Apache Solr potentially vulnerable to authentication bypass

[christian-heusel]

FYI:

• https://www.openwall.com/lists/oss-security/2024/10/15/9
• https://www.openwall.com/lists/oss-security/2024/10/15/8

I'm opening this as a public issue since my understanding is that these issues were responsibly disclosed 😊

[Splines]

Thanks for pointing this out. In the production dockerfile, we use image: solr:8.11. I have digged too long in the net in order to find some information about docker versioning and found almost nothing. The way I understand it is that Docker performs no automatic minor-updates whatsoever, e.g. if we specify 8.11 it won't automatically update to a patch version 8.11.4. The 8.11 is just a string that refers to a tag for docker.

However, for solr on docker hub the tags 8.11.4, 8.11 and 8 all refer to the same Dockerfile here containing ARG SOLR_VERSION="8.11.4". For me, this means that the images 8.11.4, 8.11 and 8 were patched in hindsight.

Note that at MaMpf, we pull the images for every update, so even without something like Watchtower we should pull the new, patched solr-image automatically the next time we push a release.

To verify that we use the patched version, we should find out the exact image number. My idea would be to get the SHA-digest inside the running container and then check on the solr GitHub repo for that hash via the docker inspect command like described here. Or do you know by chance a simpler solution? I couldn't find the "digest ..." line in our logs.