We are using Solr 6.1 and at the moment we can not upgrade due to
application dependencies.
We have mitigation steps in place to only trust specific machines within
our DMZ.
I am trying to figure out if the following is an additioanal valid
mitigation step for CVE-2019-17558 on SOLR 6.1. None of our solrconfig.xml
contains the lib references to the velocity jar files as follows:
<lib dir="${solr.install.dir:../../../..}/contrib/velocity/lib"
regex="..jar" />
l<ib dir="${solr.install.dir:../../../..}/dist/"
regex="solr-velocity-\d..jar" />
It doesn't appear that you can add these jars references using the config
API. Without these references, you are not able to flip the
params.resource.loader.enabled to true using the config API. If you are not
able to flip the flag and none of your cores have these lib references then
is the risk present?
Thanks in advance!
