Is cPanel & WHM affected by CVE-2019-12384 [Solr]?

Moon Wang

Registered
Jul 24, 2019
3
0
1
Australia
cPanel Access Level
Root Administrator
Hi,

Just for anyone who has the same concern. This only relates to the system plug-in: Full Text Search Indexing for IMAP powered by Apache Solr.

Once uninstalled, the used libraries including Faster XML will be removed.

Hope it helps.
 

cPanelMichael

Technical Support Community Manager
Staff member
Apr 11, 2011
47,749
2,205
363
cPanel Access Level
DataCenter Provider
Twitter
Hello Everyone,

I've opened internal case CPANEL-28548 to inquire about the impact of CVE-2019-12384 on servers running cPanel & WHM. I'll update this thread with more information as soon as it's available.

Thank you.
 

cPanelMichael

Hello Everyone,

We're tentatively planning to publish an update to the Solr RPM included with cPanel & WHM within the next week. I'll update this thread once the update is published.

Note that the functionality described in the security report is not utilized by default as part of the Full Text Search Indexing for IMAP powered by Apache Solr™ plugin offered with cPanel & WHM.

Thank you.
 

cPanelMichael

Hello Everyone,

CPANEL-28548 is now closed. Here's a paraphrased quote from this case explaining the reason why we are not patching the reported issue:

Fixes for CVEs such as CVE-2019-12384 are only possible in the current packaging scheme if the upstream Solr binaries include those fixes. In this case, the upstream 8.2.0 binaries do not include a newer version of the jackson-databind library. Flaws in the components (e.g. jackson-databind) that make up Solr fall outside the scope of issues we consider fixable because we are not packaging Solr. We are repackaging binaries that Solr produces and thus we depend on Solr updating the various components in these binaries.

Thank you.