Posted to issues@solr.apache.org by "Hariprasad T (Jira)" <ji...@apache.org> on 2022/11/09 11:21:00 UTC
[jira] [Created] (SOLR-16537) Apache Solr Remote Code Execution Vulnerability
Hariprasad T created SOLR-16537:
-----------------------------------
Summary: Apache Solr Remote Code Execution Vulnerability
Key: SOLR-16537
URL: https://issues.apache.org/jira/browse/SOLR-16537
Project: Solr
Issue Type: Task
Security Level: Public (Default Security Level. Issues are Public)
Reporter: Hariprasad T
We have a Sitecore project on version 9.3 and we are using Solr 8.1.1 on Windows. The vulnerability "Apache Solr Remote Code Execution Vulnerability" affects a few of our servers. Below is the fix suggested by Solr for this vulnerability.
*Ref:* SOLR-13971 - CVE-2019-17558
*URL:* [https://solr.apache.org/security.html#cve-2019-17558-apache-solr-rce-through-velocityresponsewriter]
*Impacted Servers:*
Many servers like TST, STG, Prod.
*Mitigation:*
*(a) Ensure your network settings are configured so that only trusted traffic communicates with Solr, especially to the configuration APIs:* https://solr.apache.org/guide/solr/latest/deployment-guide/securing-solr.html
*(i) Authentication and Authorization*
We don't have this file in our project's Solr version 8.1.1. Please check and let us know where we can find this file Security.json. Please advise.
*(ii) IP Access Control*
Restrict network access to specific hosts, by setting SOLR_IP_ALLOWLIST/SOLR_IP_DENYLIST via environment variables or in solr.in.sh/solr.in.cmd.
We don't have this attribute in the above files. Please advise.
Or it would be great if you could suggest any other solution to fix this vulnerability.
Thanks in advance!
Regards,
Hariprasad T
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
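
The check behind mitigation (ii), as an added example that is not part of the original message or of Solr itself: it reports whether SOLR_IP_ALLOWLIST / SOLR_IP_DENYLIST are actually set (uncommented and non-empty) in the text of a solr.in.sh or solr.in.cmd file. The variable names are taken from the message as written; the file contents and the SOLR_JAVA_MEM line are constructed samples, and the function names are hypothetical.

```python
import re

# Variable names as written in the mitigation text of the message.
IP_VARS = ("SOLR_IP_ALLOWLIST", "SOLR_IP_DENYLIST")
# solr.in.sh syntax: optional "export", NAME=value; '#' starts a comment line.
SH_LINE = re.compile(r'^\s*(?:export\s+)?(\w+)=(.*)$')
# solr.in.cmd syntax: set NAME=value or set "NAME=value"; REM and :: are comments.
CMD_LINE = re.compile(r'^\s*@?set\s+"?(\w+)=(.*)$', re.IGNORECASE)
CMD_COMMENT = re.compile(r'^\s*@?(?:rem\b|::)', re.IGNORECASE)

# Constructed sample files (not taken from any real installation).
SAMPLE_CMD = """\
@echo off
REM set SOLR_IP_ALLOWLIST=127.0.0.1
set SOLR_JAVA_MEM=-Xms512m -Xmx512m
set SOLR_IP_DENYLIST=
"""
SAMPLE_SH = """\
#SOLR_IP_DENYLIST="192.168.0.3"
SOLR_IP_ALLOWLIST="127.0.0.1, 192.168.0.0/24"
"""


def active_settings(text, flavor):
    """Return {name: value} for uncommented, non-empty assignments.

    flavor is "cmd" for solr.in.cmd and "sh" for solr.in.sh.
    Trailing inline comments after a value are not handled.
    """
    found = {}
    for line in text.splitlines():
        if flavor == "cmd":
            if CMD_COMMENT.match(line):
                continue  # commented-out template line: has no effect
            m = CMD_LINE.match(line)
        else:
            if line.lstrip().startswith("#"):
                continue
            m = SH_LINE.match(line)
        if m:
            value = m.group(2).strip().strip('"\'')
            if value:  # "set NAME=" leaves the variable unset
                found[m.group(1)] = value
    return found


def ip_access_report(text, flavor):
    """Map each IP access-control variable to its value, or None if unset."""
    settings = active_settings(text, flavor)
    return {name: settings.get(name) for name in IP_VARS}


if __name__ == "__main__":
    print("solr.in.cmd:", ip_access_report(SAMPLE_CMD, "cmd"))
    print("solr.in.sh: ", ip_access_report(SAMPLE_SH, "sh"))
```

A result of None for both variables matches the situation described in the message: the attribute is absent or only present as a commented-out line.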