Posted to commits@lucene.apache.org by Apache Wiki <wi...@apache.org> on 2018/08/26 12:24:10 UTC

[Solr Wiki] Update of "SolrSecurity" by ShawnHeisey

Dear Wiki user,

You have subscribed to a wiki page or wiki category on "Solr Wiki" for change notification.

The "SolrSecurity" page has been changed by ShawnHeisey:
https://wiki.apache.org/solr/SolrSecurity?action=diff&rev1=50&rev2=51

Comment:
Added section about Tika vulnerabilities.

    <requestParsers enableRemoteStreaming="false" ... />
  }}}
  
+ == Indirect compromise through Tika vulnerabilities ==
+ 
+ One of the contrib modules that Solr includes is called SolrCell.  This module adds the Extracting Request Handler.  This component utilizes Apache Tika to parse rich documents like PDF and Microsoft Office and index the document contents into Solr.
+ 
+ The Tika software has had some security vulnerabilities.  It would be theoretically possible for an attacker to upload a specially crafted file to be processed by Tika running inside Solr, or to trick an administrator into uploading such a file, and in that way compromise the Solr install.
+ 
+ For reasons not related to security, it is strongly recommended that this contrib module is never used in production.  Tika can crash, and if such a crash happens in the SolrCell module, Solr will crash too.  If that advice is followed, it would be very difficult to utilize Tika vulnerabilities to compromise Solr.
+
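Review bot: the new section's only mitigation is "never use this contrib module in production", but it does not say what that means in practice, and a reader who already has the Extracting Request Handler configured will not know what to change. It should state concretely that the handler should be removed or left undefined in solrconfig.xml (the same file the `<requestParsers ...>` example above it lives in) and that document parsing should run in a separate process outside the Solr JVM, which is the natural conclusion of the crash argument in the last paragraph ("if such a crash happens in the SolrCell module, Solr will crash too"). It would also help to note that sites which do keep using SolrCell need to track Tika updates, since the section describes the vulnerabilities as historical without saying how they get fixed. Minor wording: "it is strongly recommended that this contrib module is never used" reads better as "never be used", and "theoretically possible" understates the risk for a feature whose whole purpose is to parse files supplied by users.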