Security patch available for api-gateway: Netty request smuggling vulnerabilities

A patch is available for the api-gateway service to address critical Netty request smuggling vulnerabilities (CVE-2026-42581, CVE-2026-42585, CVE-2026-42587). These vulnerabilities allow attackers to smuggle HTTP requests through the gateway, potentially bypassing security controls.
Instructions for applying the patch
The api-gateway service requires the Netty security patch. Follow these steps to apply the patched image:
- Open your Fusion Helm values file.
- Add or update the api-gateway image configuration:
- Save the values file.
- For Fusion Cloud Native deployments, run the upgrade_fusion.sh script you used for your current deployment. For Helm deployments, run:
  Replace NAMESPACE with your Kubernetes namespace, RELEASE_NAME with your Helm release name, and PATH_TO_VALUES with the path to your updated values file.
- Wait for the api-gateway pods to restart and verify they are using the patched image.
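One way to perform the final verification step, as an added example that is not part of the Lucidworks release notes: list the image each api-gateway pod is running and fail if any pod is still on an unpatched image. The pod label selector and the image names are assumptions; substitute the values from your own values file.

```shell
#!/bin/sh
# Added example, not Lucidworks code. Assumes api-gateway pods carry the label
# app.kubernetes.io/component=api-gateway (adjust the selector if yours differ).

# Prints one "pod image" line per api-gateway pod in the given namespace.
list_gateway_images() {
  ns="$1"
  kubectl get pods -n "$ns" -l app.kubernetes.io/component=api-gateway \
    -o jsonpath='{range .items[*]}{.metadata.name}{" "}{.spec.containers[0].image}{"\n"}{end}'
}

# Reads "pod image" lines on stdin. Returns 0 only when every pod runs the
# expected (patched) image, 1 if any pod is still on another image, and 2 if
# no pods were listed at all (a silent "nothing to check" is also a failure).
check_patched_image() {
  expected="$1"
  bad=0
  total=0
  while read -r pod image; do
    [ -z "$pod" ] && continue
    total=$((total + 1))
    if [ "$image" != "$expected" ]; then
      echo "NOT PATCHED: $pod runs $image (expected $expected)"
      bad=$((bad + 1))
    fi
  done
  [ "$total" -gt 0 ] || { echo "no api-gateway pods found"; return 2; }
  [ "$bad" -eq 0 ]
}

# Usage against a live cluster (placeholders, not real values):
#   list_gateway_images NAMESPACE | check_patched_image REGISTRY/api-gateway:PATCHED_TAG
```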
Platform Support and Component Versions
Kubernetes platform support
Lucidworks has tested and validated support for the following Kubernetes platforms and versions:
- Google Kubernetes Engine (GKE): 1.27
- Microsoft Azure Kubernetes Service (AKS): 1.27
- Amazon Elastic Kubernetes Service (EKS): 1.27
Component versions
The following table details the versions of key components that may be critical to deployments and upgrades.

| Component | Version |
|---|---|
| Solr | fusion-solr 5.9.1 (based on Solr 9.1.1) |
| ZooKeeper | 3.7.1 |
| Spark | 3.2.2 |
| Ingress Controllers | Nginx, Ambassador (Envoy), GKE Ingress Controller. Istio is not supported. |
Improvements
- Fusion now supports Kubernetes 1.27. This applies to GKE, AKS, and EKS. It also applies to Rancher (RKE) and OpenShift 4 versions that are compatible with Kubernetes 1.27. Refer to Kubernetes documentation for version 1.27.
- Query service replica scaling has been improved.
Fusion Connectors
- Updated the Web V1 (classic) connector library to resolve issues with certain JavaScript-enabled web pages. While Fusion was not vulnerable to the Common Vulnerabilities and Exposures entry CVE-2023-4863, the connector update also allowed Lucidworks to acknowledge and resolve that publicly reported CVE.
Bug Fixes
- The connectors-backend service no longer fails to start when deploying to OpenShift 4.12.
- Fixed an issue where the Transport Layer Security (TLS) for Fusion Microservices could not be enabled and used.
Known issues
- New Kerberos security realms cannot be configured successfully in this version of Fusion.