The most important feature of any software running today is that it can be
run at all. Security vulnerabilities can preclude software from running in
enterprise environments. Today software must be free of critical and severe
security vulnerabilities or they can't be run at all from Information
Security policies. Enterprises today run security scan software to check
for security and licensing vulnerabilities because today most organizations
are using open source software where this has become most relevant.
Forrester has a good summary on the need for software composition analysis
tools which virtually all enterprises run today befor allowing software to
run in production environments:

Solr version 6.5 passes security scans showing no critical security
issues.  Solr version 7 fails security scans with over a dozen critical and
severe security vulnerabilities for Solr version from 7.1.  Then we ran
scans against the latest Solr version 7.6 which failed as well.  Most of
the issues are due to using old libraries including the JSON Jackson
framework, Dom 4j and Xerces and should be easy to bring up to date. Only
the latest version of SimpleXML has severe security vulnerabilities. Derby
leads the most severe security violations at Level 9.1 by using an out of
date version.

What good is software or any features if enterprises can't run them?
Today software cybersecurity is a top priority and risk for enterprises.
Solr version 6.5 is very old exposing the zookeeper backend from the SolrJ
client which is a differentiating capability.

Is security and remediation a priority for SolrJ?  I believe this should be
a top feature to allow SolrJ to continue providing search features to
enterprises and a security roadmap and plan to keep Solr secure and usable
by continually adapting and improving in the ever changing security
landscape and ecosystem.  The Darby vulnerability issue CVE-2015-1832 was a
passing medium Level 6.2  issue in CVSS 2.0 last year but is the most
critical issue with Solr 7.6 at Level 9.1 in this year's CVSS 3.0.  These
changes need to be tracked and updates and fixes incorporated into new Solr

On Thu, Jan 3, 2019 at 12:19 PM Bob Hathaway <[EMAIL PROTECTED]> wrote: