Posted to issues@solr.apache.org by "Hariprasad T (Jira)" <ji...@apache.org> on 2022/11/09 11:44:00 UTC

[jira] [Updated] (SOLR-16538) Apache Solr Remote Code Execution Vulnerability

     [ https://issues.apache.org/jira/browse/SOLR-16538?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Hariprasad T updated SOLR-16538:
--------------------------------
    Description: 
Hi Team,

We have a Sitecore project with version 9.3 and we are using Windows Solr 8.1.1. We have this vulnerability, "Apache Solr Remote Code Execution Vulnerability", impacting a few of our servers. Below are the patch fixes suggested by Solr for this vulnerability.

*Ref:* SOLR-14925 - CVE-2020-13957

*URL:* [https://solr.apache.org/security.html#cve-2021-27905-ssrf-vulnerability-with-the-replication-handler]

*Impacted Servers:*

Many servers like TST, STG, Prod.

*Mitigation:*

*(a) Disable UPLOAD command in ConfigSets API if not used by setting the system property: configset.upload.enabled to false (see docs)*

The above attribute is not available in our project's solr version 8.1.1. Please advise how to fix this vulnerability.

*(b) No Solr API, including the Admin UI, is designed to be exposed to non-trusted parties. Tune your firewall so that only trusted computers and people are allowed access - IP Access Control*

Restrict network access to specific hosts by setting SOLR_IP_ALLOWLIST/SOLR_IP_DENYLIST via environment variables or in solr.in.sh/solr.in.cmd *-* This attribute is not available in our project's Solr version 8.1.1. Please advise.

*(c) If upgrading is not an option, consider applying the patch in SOLR-14663*

The given patch fix is applicable to higher versions. Please advise.

It would be great if you can suggest any other solution to fix this vulnerability.

Thanks in advance!


Regards,

Hariprasad T

  was:
Hi Team,

We have a Sitecore project with version 9.3 and we are using Windows Solr 8.1.1. We have this vulnerability, "Apache Solr Remote Code Execution Vulnerability", impacting a few of our servers. Below are the patch fixes suggested by Solr for this vulnerability.

*Ref:* SOLR-14925 - CVE-2020-13957

*URL:* https://solr.apache.org/security.html#cve-2021-27905-ssrf-vulnerability-with-the-replication-handler

*Impacted Servers:*

Many servers like TST, STG, Prod.

*Mitigation:*

*(a) Disable UPLOAD command in ConfigSets API if not used by setting the system property: configset.upload.enabled to false (see docs)*

The above attribute is not available in our project's solr version 8.1.1. Please advise how to fix this vulnerability.

*(b) No Solr API, including the Admin UI, is designed to be exposed to non-trusted parties. Tune your firewall so that only trusted computers and people are allowed access - IP Access Control*

Restrict network access to specific hosts by setting SOLR_IP_ALLOWLIST/SOLR_IP_DENYLIST via environment variables or in solr.in.sh/solr.in.cmd *-* This attribute is not available in our project's Solr version 8.1.1. Please advise.

It would be great if you can suggest any other solution to fix this vulnerability.

Thanks in advance!


Regards,

Hariprasad T


> Apache Solr Remote Code Execution Vulnerability
> -----------------------------------------------
>
>                 Key: SOLR-16538
>                 URL: https://issues.apache.org/jira/browse/SOLR-16538
>             Project: Solr
>          Issue Type: Task
>      Security Level: Public(Default Security Level. Issues are Public) 
>            Reporter: Hariprasad T
>            Priority: Major
>

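As an added example (not from the issue, the reporter, or the Solr project), a small Python checker that reads a solr.in.sh or solr.in.cmd and reports whether the two settings named in mitigations (a) and (b) are present. It assumes a Solr release in which those settings exist (the issue notes they are absent from 8.1.1), and the two sample files embedded below are constructed for the demonstration.

```python
import re

# Constructed sample fragments (not from the issue) in solr.in.sh / solr.in.cmd syntax.
SAMPLE_SH = """
# solr.in.sh (constructed): both mitigations present
SOLR_OPTS="$SOLR_OPTS -Dsolr.autoSoftCommit.maxTime=3000"
SOLR_OPTS="$SOLR_OPTS -Dconfigset.upload.enabled=false"
SOLR_IP_ALLOWLIST="192.168.0.3, 10.0.0.0/24"
"""
SAMPLE_CMD = """
REM solr.in.cmd (constructed): neither mitigation applied
set SOLR_OPTS=%SOLR_OPTS% -Dsolr.autoSoftCommit.maxTime=3000
"""

# 'VAR=value' (sh, optionally prefixed with 'export'), or 'set VAR=value' (cmd)
ASSIGN = re.compile(r"(?i)^(?:set\s+|export\s+)?([A-Z_][A-Z0-9_]*)=(.*)$")

def assignments(text):
    """Yield (NAME, value) pairs, skipping comments and stripping sh quotes."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.upper().startswith("REM "):
            continue
        m = ASSIGN.match(line)
        if m:
            yield m.group(1).upper(), m.group(2).strip().strip('"').strip("'")

def audit(text):
    """Check for the two settings quoted in the issue: (a) ConfigSets UPLOAD
    disabled through SOLR_OPTS, (b) SOLR_IP_ALLOWLIST / SOLR_IP_DENYLIST set."""
    found = {"configset_upload_disabled": False, "ip_allowlist": [], "ip_denylist": []}
    for name, value in assignments(text):
        if name == "SOLR_OPTS" and re.search(r"-Dconfigset\.upload\.enabled=false\b", value):
            found["configset_upload_disabled"] = True
        elif name in ("SOLR_IP_ALLOWLIST", "SOLR_IP_DENYLIST"):
            key = "ip_allowlist" if name.endswith("ALLOWLIST") else "ip_denylist"
            found[key] = [v.strip() for v in value.split(",") if v.strip()]
    found["network_restricted"] = bool(found["ip_allowlist"] or found["ip_denylist"])
    return found

def missing_mitigations(text):
    """Mitigations, labelled as in the issue, that the file does not apply."""
    f = audit(text)
    gaps = []
    if not f["configset_upload_disabled"]:
        gaps.append("(a) configset.upload.enabled=false")
    if not f["network_restricted"]:
        gaps.append("(b) SOLR_IP_ALLOWLIST/SOLR_IP_DENYLIST")
    return gaps
```

Run `missing_mitigations(open("solr.in.sh").read())` against a real file; a setting present in the file only shows intent, so confirm the running JVM actually picked it up (for example via the Admin UI's Java properties page) before closing the finding.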


--
This message was sent by Atlassian Jira
(v8.20.10#820010)
