Multicore SOLR needs to prevent remote access to solr cores
-----------------------------------------------------------

                 Key: DS-858
                 URL: https://jira.duraspace.org/browse/DS-858
             Project: DSpace
          Issue Type: Bug
          Components: Solr
    Affects Versions: 1.7.0
            Reporter: Peter Dietz
            Assignee: Mark Diggory
            Priority: Major
             Fix For: 1.7.1, 1.8.0
         Attachments: 
diff-modules_dspace-solr_trunk_webapp_src_main_webapp_WEB-INF_web.xml-from-r5524-to-r6235.diff

Kim Shepherd has noticed that a default installation of DSpace 1.7.0 with no 
further security hardening through configuration of Tomcat and Apache HTTPD 
will allow remote access to SOLR. This problem was created when Solr went 
multicore on DSpace. The security vulnerabilities are that a remote user could 
view data in solr (non-anonymised usage data, private metadata) that is 
typically restricted from remote users. Additionally, a malicious user could 
alter or delete data in Solr.

The fix for this is included in 1.7.1. Current users of DSpace 1.7.0 can either 
upgrade to 1.7.1 as soon as possible, or patch their 
[dspace]/webapps/solr/WEB-INF/web.xml with the change made in r6161 
https://fisheye3.atlassian.com/browse/dspace/modules/dspace-solr/trunk/webapp/src/main/webapp/WEB-INF/web.xml?r2=6161&r1=5524
which moves the filter-mapping for LocalHostRestrictionFilter above 
SolrRequestFilter.
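The ordering the r6161 change relies on, shown as an added web.xml sketch that is not DSpace's actual file: the filter-class and url-pattern values are placeholders, only the two filter names come from the issue. The Servlet specification runs filters in the order their filter-mapping elements appear, so the localhost check must be mapped before the filter that serves Solr requests.

```xml
<!-- Added illustration, not the DSpace web.xml. filter-class and
     url-pattern values are placeholders; the filter names are the ones
     named in the issue. -->
<web-app>
  <filter>
    <filter-name>LocalHostRestrictionFilter</filter-name>
    <filter-class>PLACEHOLDER.LocalHostRestrictionFilter</filter-class>
  </filter>
  <filter>
    <filter-name>SolrRequestFilter</filter-name>
    <filter-class>PLACEHOLDER.SolrRequestFilter</filter-class>
  </filter>

  <!-- VULNERABLE ORDER (before r6161): SolrRequestFilter is mapped first,
       so it serves the request before the localhost check ever runs, and
       a remote client reaches the cores. Kept commented out for contrast. -->
  <!--
  <filter-mapping>
    <filter-name>SolrRequestFilter</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>
  <filter-mapping>
    <filter-name>LocalHostRestrictionFilter</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>
  -->

  <!-- FIXED ORDER (r6161): filter-mapping order is chain order, so
       LocalHostRestrictionFilter rejects non-local clients before
       SolrRequestFilter sees the request. -->
  <filter-mapping>
    <filter-name>LocalHostRestrictionFilter</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>
  <filter-mapping>
    <filter-name>SolrRequestFilter</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>
</web-app>
```

After changing web.xml, restart Tomcat so the new descriptor is loaded, then confirm from a non-local host that Solr URLs are refused while a request from the DSpace server itself still succeeds.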

After patching or upgrading your system, those using Discovery should reindex 
their content. 
[dspace]/bin/dspace update-discovery-index -f

-- 
This message is automatically generated by JIRA.
_______________________________________________
Dspace-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/dspace-devel