Released on June 12, 2026, Fusion 5.17.2 is a patch release that delivers critical security updates to address vulnerabilities in the Netty framework that handles network communication.
Upgrade strongly recommended: While Lucidworks is not aware of any active exploitation, this update addresses security vulnerabilities that could potentially be exploited.
We strongly recommend upgrading to ensure continued security and platform stability.
Upgrading to the latest version of Fusion offers several key benefits:
- Access to latest features: Stay current with the latest features and capabilities to ensure compatibility and optimal performance.
- Simplified process: Fusion 5.9.5 and later use an in-place upgrade strategy, making upgrades easier than ever.
- Extended support: Upgrading keeps you up-to-date with the latest supported Kubernetes versions, as outlined in the Lucidworks Semantic Version Support Lifecycle policy.
For supported Kubernetes versions and key component versions, see Platform support and component versions.
Security updates
Security vulnerabilities in Netty resolved
- CVE-2026-44249
- CVE-2026-42577
- CVE-2026-42579
- CVE-2026-42581
- CVE-2026-42583
- CVE-2026-42584
- CVE-2026-42585
- CVE-2026-42587
- CVE-2026-45416
- CVE-2026-45674
- CVE-2026-47691
Prior to this release, Netty versions before 4.1.135.Final contained multiple security vulnerabilities affecting HTTP request processing, DNS resolution, and network connection handling, including request smuggling vulnerabilities.
These vulnerabilities could potentially be exploited to bypass security controls, hijack user sessions, or compromise data integrity.
These vulnerabilities are now resolved.
Fusion 5.17.2 updates Netty to version 4.1.135.Final, which addresses these security issues across multiple Netty components including HTTP/HTTP2 codecs, DNS resolver, transport layer, and connection handlers.
Upgrading to Fusion 5.17.2 protects your deployment against these vulnerabilities.
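One way to check a file listing for Netty jars older than the fixed 4.1.135.Final, added here as an example and not Lucidworks code. The paths are constructed and it assumes Netty ships as separately named `netty-*.jar` files; marking anything outside the 4.1 line as `review` is this example's choice, since the note gives a threshold only for 4.1.

```python
import re

# Fixed version named in the release note: Netty 4.1.135.Final.
FIXED = (4, 1, 135)

# netty-<module>-<major>.<minor>.<patch>.<qualifier>[-<classifier>].jar
# The qualifier (for example "Final") is matched but not compared.
JAR_RE = re.compile(
    r"(?:^|/)(netty-[a-z0-9-]+?)-(\d+)\.(\d+)\.(\d+)\.[A-Za-z0-9]+"
    r"(?:-[A-Za-z0-9_-]+)?\.jar$"
)


def classify(path):
    """Return (module, version, status) for a Netty jar path, else None."""
    m = JAR_RE.search(path)
    if m is None:
        return None
    module = m.group(1)
    version = tuple(int(part) for part in m.group(2, 3, 4))
    # netty-tcnative uses its own 2.0.x numbering, and the note gives a
    # threshold only for the 4.1 line, so anything else needs a manual look.
    if module.startswith("netty-tcnative") or version[:2] != FIXED[:2]:
        return module, version, "review"
    return module, version, "ok" if version >= FIXED else "outdated"


def audit(paths):
    """Group the Netty jars found in a file listing by status."""
    report = {"ok": [], "outdated": [], "review": []}
    for path in paths:
        result = classify(path)
        if result is not None:
            module, version, status = result
            report[status].append((module, ".".join(map(str, version))))
    return report


# Constructed listing, such as `find` output collected from a container image.
SAMPLE = [
    "app/lib/netty-codec-http-4.1.135.Final.jar",
    "app/lib/netty-codec-http2-4.1.118.Final.jar",
    "app/lib/netty-transport-native-epoll-4.1.100.Final-linux-x86_64.jar",
    "app/lib/netty-tcnative-boringssl-static-2.0.61.Final.jar",
    "app/lib/jackson-core-2.19.1.jar",
]

if __name__ == "__main__":
    for status, jars in audit(SAMPLE).items():
        print(status, jars)
```

Netty classes shaded into another jar do not appear under a `netty-*` file name, so a clean result here covers only unshaded jars.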
Known issues
Streaming mode indexing fails with unquoted character errors
The Jackson library upgrade (2.13.5 → 2.19.1) introduced stricter validation that affects indexing content in streaming mode.
The current implementation might fail with long requests that use a Transfer-Encoding: chunked header.
Below is an example of a failure message, though other messages are also possible:
Illegal unquoted character ((CTRL-CHAR, code 13)): has to be escaped using backslash to be included in name
As a workaround, divide your requests into batches and send each batch as a single request with a Content-Length header.
Lucidworks has tested and validated support for the following Kubernetes platforms and versions:
- Google Kubernetes Engine (GKE): 1.30, 1.31, 1.32, 1.33, 1.34, 1.35
- Microsoft Azure Kubernetes Service (AKS): 1.30, 1.31, 1.32, 1.33, 1.34, 1.35
- Amazon Elastic Kubernetes Service (EKS): 1.30, 1.31, 1.32, 1.33, 1.34, 1.35
Support is also offered for Rancher Kubernetes Engine (RKE and RKE2) and OpenShift 4 versions based on Kubernetes 1.30, 1.31, 1.32, 1.33, 1.34, 1.35.
Note that RKE2 may require some Helm chart modification.
OpenStack and customized Kubernetes installations aren’t supported.
For more information on Kubernetes version support, see the Kubernetes support policy.
Component versions
The following table details the versions of key components that may be critical to deployments and upgrades.
| Component | Version |
|---|---|
| Solr | fusion-solr 5.17.2 (based on Solr 9.6.1) |
| ZooKeeper | 3.9.1 |
| Spark | 3.4.1 |
| Ingress Controllers | Nginx, Ambassador (Envoy), GKE Ingress Controller |
| Ray | ray[serve] 2.46.0 |
| Helm | 4.1.1 |
For more information about support dates, see Lucidworks Semantic Version Support Lifecycle.