Update VEX file with false positives#173
Open
janhoy wants to merge 1 commit into
Open
Conversation
ppkarwasz
reviewed
Apr 24, 2026
| "analysis": { | ||
| "state": "not_affected", | ||
| "justification": "requires_configuration", | ||
| "detail": "All five CVEs require non-default Log4j layout or appender configurations that Solr does not use. CVE-2026-34480 affects XmlLayout (Solr uses PatternLayout). CVE-2026-34478 affects Rfc5424Layout with TCP/TLS syslog framing (Solr does not configure a SyslogAppender with TCP framing). CVE-2026-34477 is an incomplete fix for SSL hostname verification in SMTP/Socket/Syslog appenders — Solr does not configure these appenders with TLS. CVE-2026-34479 affects Log4j1XmlLayout in the 1.x bridge (Solr does not use Log4j 1.x XML layout). CVE-2026-34481 affects JsonTemplateLayout when logging MapMessage with attacker-controlled floating-point values — Solr does not use JsonTemplateLayout. Solr's default log configuration uses PatternLayout and does not include any of the affected appender/layout types." |
Member
There was a problem hiding this comment.
Confirmed: these vulnerabilities impact a very small number of users and Solr is not one of them.
I will run the VEX Generator for the remaining ones in the weekend, but the explanations look plausible.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
LLM generated, please review.
I tasked Claude Code with running
docker scoutand analyzing each CVE for exploitability in Solr 10.0. For each CVE that the LLM is fairly certain is a false positive, I told it to update the VEX file. This PR is the result.