - } - }, - { - "ids": [ - "CVE-2020-27223" - ], - "versions": "7.3.0-present", - "jars": [ - "jetty-9.4.6 to 9.4.36" - ], - "analysis": { - "state": "not_affected", - "detail": "Only exploitable if Solr's webapp directory is deployed as a symlink, which is not Solr's default." - } - }, - { - "ids": [ - "CVE-2021-33813" - ], - "versions": "to present", - "jars": [ - "jdom-*.jar" - ], - "analysis": { - "state": "not_affected", - "detail": "JDOM is only used in Solr Cell, which should not be used in production which makes the vulnerability unexploitable. It is a dependency of Apache Tika, which has analyzed the issue and determined the vulnerability is limited to two libraries not commonly used in search applications, see TIKA-3488 for details. Since Tika should be used outside of Solr, use a version of Tika which updates the affected libraries if concerned about exposure to this issue." - } - }, - { - "ids": [ - "CVE-2018-1000056" - ], - "versions": "4.6.0-7.6.0", - "jars": [ - "junit-4.10.jar" - ], - "analysis": { - "state": "not_affected", - "detail": "JUnit only used in tests; CVE only refers to a Jenkins plugin not used by Solr." - } - }, - { - "ids": [ - "CVE-2014-7940", - "CVE-2016-6293", - "CVE-2016-7415", - "CVE-2017-14952", - "CVE-2017-17484", - "CVE-2017-7867", - "CVE-2017-7868" - ], - "versions": "7.3.1", - "jars": [ - "lucene-analyzers-icu-7.3.1.jar" - ], - "analysis": { - "state": "not_affected", - "detail": "All of these issues apply to the C++ release of ICU and not ICU4J, which is what Lucene uses." - } - }, - { - "ids": [ - "CVE-2019-16869" - ], - "versions": "8.2-8.3", - "jars": [ - "netty-all-4.1.29.Final.jar" - ], - "analysis": { - "state": "not_affected", - "detail": "This is not included in Solr but is a dependency of ZooKeeper 3.5.5. The version was upgraded in ZooKeeper 3.5.6, included with Solr 8.3. The specific classes mentioned in the CVE are not used in Solr (nor in ZooKeeper as far as the Solr community can determine)." - } - }, - { - "ids": [ - "CVE-2017-14868", - "CVE-2017-14949" - ], - "versions": "5.2.0-today", - "jars": [ - "org.restlet-2.3.0.jar" - ], - "analysis": { - "state": "not_affected", - "detail": "Solr should not be exposed outside a firewall where bad actors can send HTTP requests. These two CVEs specifically involve classes (SimpleXMLProvider and XmlRepresentation, respectively) that Solr does not use in any code path." - } - }, - { - "ids": [ - "CVE-2015-5237" - ], - "versions": "6.5.0-today", - "jars": [ - "protobuf-java-3.1.0.jar" - ], - "analysis": { - "state": "not_affected", - "detail": "Dependency for Hadoop and Calcite. ??" - } - }, - { - "ids": [ - "CVE-2018-1471" - ], - "versions": "5.4.0-7.7.2, 8.0-8.3", - "jars": [ - "simple-xml-2.7.1.jar" - ], - "analysis": { - "state": "not_affected", - "detail": "Dependency of Carrot2 and used during compilation, not at runtime (see SOLR-769. This .jar was replaced in Solr 8.3 and backported to 7.7.3 (see SOLR-13779)." - } - }, - { - "ids": [ - "CVE-2018-8088" - ], - "versions": "4.x-today", - "jars": [ - "slf4j-api-1.7.24.jar", - "jcl-over-slf4j-1.7.24.jar", - "jul-to-slf4j-1.7.24.jar" - ], - "analysis": { - "state": "not_affected", - "detail": "The reported CVE impacts org.slf4j.ext.EventData, which is not used in Solr." - } - }, - { - "ids": [ - "CVE-2018-1335" - ], - "versions": "7.3.1-7.5.0", - "jars": [ - "tika-core.1.17.jar" - ], - "analysis": { - "state": "not_affected", - "detail": "Solr does not run tika-server, so this is not a problem." - } - }, - { - "ids": [ - "CVE-" - ], - "versions": "7.3.1-today", - "jars": [ - "tika-core.*.jar" - ], - "analysis": { - "state": "not_affected", - "detail": "All Tika issues that could be Solr vulnerabilities would only be exploitable if untrusted files are indexed with SolrCell. This is not recommended in production systems, so Solr does not consider these valid CVEs for Solr." - } - }, - { - "ids": [ - "CVE-" - ], - "versions": "6.6.2-today", - "jars": [ - "velocity-tools-2.0.jar" - ], - "analysis": { - "state": "not_affected", - "detail": "Solr does not ship a Struts jar. This is a transitive POM listing and not included with Solr (see comment in SOLR-2849)." - } - }, - { - "ids": [ - "CVE-2016-6809", - "CVE-2018-1335", - "CVE-2018-1338", - "CVE-2018-1339" - ], - "versions": "5.5.5, 6.2.0-today", - "jars": [ - "vorbis-java-tika-0.8.jar" - ], - "analysis": { - "state": "not_affected", - "detail": "See https://github.com/Gagravarr/VorbisJava/issues/30; reported CVEs are not related to OggVorbis at all." - } - }, - { - "ids": [ - "CVE-2012-0881" - ], - "versions": "~2.9-today", - "jars": [ - "xercesImpl-2.9.1.jar" - ], - "analysis": { - "state": "not_affected", - "detail": "Only used in Lucene Benchmarks and Solr tests." - } - }, - { - "ids": [ - "CVE-2022-39135" - ], - "versions": "6.5-8.11.2, 9.0", - "jars": [ - "calcite-1.31.0.jar" - ], - "analysis": { - "state": "exploitable", - "response": [ - "update" - ], - "detail": "Apache Calcite has a vulnerability, CVE-2022-39135, that is exploitable in Apache Solr in SolrCloud mode. If an untrusted user can supply SQL queries to Solr's '/sql' handler (even indirectly via proxies / other apps), then the user could perform an XML External Entity (XXE) attack. This might have been exposed by some deployers of Solr in order for internal analysts to use JDBC based tooling, but would have unlikely been granted to wider audiences." - } - }, - { - "ids": [ - "CVE-2023-51074", - "GHSA-pfh2-hfmq-phg5" - ], - "versions": "all", - "jars": [ - "json-path-2.8.0.jar" - ], - "analysis": { - "state": "not_affected", - "detail": "The only places we use json-path is for querying (via Calcite) and for transforming/indexing custom JSON. Since the advisory describes a problem that is limited to the current thread, and users that are allowed to query/transform/index are already trusted to cause load to some extent, this advisory does not appear to have impact on the way json-path is used in Solr." - } - } -]