Posted to issues@lucene.apache.org by GitBox <gi...@apache.org> on 2021/02/10 16:13:58 UTC

[GitHub] [lucene-solr] rhtham commented on pull request #1156: SOLR-13971: CVE-2019-17558: Velocity custom template RCE vulnerability

rhtham commented on pull request #1156:
URL: https://github.com/apache/lucene-solr/pull/1156#issuecomment-776824097


@chatman I am trying to figure out if the following is a mitigation step for CVE-2019-17558 on SOLR 6.1. None of our solrconfig.xml files contains the lib references to the velocity jar files as follows:

  <lib dir="${solr.install.dir:../../../..}/contrib/velocity/lib" regex=".*\.jar" />
  <lib dir="${solr.install.dir:../../../..}/dist/" regex="solr-velocity-\d.*\.jar" />

It doesn't appear that you can add these jar references using the config API. Without these references, you are not able to flip params.resource.loader.enabled to true using the config API. If you are not able to flip the flag and none of your cores have these lib references, then is the risk present?

Thanks in advance!
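The comment above asks whether a core is exposed when its solrconfig.xml neither loads the Velocity jars nor has params.resource.loader.enabled set to true. Below is an added audit script for answering that question across a set of config files; it is not part of the pull request or of the Solr project. It reports the two facts the comment relies on: <lib> entries whose dir, path or regex points at Velocity jars, and any queryResponseWriter of class solr.VelocityResponseWriter together with the value of its params.resource.loader.enabled setting. The sample configs are constructed for the example; the element and attribute names follow the standard solrconfig.xml layout, and the writer class name is assumed from that convention rather than taken from the comment.

```python
"""Audit solrconfig.xml files for the Velocity settings discussed in the comment above.

Added example, not project code. It only collects findings; deciding what is a
sufficient mitigation for a given deployment remains a human call.
"""
import re
import xml.etree.ElementTree as ET

# Matches the contrib/velocity lib dir and the solr-velocity-*.jar regex from the comment.
VELOCITY_RE = re.compile(r"velocity", re.IGNORECASE)
VELOCITY_WRITER_CLASS = "solr.VelocityResponseWriter"  # assumed standard class name
LOADER_PARAM = "params.resource.loader.enabled"


def audit_solrconfig(xml_text: str) -> dict:
    """Return Velocity-related findings for one solrconfig.xml document."""
    root = ET.fromstring(xml_text)

    # 1. <lib> elements that would put the Velocity jars on the core's classpath.
    lib_refs = []
    for lib in root.iter("lib"):
        attrs = {k: lib.get(k, "") for k in ("dir", "path", "regex")}
        if any(VELOCITY_RE.search(v) for v in attrs.values()):
            lib_refs.append(attrs)

    # 2. Velocity response writers and whether the params resource loader is enabled.
    writers = []
    for writer in root.iter("queryResponseWriter"):
        if writer.get("class", "") != VELOCITY_WRITER_CLASS:
            continue
        enabled = False
        for child in writer:
            if child.get("name") == LOADER_PARAM:
                enabled = (child.text or "").strip().lower() == "true"
        writers.append({"name": writer.get("name", ""), "loader_enabled": enabled})

    return {
        "velocity_lib_refs": lib_refs,
        "velocity_writers": writers,
        "loads_velocity_jars": bool(lib_refs),
        "loader_enabled": any(w["loader_enabled"] for w in writers),
    }


def audit_files(paths) -> dict:
    """Audit several solrconfig.xml files on disk, keyed by path (hypothetical paths)."""
    results = {}
    for path in paths:
        with open(path, encoding="utf-8") as fh:
            results[path] = audit_solrconfig(fh.read())
    return results


# Constructed sample: a core that loads the Velocity jars and enables the params loader.
CONFIG_WITH_VELOCITY = r"""<config>
  <lib dir="${solr.install.dir:../../../..}/contrib/velocity/lib" regex=".*\.jar" />
  <lib dir="${solr.install.dir:../../../..}/dist/" regex="solr-velocity-\d.*\.jar" />
  <queryResponseWriter name="velocity" class="solr.VelocityResponseWriter" startup="lazy">
    <str name="template.base.dir">${velocity.template.base.dir:}</str>
    <bool name="params.resource.loader.enabled">true</bool>
  </queryResponseWriter>
</config>
"""

# Constructed sample: the situation described in the comment, no Velocity lib references
# and the writer left at its default (the flag is absent, so it reads as not enabled).
CONFIG_WITHOUT_LIBS = r"""<config>
  <lib dir="${solr.install.dir:../../../..}/contrib/extraction/lib" regex=".*\.jar" />
  <queryResponseWriter name="velocity" class="solr.VelocityResponseWriter" startup="lazy">
    <str name="template.base.dir">${velocity.template.base.dir:}</str>
  </queryResponseWriter>
</config>
"""

if __name__ == "__main__":
    for label, cfg in (("with velocity", CONFIG_WITH_VELOCITY), ("without libs", CONFIG_WITHOUT_LIBS)):
        print(label, audit_solrconfig(cfg))
```

Run it over every solrconfig.xml in a deployment (for example with audit_files on the paths you collect) and review any core where loads_velocity_jars or loader_enabled is true; the script is only as complete as the set of configs fed to it, so configs pushed later through the config API or held in ZooKeeper need to be exported and included too.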

