Participant
April 8, 2022
Answered

Upgrade or patch for SOLR in ColdFusion 2021 to current


Receiving vulnerability scan issue with SOLR version in ColdFusion 2022.  Seems to be 5. version and current version is SOLR 8.11

Is there a way to upgrade, or will Adobe add it to the next CF hotfix?

scan shows

Apache Solr < 8.4.0 Remote Code Execution

    Correct answer (Priyank Shrivastava):

    Our path will be to uninstall the "Add on services" as this particular instance does not make use of Solr.


    @ccsimmons_FAVER Have you visited this article? https://helpx.adobe.com/coldfusion/kb/upgrade-solr-security-coldfusion.html

    4 replies

    Participant
    April 11, 2022

    OK, thanks, but it would be nice if Adobe offered integrated add-ons that are reasonably current, so the vulnerability scans do not show the components getting close to out of support, at least in the current major release level. I initially just needed to deal with a security scan requesting that we patch to current release level 8.4 or newer. I just wanted to know if there was an option: since it runs as an add-on, I did not know if there were different patching options outside the 'hotfix' process.

    Charlie Arehart
    Community Expert
    April 12, 2022

    Understood, John. And it's indeed unfortunate that Adobe has been silent on this thread, as only they can fix the engine as offered.

    But you go on to say, "Just wanted to know if there was an option", and I offered you many, whether you want to keep and update or get rid of the features. Will you be trying any of them, or do you still feel at a loss on how best to proceed?

    If the latter, please elaborate. As you can tell, I am trying sincerely to not leave you hanging. And you're not alone in the challenge, so others will be watching this thread, now or in the future. 

    /Charlie (troubleshooter, carehart.org)
    Todd in Italy
    Inspiring
    September 13, 2023

    Charlie,

    Thanks for explaining the options here. Our app doesn't use SOLR. Usually we just deselect it when installing CF. I have one test server that got it by mistake and I want to remove it. Will running uninstall on "Add-on Services" remove SOLR and only SOLR? I am just concerned that it may remove more than intended. Alternatively is there a way to remove it using cfpm.bat? My installed package list doesn't show anything that looks like SOLR.

    Thanks,

    Todd

    BKBK
    Community Expert
    April 11, 2022

    Receiving vulnerability scan issue with SOLR version in ColdFusion 2022.  Seems to be 5. version and current version is SOLR 8.11

    ...

    scan shows

    Apache Solr < 8.4.0 Remote Code Execution

    By @johnthomas11797098

    The current SOLR version is 8.11.1. The version you mention, 8.11, has itself been found to be vulnerable. See Solr Security News.

    Is there a way to upgrade or will Adobe add it to next CF hotfix

    By @johnthomas11797098

    The way I see it, Adobe's ColdFusion Team is best placed to answer that. So I shall not comment, except to make a suggestion to fellow developers.

    If you follow the above Solr link, you will see the mitigation strategy recommended for the vulnerability identified in each of the latest Solr versions. Implementing one or more of these - if and where possible - might just be sufficient in your case.

    Charlie Arehart
    Community Expert
    April 11, 2022

    BKBK, can you please clarify if you are stating things in CONTRAST to what I said above, or simply without any regard to it? It's unclear and may help others trying to follow along with our mutual attempts to help here.

    /Charlie (troubleshooter, carehart.org)
    BKBK
    Community Expert
    April 12, 2022

    BKBK, can you please clarify if you are stating things in CONTRAST to what I said above, or simply without any regard to it?

    By @Charlie Arehart

    Neither. What I said is clear enough, I would imagine: "The way I see it, Adobe's ColdFusion Team is best placed to answer that. So I shall not comment, except to make a suggestion to fellow developers."

    BKBK
    Community Expert
    April 11, 2022

    Receiving vulnerability scan issue with SOLR version in ColdFusion 2022. ...

    By @johnthomas11797098

    Just to be sure, do you mean ColdFusion 2021?

    Charlie Arehart
    Community Expert
    April 11, 2022

    Note that he says 2021 in the subject.

    Do either of you have a comment on all that I offered in reply, that day he asked? 

    /Charlie (troubleshooter, carehart.org)
    Charlie Arehart
    Community Expert
    April 8, 2022

    While not an official answer (let's hope you may hear one here), I'll share what I've shared to clients who have asked me this directly:

    1) First, I'm afraid there is not a current solution for us to update the Solr engine implemented by Adobe in the CF Add-on service. We must wait for them, though removing the feature entirely is an option for some, and implementing an updated Solr separately may be an option for others. Let me elaborate on those.

    This is one of those things (like the Tomcat underlying CF) where it seems we can't do an update ourselves, as the integration in CF is so tight that there's no obvious way to update what they provide. And even if we may hack it out of desperation (or install a new version of our own and try to delete their old one), we can't know what may break in the CF integration with that thing.

    And it's not just that we need to update it for the sake of the Solr version, but also because the implementation of this "CF add-on service" (which provides that built-in CF implementation of Solr as well as support for the CFHTMLtoPDF tag, new in CF11) happens to still have a log4j 1.x jar that was NOT corrected in the Dec updates to CF2021 and 2018. [Update in 2023: that was finally fixed in CF updates in 2022.]

    All this is not a good place to be as a server admin when you have sec teams breathing down your neck. So what to do?

    2) Well again we can hope that some CF update may address this need to keep Solr updated (as well as the need of a Tomcat update, which should get flagged by your sec people also). Sadly, as you can see it's been a long time since the Solr embedded with CF was updated. But again I'd hope that both the log4j issue AND what you point out may motivate them to get on the stick about such an update.

    3) Next, if you don't USE the CF Solr feature, then you could of course REMOVE the CF add-on service. While it can be installed either with the CF installer itself or its own (CF Addon service installer), either will set up an uninstall capability, so that it could be removed.

    As for knowing whether your code leverages the features that the add-on service adds, you could certainly try to search your code base for references to the tags/script statements related to CF's Solr support (cfsearch, cfindex, and cfcollection) or that cfhtmltopdf tag (added in CF11). Better still, those with CF2021 could also use its new cfpm command-line tool, which has a feature to "scan" your code and identify what CF packages/modules you need. If you did that and it reported no need of the "search" or "htmltopdf" modules, then you could remove that CF add-on service.

    4) Finally, it's worth noting that one CAN install their OWN implementation of Solr. Note that the CF Admin page for Solr (like the CF Admin page for PDF services) lets you point to any Solr engine on any server/port.

    Beware if you DO point CF to a newer Solr engine there's no guarantee from Adobe that your cfsearch/cfindex/cfcollection code will work fine--at least not until THEY implement a new version for us. But I'm just saying it's an option worth trying before giving up all hope.

    Also, one can switch from using those CF tags to instead using cfhttp to call the Solr engine, since those tags all result in an http call to the Solr engine. And you may HAVE to if CF can no longer call to a newer Solr engine you may implement. I can help those interested in pursuing that, both in seeing what CF generates (it's logged by the Solr/Jetty implementation), and even in seeing how you could use this capability to do even MORE powerful things than the CF tags alone, especially cfsearch, offer.

    5) And of course, if what I offer here does not suffice or they don't respond here, you could file a ticket at tracker.adobe.com. I can confirm I did a search for Solr in either the title or description and see none since July 2021. If you do open one, add a link to the ticket here, for others to follow along, vote, etc. Or you can send an email to cfsup@adobe.com.

    Either way, do be specific about what minimum Solr update you need them to be at to pass the scans. And don't presume others have already reported it. Too many take that stance and only mutter about things lacking in CF. As the saying goes, it's better to light one candle than to curse the darkness.

    /Charlie (troubleshooter, carehart.org)
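Point 3 of the reply above suggests searching the code base for the tags the Add-on Services package provides before deciding to uninstall it. The following is an added example, not code from this thread, from Adobe or from cfpm: a small Python scanner that walks a directory of .cfm/.cfc files, reports which of cfsearch, cfindex, cfcollection and cfhtmltopdf each file references (tag form and script form, ignoring block-commented code), and maps the hits back to the "search" and "htmltopdf" module names the reply mentions. The sample files it scans are constructed inline; the file-extension list and the module grouping are assumptions, and it is a text search rather than a CFML parser, so a tag name inside a string literal would also count as a hit.

```python
import os
import re
import tempfile

# Tags/functions supplied by the CF Add-on Services package, grouped by the
# cfpm module names mentioned in the thread. Grouping is an assumption.
ADDON_FEATURES = {
    "search": ("cfsearch", "cfindex", "cfcollection"),
    "htmltopdf": ("cfhtmltopdf",),
}
CF_EXTENSIONS = (".cfm", ".cfc", ".cfml")  # assumed extension list

# Block comments are removed first so a commented-out <cfsearch> does not
# count as a live dependency. Line comments ("//") are left alone because
# the same two characters appear inside URLs.
_COMMENT_RE = re.compile(r"<!---.*?--->|/\*.*?\*/", re.DOTALL)

# One pattern per tag: tag form "<cfsearch ...>" or script form "cfsearch(".
_TAG_RES = {
    tag: re.compile(r"<\s*" + tag + r"\b|\b" + tag + r"\s*\(", re.IGNORECASE)
    for tags in ADDON_FEATURES.values() for tag in tags
}


def scan_source(text):
    """Return the set of add-on tags referenced in one file's source."""
    code = _COMMENT_RE.sub("", text)
    return {tag for tag, rx in _TAG_RES.items() if rx.search(code)}


def scan_tree(root):
    """Walk a code base; return {relative path: sorted tags} for files with hits."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(CF_EXTENSIONS):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                found = scan_source(fh.read())
            if found:
                hits[os.path.relpath(path, root)] = sorted(found)
    return hits


def modules_needed(hits):
    """Map the tags found back to the add-on modules that must stay installed."""
    needed = set()
    for tags in hits.values():
        for module, module_tags in ADDON_FEATURES.items():
            if any(t in module_tags for t in tags):
                needed.add(module)
    return needed


def build_sample_tree():
    """Constructed sample code base (not real application code) for a dry run."""
    root = tempfile.mkdtemp(prefix="cf_scan_")
    samples = {
        # live tag-form use of the Solr search feature
        "search.cfm": '<cfsearch name="r" collection="docs" criteria="#form.q#">\n',
        # live script-form use of the PDF feature
        "report.cfc": 'component {\n  function pdf() {\n'
                      '    cfhtmltopdf(destination="/tmp/r.pdf") { writeOutput("hi"); }\n'
                      '  }\n}\n',
        # commented-out reference only: must not count
        "legacy.cfm": '<!--- <cfindex collection="docs" action="update"> --->\n'
                      '<cfoutput>#now()#</cfoutput>\n',
        # non-CFML file: skipped by extension
        "notes.txt": "<cfsearch> mentioned in docs only\n",
    }
    for name, body in samples.items():
        with open(os.path.join(root, name), "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    results = scan_tree(sample_root)
    for rel_path, tags in sorted(results.items()):
        print(f"{rel_path}: {', '.join(tags)}")
    modules = modules_needed(results)
    print("add-on modules still required:",
          ", ".join(sorted(modules)) or "none (uninstall is an option)")
```

Run it as a script to see the report on the constructed sample tree, or call scan_tree() on a real webroot. An empty result is the case the reply describes as safe to remove the add-on service; where only commented-out or string-literal references turn up, confirm with cfpm's scan feature on CF2021 rather than relying on a grep-level result.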