https://bugzilla.redhat.com/show_bug.cgi?id=1501529
--- Comment #12 from Stefan Cornelius <scorneli(a)redhat.com> ---
Statement:
The following products are not affected by this flaw, as they do not use the
vulnerable functionality of either aspect of the issue.
Red Hat JBoss Enterprise Application Platform 6
Red Hat JBoss BPM Suite
Red Hat JBoss BRMS
Red Hat JBoss Enterprise Application Platform 7 is not affected by this flaw.
However, it does ship the vulnerable Lucene class in a dependency to another
component. Customers who reuse the lucene-queryparser jar in their applications
may be vulnerable to the External Entity Expansion aspect of this flaw. This
will be patched in a forthcoming release.
Red Hat JBoss Fuse is not affected by this flaw, as it does not use the
vulnerable functionality of either aspect of this flaw. Fuse customers who may
be running external Solr servers, while not affected from the Fuse side, are
advised to secure their Solr servers as recommended in the mitigation provided.
The following products ship only the Lucene components relevant to this flaw,
and are not vulnerable to the second portion of the vulnerability, the code
execution exploit. As such, the impact of this flaw has been determined to be
Moderate for these respective products:
Red Hat JBoss Data Grid 7
Red Hat Single Sign-On 7
Red Hat Enterprise Linux 6
Red Hat Software Collections 2.4
Red Hat JBoss Portal Platform 6 ships only the Solr components relevant to this
flaw, and is not vulnerable to the first portion of the vulnerability, the
external entity expansion. As such, the impact of this flaw has been determined
to be Moderate for this product. Customers are advised to disable changes to
the Config API until a component fix is available; see mitigation text for
details.
This issue did not affect the versions of lucene as shipped with Red Hat
Enterprise Linux 5.
--
You are receiving this mail because:
You are on the CC list for the bug.
https://bugzilla.redhat.com/show_bug.cgi?id=1501529
--- Comment #11 from Chess Hazlett <chazlett(a)redhat.com> ---
Statement:
The following products are not affected by this flaw, as they do not use the
vulnerable functionality of either aspect of the issue.
Red Hat JBoss Enterprise Application Platform 6
Red Hat JBoss BPM Suite
Red Hat JBoss BRMS
Red Hat JBoss Enterprise Application Platform 7 is not affected by this flaw.
However, it does ship the vulnerable Lucene class in a dependency to another
component. Customers who reuse the lucene-queryparser jar in their applications
may be vulnerable to the External Entity Expansion aspect of this flaw. This
will be patched in a forthcoming release.
Red Hat JBoss Fuse is not affected by this flaw, as it does not use the
vulnerable functionality of either aspect of this flaw. Fuse customers who may
be running external Solr servers, while not affected from the Fuse side, are
advised to secure their Solr servers as recommended in the mitigation provided.
The following products ship only the Lucene components relevant to this flaw,
and are not vulnerable to the second portion of the vulnerability, the code
execution exploit. As such, the impact of this flaw has been determined to be
Moderate for these respective products:
Red Hat JBoss Data Grid 7
Red Hat Single Sign-On 7
Red Hat JBoss Portal Platform 6 ships only the Solr components relevant to this
flaw, and is not vulnerable to the first portion of the vulnerability, the
external entity expansion. As such, the impact of this flaw has been determined
to be Moderate for this product. Customers are advised to disable changes to
the Config API until a component fix is available; see mitigation text for
details.
--
You are receiving this mail because:
You are on the CC list for the bug.
https://bugzilla.redhat.com/show_bug.cgi?id=1501529
Jakub Svoboda <jsvoboda(a)redhat.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Blocks| |1501772
--
You are receiving this mail because:
You are on the CC list for the bug.
https://bugzilla.redhat.com/show_bug.cgi?id=1501529
Andrej Nemec <anemec(a)redhat.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Depends On| |1501840, 1501838, 1501839,
| |1501841
--- Comment #9 from Andrej Nemec <anemec(a)redhat.com> ---
Created lucene tracking bugs for this issue:
Affects: fedora-all [bug 1501838]
Created lucene3 tracking bugs for this issue:
Affects: fedora-all [bug 1501840]
Created lucene4 tracking bugs for this issue:
Affects: fedora-all [bug 1501841]
Created solr3 tracking bugs for this issue:
Affects: fedora-all [bug 1501839]
Referenced Bugs:
https://bugzilla.redhat.com/show_bug.cgi?id=1501838
[Bug 1501838] CVE-2017-12629 lucene: Solr: Code execution via entity
expansion [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1501839
[Bug 1501839] CVE-2017-12629 solr3: Solr: Code execution via entity
expansion [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1501840
[Bug 1501840] CVE-2017-12629 lucene3: Solr: Code execution via entity
expansion [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1501841
[Bug 1501841] CVE-2017-12629 lucene4: Solr: Code execution via entity
expansion [fedora-all]
--
You are receiving this mail because:
You are on the CC list for the bug.
https://bugzilla.redhat.com/show_bug.cgi?id=1501529
Clifford Perry <cperry(a)redhat.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |cperry(a)redhat.com
--
You are receiving this mail because:
You are on the CC list for the bug.