SearchStax Solr Deployments Are Not Vulnerable to CVE-2022-42889 and CVE-2022-33980

Product Announcement - SearchStax Cloud CVE-2022-42889 and CVE-2022-33980

If you follow Apache Software Foundation community news, you may have seen that two critical Common Vulnerabilities and Exposures (CVEs) were recently published in the National Vulnerability Database (NVD).

The CVEs are CVE-2022-42889 and CVE-2022-33980, and both have a severity score of 9.8. We want to let our SearchStax Cloud customers know that SearchStax Solr deployments are not vulnerable to either of these CVEs.

If you are interested in learning more about these CVEs, here is a brief description and links to further information.

CVE-2022-42889 – Apache Commons-Text Libraries

CVE-2022-42889 affects the Apache commons-text libraries from 1.5 to 1.10.0. The Solr Security Scanning Tools site reports that Solr uses commons-text directly in LoadAdminUiServlet, which is not vulnerable. Solr’s “hadoop-auth” module also uses commons-text.

SearchStax Solr deployments do not use this Hadoop Authorization Module and are not vulnerable to CVE-2022-42889.

CVE-2022-33980 – Apache Commons Configuration Libraries

The other vulnerability, CVE-2022-33980, affects the Apache commons-configuration libraries 2.4 through 2.7. Solr uses commons-configuration2 for “hadoop-auth” only, as again reported by the Solr Security Scanning Tools site.

SearchStax Solr deployments do not use this Hadoop Authorization Module and are not vulnerable to CVE-2022-33980.


If you are a SearchStax customer and have any further questions, please contact your Customer Success manager.