[ https://issues.apache.org/jira/browse/SOLR-5998?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13975387#comment-13975387 ]
Shawn Heisey commented on SOLR-5998:
------------------------------------
Solr itself contains no SSL code. It runs in a servlet container (a Java
webserver). A stripped-down install of Jetty is included in the Solr example,
but that is not set up with SSL by default.

Even if the user does enable SSL on the included example, Jetty will be using
the Java SSL implementation, which does not use OpenSSL at all. It is not
vulnerable to Heartbleed. If the user is not using Jetty, they would need to
check the particular servlet container they are using for vulnerabilities. I
am reasonably sure that none of the available servlet containers will be using
OpenSSL.

Sometimes proxy software or hardware is used in front of Solr and SSL is
configured there. That software and the operating system that it runs on may
be vulnerable to Heartbleed.

One final piece of information: We strongly recommend installing Solr someplace
where it cannot be reached directly from the open Internet. SSL is not enough
to prevent security issues.
> Is Apache Solr 1.0 vulnerable to Heartbleed
> -------------------------------------------
>
> Key: SOLR-5998
> URL: https://issues.apache.org/jira/browse/SOLR-5998
> Project: Solr
> Issue Type: Bug
> Reporter: Lynn Clara
>
> What would I check to see whether there is any documented info on whether Apache
> Solr 1.0 is vulnerable to Heartbleed? If so, are there any available fixes? Thanks
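One way to act on the comment's advice on a Linux host, added here as an example and not part of the original thread: the script lists the OpenSSL shared libraries mapped by a given process, so the servlet container and any proxy in front of Solr can be checked. The function names and the sample maps lines are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: report OpenSSL shared libraries mapped into a process by
# parsing Linux /proc/<pid>/maps. Limitation: a statically linked OpenSSL
# has no libssl/libcrypto mapping and will not be seen by this check.

# Print each distinct libssl/libcrypto path in maps-format input
# (a file argument, or stdin when no argument is given).
openssl_libs_in_maps() {
    awk 'NF >= 6 {
        # Field 6 onward is the backing file; rejoin it in case it has spaces.
        path = $6
        for (i = 7; i <= NF; i++) path = path " " $i
        n = split(path, parts, "/")
        # libssl.so* / libcrypto.so* are OpenSSL; NSS libssl3.so is excluded.
        if (parts[n] ~ /^lib(ssl|crypto)\.so/ && !seen[path]++) print path
    }' "$@"
}

# Exit status 0 if the maps-format input references an OpenSSL library.
maps_uses_openssl() {
    [ -n "$(openssl_libs_in_maps "$@")" ]
}

# Constructed sample: a proxy-like process with OpenSSL mapped. "(deleted)"
# marks a library replaced on disk that the running process still maps.
constructed_proxy_maps() {
    cat <<'EOF'
00400000-004b2000 r-xp 00000000 08:01 131 /usr/sbin/exampleproxy
7f10a0000000-7f10a0055000 r-xp 00000000 08:01 777 /lib/x86_64-linux-gnu/libssl.so.1.0.0 (deleted)
7f10a0255000-7f10a0259000 rw-p 00055000 08:01 777 /lib/x86_64-linux-gnu/libssl.so.1.0.0 (deleted)
7f10a1000000-7f10a11b0000 r-xp 00000000 08:01 778 /lib/x86_64-linux-gnu/libcrypto.so.1.0.0
7ffd5c000000-7ffd5c021000 rw-p 00000000 00:00 0 [stack]
EOF
}

# Usage: pass the PIDs of the servlet container and of any proxy in front of it.
for pid in "$@"; do
    if maps_uses_openssl "/proc/$pid/maps"; then
        echo "PID $pid maps OpenSSL:"
        openssl_libs_in_maps "/proc/$pid/maps" | sed 's/^/  /'
    else
        echo "PID $pid: no OpenSSL shared library mapped"
    fi
done
```

A hit only shows that OpenSSL is loaded by that process; whether that build is affected by Heartbleed depends on its version.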