[
https://issues.apache.org/jira/browse/SOLR-13669?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
David Smiley updated SOLR-13669:
--------------------------------
Security: Public (was: Private (Security Issue))
> [CVE-2019-0193] Remote Code Execution via DataImportHandler
> -----------------------------------------------------------
>
> Key: SOLR-13669
> URL: https://issues.apache.org/jira/browse/SOLR-13669
> Project: Solr
> Issue Type: Bug
> Security Level: Public(Default Security Level. Issues are Public)
> Components: contrib - DataImportHandler
> Reporter: Michael Stepankin
> Assignee: David Smiley
> Priority: Major
> Fix For: 8.1.2
>
>
> The DataImportHandler, an optional but popular module to pull in data from
> databases and other sources, has a feature in which the whole DIH
> configuration can come from a request's "dataConfig" parameter. The debug
> mode of the DIH admin screen uses this to allow convenient debugging /
> development of a DIH config. Since a DIH config can contain scripts, this
> parameter is a security risk. Starting with version 8.2.0 of Solr, use of
> this parameter requires setting the Java System property
> "enable.dih.dataConfigParam" to true.
> Mitigations:
> * Upgrade to 8.2.0 or later, which is secure by default.
> * or, edit solrconfig.xml to configure all DataImportHandler usages with an
> "invariants" section listing the "dataConfig" parameter set to am empty
> string.
> * Ensure your network settings are configured so that only trusted traffic
> communicates with Solr, especially to the DIH request handler. This is a
> best practice to all of Solr.
> Credits:
> * Michael Stepankin
> References:
> * https://issues.apache.org/jira/browse/SOLR-13158
> * https://cwiki.apache.org/confluence/display/solr/SolrSecurity
--
This message was sent by Atlassian JIRA
(v7.6.14#76016)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
