Posted to users@solr.apache.org by hari prasad <ha...@gmail.com> on 2022/10/20 08:56:01 UTC

Apache Solr Remote Code Execution Vulnerability

Hi All,

We have a Sitecore project and we are using Windows Solr (solr-version 8.1.1). We have been asked to fix the below vulnerability in our server.

Vulnerability name: Apache Solr Remote Code Execution Vulnerability.

And this is the patch fix Solr-13971 given by the team.

Could anyone suggest how we can execute the patch fix on our impacted server, or please suggest any other fix to resolve the vulnerability? Thanks in advance!


Thanks & Regards,
Hariprasad T

Re: Apache Solr Remote Code Execution Vulnerability

Posted by Jan Høydahl <ja...@cominvent.com>.
Hi,

You may not be vulnerable if none of your configs use Velocity (the "/browse" handler). However, you have several choices:

* Remove the contrib/velocity folder on your Solr install
* Upgrade Solr servers to at least 8.4

Our general recommendation would be to attempt an upgrade on your test environment to Solr 8.11.2 which is the latest 8.x release.
That will also fix the log4shell and other vulnerabilities. In general you want to stay on latest patch version all the time.

It should be possible to simply stop the node, unpack the new version (keeping your SOLR_HOME untouched) and start.

Jan
