Posted to issues@solr.apache.org by "Hariprasad T (Jira)" <ji...@apache.org> on 2022/11/04 04:49:00 UTC

[jira] [Updated] (SOLR-16520) Apache Solr Remote Code Execution Vulnerability

     [ https://issues.apache.org/jira/browse/SOLR-16520?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Hariprasad T updated SOLR-16520:
--------------------------------
    Security: Public  (was: Private (Security Issue))

> Apache Solr Remote Code Execution Vulnerability
> -----------------------------------------------
>
>                 Key: SOLR-16520
>                 URL: https://issues.apache.org/jira/browse/SOLR-16520
>             Project: Solr
>          Issue Type: Task
>      Security Level: Public(Default Security Level. Issues are Public) 
>            Reporter: Hariprasad T
>            Priority: Major
>
> Hi Team,
> We have a Sitecore project, version 9.3, and we are using Solr 8.1.1 on Windows. The vulnerability "Apache Solr Remote Code Execution Vulnerability" has impacted a few of our servers. Below are the patch fixes suggested by Solr for this vulnerability.
> *Ref:* SOLR-13971  -CVE-2019-17558 
> *URL:* [https://solr.apache.org/security.html#cve-2019-17558-apache-solr-rce-through-velocityresponsewriter]
> *Impacted Servers:*
> Many servers like TST, STG, Prod.
> *Mitigation:*
> *(a) params.resource.loader.enabled by defining a response writer with that setting set to true:*
> We have tried this, but unfortunately it's not working. Please suggest any other fix or let me know why it is not working.
> *(b)* *Ensure your network settings are configured so that only trusted traffic communicates with Solr, especially to the configuration APIs [https://solr.apache.org/guide/solr/latest/deployment-guide/securing-solr.html]*
>   *(i) Authentication and Authorization* 
>   *(ii) IP Access Control*
> We have checked these files and they are not available in our project's Solr version 8.1.1. Please advise.
> Thanks in advance!!
> Regards,
> Hariprasad T



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
