Update VEX file with false positives #173
| "analysis": { | ||
| "state": "not_affected", | ||
| "justification": "requires_configuration", | ||
| "detail": "All five CVEs require non-default Log4j layout or appender configurations that Solr does not use. CVE-2026-34480 affects XmlLayout (Solr uses PatternLayout). CVE-2026-34478 affects Rfc5424Layout with TCP/TLS syslog framing (Solr does not configure a SyslogAppender with TCP framing). CVE-2026-34477 is an incomplete fix for SSL hostname verification in SMTP/Socket/Syslog appenders — Solr does not configure these appenders with TLS. CVE-2026-34479 affects Log4j1XmlLayout in the 1.x bridge (Solr does not use Log4j 1.x XML layout). CVE-2026-34481 affects JsonTemplateLayout when logging MapMessage with attacker-controlled floating-point values — Solr does not use JsonTemplateLayout. Solr's default log configuration uses PatternLayout and does not include any of the affected appender/layout types." |
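Review bot: the `detail` string scopes the argument to the default configuration ("Solr's default log configuration uses PatternLayout and does not include any of the affected appender/layout types"), but a `not_affected` state with `requires_configuration` will be consumed by downstream scanners as a statement about the shipped product as a whole; suggest adding one sentence to `detail` saying explicitly that a deployment whose customized log4j2.xml enables XmlLayout, JsonTemplateLayout, Log4j1XmlLayout, Rfc5424Layout with TCP/TLS syslog framing, or the SMTP/Socket/Syslog appenders over TLS falls outside this analysis, so operators know which settings to re-check. Minor wording point in the same string: "CVE-2026-34477 is an incomplete fix for SSL hostname verification" reads as if the CVE were the fix; "CVE-2026-34477 covers an incomplete fix for SSL hostname verification" says what is meant.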
Confirmed: these vulnerabilities impact a very small number of users and Solr is not one of them.
I will run the VEX Generator for the remaining ones in the weekend, but the explanations look plausible.
@janhoy I updated the justification to match our CycloneDX choices. @ppkarwasz I think you validated the change, so I think this could be merged?
Should this be run for Solr 9.8 or 9.10?
I only double-checked the Log4j Core vulnerabilities in an IDE, but the rest also looks plausible.
This PR is now pretty out of date with the other changes... @janhoy if you think the vex entries that turned up make sense, I'd volunteer to at least get those entries from |
LLM generated, please review.
I tasked Claude Code with running `docker scout` and analyzing each CVE for exploitability in Solr 10.0. For each CVE that the LLM is fairly certain is a false positive, I told it to update the VEX file. This PR is the result.