CVE-2023-2976 bitnami/solr:latest fix #68551

Open
varsha-rav opened this issue Jul 1, 2024 · 1 comment
Labels
solr tech-issues The user has a technical issue about an application

Comments

@varsha-rav

Platform

Installers

bndiagnostic ID

NA

bndiagnostic output

solr-bitnami-latest.csv

bndiagnostic was not useful. Could you please tell us why?

Not related

Describe your issue as much as you can

Hi, we're using bitnami/solr latest in our application and were made aware of an open vulnerability, CVE-2023-2976 (report attached), for the package com.google.guava_guava, which is fixed in version 32.0.0. The current version in the latest Bitnami image is 30.1.1-jre.
Can we please have an ETA as to when this CVE will be fixed, as this is an overdue vulnerability in our Red Hat OpenShift cluster?
Thanks

@varsha-rav varsha-rav added the tech-issues The user has a technical issue about an application label Jul 1, 2024
@github-actions github-actions bot added the triage Triage is needed label Jul 1, 2024
@gongomgra gongomgra transferred this issue from bitnami/vms Jul 2, 2024
@gongomgra
Contributor

Hi @varsha-rav,

Thanks for using Bitnami. I have checked the same bitnami/solr:latest image with sha256:3ad13caa55bed205031d548926ef5fa5393897da59703f2eec5afdf1401709dd that you are using, and it is true that the CVE is listed as fixable:

$ trivy image --vuln-type library bitnami/solr:latest
2024-07-02T09:51:42+02:00       INFO    Vulnerability scanning is enabled
2024-07-02T09:51:42+02:00       INFO    Secret scanning is enabled
2024-07-02T09:51:42+02:00       INFO    If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-07-02T09:51:42+02:00       INFO    Please see also https://aquasecurity.github.io/trivy/v0.52/docs/scanner/secret/#recommendation for faster secret detection
2024-07-02T09:51:42+02:00       INFO    Number of language-specific files       num=3
2024-07-02T09:51:42+02:00       INFO    [bitnami] Detecting vulnerabilities...
2024-07-02T09:51:42+02:00       INFO    [jar] Detecting vulnerabilities...
2024-07-02T09:51:42+02:00       INFO    Table result includes only package filenames. Use '--format json' option to get the full path to the package file.

Java (jar)

Total: 8 (UNKNOWN: 0, LOW: 1, MEDIUM: 7, HIGH: 0, CRITICAL: 0)

┌───────────────────────────────────────────────────────────┬────────────────┬──────────┬──────────┬───────────────────┬────────────────┬─────────────────────────────────────────────────────────────┐
│                          Library                          │ Vulnerability  │ Severity │  Status  │ Installed Version │ Fixed Version  │                            Title                            │
├───────────────────────────────────────────────────────────┼────────────────┼──────────┼──────────┼───────────────────┼────────────────┼─────────────────────────────────────────────────────────────┤
│ com.google.guava:guava (hadoop-shaded-guava-1.1.1.jar)    │ CVE-2023-2976  │ MEDIUM   │ fixed    │ 30.1.1-jre        │ 32.0.0-android │ guava: insecure temporary directory creation                │
│                                                           │                │          │          │                   │                │ https://avd.aquasec.com/nvd/cve-2023-2976                   │
│                                                           ├────────────────┼──────────┤          │                   │                ├─────────────────────────────────────────────────────────────┤
│                                                           │ CVE-2020-8908  │ LOW      │          │                   │                │ guava: local information disclosure via temporary directory │
│                                                           │                │          │          │                   │                │ created with unsafe permissions                             │
│                                                           │                │          │          │                   │                │ https://avd.aquasec.com/nvd/cve-2020-8908                   │
├───────────────────────────────────────────────────────────┼────────────────┼──────────┤          ├───────────────────┼────────────────┼─────────────────────────────────────────────────────────────┤
│ org.apache.james:apache-mime4j-core                       │ CVE-2024-21742 │ MEDIUM   │          │ 0.8.4             │ 0.8.10         │ : Apache James Mime4J: Mime4J DOM header injection          │
│ (apache-mime4j-core-0.8.4.jar)                            │                │          │          │                   │                │ https://avd.aquasec.com/nvd/cve-2024-21742                  │
├───────────────────────────────────────────────────────────┼────────────────┤          │          ├───────────────────┼────────────────┼─────────────────────────────────────────────────────────────┤
│ org.apache.zookeeper:zookeeper (zookeeper-3.9.1.jar)      │ CVE-2024-23944 │          │          │ 3.9.1             │ 3.8.4, 3.9.2   │ Information disclosure in persistent watchers handling in   │
│                                                           │                │          │          │                   │                │ Apache ZooKe ...                                            │
│                                                           │                │          │          │                   │                │ https://avd.aquasec.com/nvd/cve-2024-23944                  │
├───────────────────────────────────────────────────────────┼────────────────┤          ├──────────┼───────────────────┼────────────────┼─────────────────────────────────────────────────────────────┤
│ org.bouncycastle:bcprov-jdk15on (bcprov-jdk15on-1.70.jar) │ CVE-2023-33201 │          │ affected │ 1.70              │                │ bouncycastle: potential blind LDAP injection attack using a │
│                                                           │                │          │          │                   │                │ self-signed certificate                                     │
│                                                           │                │          │          │                   │                │ https://avd.aquasec.com/nvd/cve-2023-33201                  │
│                                                           ├────────────────┤          ├──────────┤                   ├────────────────┼─────────────────────────────────────────────────────────────┤
│                                                           │ CVE-2024-29857 │          │ fixed    │                   │ 1.78           │ org.bouncycastle: Importing an EC certificate with crafted  │
│                                                           │                │          │          │                   │                │ F2m parameters may lead to...                               │
│                                                           │                │          │          │                   │                │ https://avd.aquasec.com/nvd/cve-2024-29857                  │
│                                                           ├────────────────┤          │          │                   │                ├─────────────────────────────────────────────────────────────┤
│                                                           │ CVE-2024-30171 │          │          │                   │                │ bc-java: BouncyCastle vulnerable to a timing variant of     │
│                                                           │                │          │          │                   │                │ Bleichenbacher (Marvin Attack)                              │
│                                                           │                │          │          │                   │                │ https://avd.aquasec.com/nvd/cve-2024-30171                  │
│                                                           ├────────────────┤          │          │                   │                ├─────────────────────────────────────────────────────────────┤
│                                                           │ CVE-2024-30172 │          │          │                   │                │ org.bouncycastle:bcprov-jdk18on: Infinite loop in ED25519   │
│                                                           │                │          │          │                   │                │ verification in the ScalarUtil class                        │
│                                                           │                │          │          │                   │                │ https://avd.aquasec.com/nvd/cve-2024-30172                  │
└───────────────────────────────────────────────────────────┴────────────────┴──────────┴──────────┴───────────────────┴────────────────┴─────────────────────────────────────────────────────────────┘

As shown above, the issue affects the hadoop-shaded-guava-1.1.1.jar file, which is included in our image. However, we do not have control over the version of this component that the Solr application requires. It is defined by the Solr developers in their versions.lock file, an extract of which you can find below:

org.apache.hadoop:hadoop-common:3.3.6 (1 constraints: 0e050936)
org.apache.hadoop.thirdparty:hadoop-shaded-guava:1.1.1 (1 constraints: 0505f435)
org.apache.httpcomponents:httpclient:4.5.14 (9 constraints: 62806342)

You will have to report it to the Solr developers and ask them to release a new version of their application including a fix for the CVE. Hope it helps!

@gongomgra gongomgra added solr and removed triage Triage is needed labels Jul 2, 2024
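As an added example (not code from this issue, Bitnami or Solr), the Python helper below reads the `--format json` output that the Trivy run above points to and classifies a CVE the way the reply does: no fix published yet, an upgrade the image builder can apply, or a library bundled inside a differently named artifact (here hadoop-shaded-guava) that only the upstream project can replace. The sample JSON is constructed from the values in the table above; the `PLACEHOLDER/` directories stand in for the full jar paths, which the comment does not show.

```python
import json
import posixpath
from collections import namedtuple

# Constructed sample in the layout of `trivy image --format json` (Results[].Vulnerabilities[]);
# CVE ids and versions mirror the table above, PkgPath directories are placeholders (not from the page).
SAMPLE_TRIVY_JSON = """{"Results": [{"Target": "Java", "Class": "lang-pkgs", "Type": "jar",
 "Vulnerabilities": [
  {"VulnerabilityID": "CVE-2023-2976", "PkgName": "com.google.guava:guava",
   "PkgPath": "PLACEHOLDER/hadoop-shaded-guava-1.1.1.jar", "InstalledVersion": "30.1.1-jre",
   "FixedVersion": "32.0.0-android", "Status": "fixed", "Severity": "MEDIUM"},
  {"VulnerabilityID": "CVE-2023-33201", "PkgName": "org.bouncycastle:bcprov-jdk15on",
   "PkgPath": "PLACEHOLDER/bcprov-jdk15on-1.70.jar", "InstalledVersion": "1.70",
   "FixedVersion": "", "Status": "affected", "Severity": "MEDIUM"},
  {"VulnerabilityID": "CVE-2024-29857", "PkgName": "org.bouncycastle:bcprov-jdk15on",
   "PkgPath": "PLACEHOLDER/bcprov-jdk15on-1.70.jar", "InstalledVersion": "1.70",
   "FixedVersion": "1.78", "Status": "fixed", "Severity": "MEDIUM"}]}]}"""

# pkg: Maven coordinates as Trivy reports them; jar: file name the library was found in
Finding = namedtuple("Finding", "cve pkg jar installed fixed status")

def load_findings(trivy_json: str) -> list:
    """Flatten Trivy JSON into one Finding per (CVE, jar) pair."""
    out = []
    for result in json.loads(trivy_json).get("Results", []):
        for v in result.get("Vulnerabilities") or []:
            out.append(Finding(v["VulnerabilityID"], v["PkgName"],
                               posixpath.basename(v.get("PkgPath", "")),
                               v["InstalledVersion"], v.get("FixedVersion", ""),
                               v.get("Status", "")))
    return out

def is_shaded(f) -> bool:
    """True when the library is bundled inside a differently named artifact: Trivy names
    the embedded guava 30.1.1, but the file on disk is hadoop-shaded-guava-1.1.1.jar, so
    bumping guava itself cannot clear the finding; the bundling artifact must change."""
    artifact_id = f.pkg.split(":")[-1]
    return not f.jar.startswith(artifact_id + "-")

def triage(findings, cve: str) -> dict:
    """Decide who can act on a CVE: nobody yet, the image builder, or the upstream project."""
    hits = [f for f in findings if f.cve == cve]
    if not hits:
        return {"cve": cve, "action": "not_present"}
    f = hits[0]
    if f.status != "fixed" or not f.fixed:
        return {"cve": cve, "jar": f.jar, "action": "no_fix_available"}
    if is_shaded(f):
        return {"cve": cve, "jar": f.jar, "action": "upstream",
                "detail": f"{f.pkg} {f.installed} is bundled in {f.jar}; needs a newer bundling artifact"}
    return {"cve": cve, "jar": f.jar, "action": "upgrade", "detail": f"{f.pkg} {f.installed} -> {f.fixed}"}
```

Running `triage(load_findings(SAMPLE_TRIVY_JSON), "CVE-2023-2976")` yields the "upstream" action, which is the situation the reply describes: the fix is a version bump in Solr's own dependency lock, not in the image.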