Posted to issues@lucene.apache.org by "Robert Muir (Jira)" <ji...@apache.org> on 2019/12/02 09:51:00 UTC

[jira] [Commented] (SOLR-13978) Remove bloat from default configset

    [ https://issues.apache.org/jira/browse/SOLR-13978?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16985936#comment-16985936 ] 

Robert Muir commented on SOLR-13978:
------------------------------------

according to the email sent to users:

{quote}
This vulnerability is only available to attackers if these conditions are
in place:

1. You have not disabled the Config API, or do not restrict access to the
Config API via authentication/authorization settings
2. You allow connections to Solr APIs from outside your firewall

You can mitigate this vulnerability right now by setting the system
parameter “-Ddisable.configEdit=true” and restarting Solr. If you already
have secured Solr behind a firewall and you have authentication for all
users in place, then we believe your risk of this bug is very low. If you
don’t use the Config API, we’d recommend disabling it even if you have a
firewall and authentication in place.
{quote}

This is backwards: dangerous stuff shouldn't be enabled by default with the onus on the user to disable it. Can we disable this Config API by default here too?

> Remove bloat from default configset
> -----------------------------------
>
>                 Key: SOLR-13978
>                 URL: https://issues.apache.org/jira/browse/SOLR-13978
>             Project: Solr
>          Issue Type: Improvement
>      Security Level: Public(Default Security Level. Issues are Public) 
>            Reporter: Ishan Chattopadhyaya
>            Priority: Blocker
>             Fix For: 8.4
>
>
> We need to review and remove all components that are not essential for search, indexing and other core functionality. Velocity, DIH, etc. should be reviewed.
> (Marking this as a 8.4 release blocker).
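The mitigation quoted above is a single JVM system property. The following is an added example, not part of this thread or of the Solr project's own scripts, showing how an operator might apply that property idempotently to a Solr include script and audit whether it is set. The file layout (a `bin/solr.in.sh`-style script that builds `SOLR_OPTS`) and the sample content are assumptions constructed for the example; it only edits a file and does not talk to a running Solr.

```shell
#!/bin/sh
# Added example (not from the Jira thread): apply and audit the
# -Ddisable.configEdit=true mitigation in a Solr include script.

# Write a constructed sample include script to the given path.
# The content is made up for this example and does not come from any deployment.
make_sample_solr_in() {
  cat > "$1" <<'EOF'
# constructed sample solr.in.sh
SOLR_HEAP="512m"
SOLR_OPTS="$SOLR_OPTS -Dsolr.autoSoftCommit.maxTime=3000"
EOF
}

# Return 0 if an uncommented line in the file sets disable.configEdit=true,
# 1 otherwise. Lines that are commented out do not count.
config_edit_disabled() {
  grep -Eq '^[^#]*-Ddisable\.configEdit=true' "$1"
}

# Append the hardening line only when it is missing, so repeated runs
# (e.g. from configuration management) do not duplicate it.
disable_config_edit() {
  if config_edit_disabled "$1"; then
    return 0
  fi
  printf '%s\n' 'SOLR_OPTS="$SOLR_OPTS -Ddisable.configEdit=true"' >> "$1"
}

# Print "disabled" or "enabled" so the result can be used in audit scripts.
audit_config_edit() {
  if config_edit_disabled "$1"; then
    echo disabled
  else
    echo enabled
  fi
}

# Example run: create the sample file, audit, harden, audit again.
# Path is an assumption; point it at the real include script in practice.
demo() {
  f=$(mktemp)
  make_sample_solr_in "$f"
  echo "before: $(audit_config_edit "$f")"
  disable_config_edit "$f"
  echo "after:  $(audit_config_edit "$f")"
  rm -f "$f"
}
```

Setting the property only takes effect after Solr is restarted, which the quoted advisory also notes; the audit function checks the file, not the running JVM.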


