[ https://issues.apache.org/jira/browse/SOLR-13669?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16984789#comment-16984789 ]
Jan Høydahl commented on SOLR-13669: ------------------------------------ Guess fix-version should be changed to 8.2.0 and then resolve? > [CVE-2019-0193] Remote Code Execution via DataImportHandler > ----------------------------------------------------------- > > Key: SOLR-13669 > URL: https://issues.apache.org/jira/browse/SOLR-13669 > Project: Solr > Issue Type: Bug > Security Level: Public(Default Security Level. Issues are Public) > Components: contrib - DataImportHandler > Reporter: Michael Stepankin > Assignee: David Smiley > Priority: Major > Fix For: 8.1.2 > > > The DataImportHandler, an optional but popular module to pull in data from > databases and other sources, has a feature in which the whole DIH > configuration can come from a request's "dataConfig" parameter. The debug > mode of the DIH admin screen uses this to allow convenient debugging / > development of a DIH config. Since a DIH config can contain scripts, this > parameter is a security risk. Starting with version 8.2.0 of Solr, use of > this parameter requires setting the Java System property > "enable.dih.dataConfigParam" to true. > Mitigations: > * Upgrade to 8.2.0 or later, which is secure by default. > * or, edit solrconfig.xml to configure all DataImportHandler usages with an > "invariants" section listing the "dataConfig" parameter set to am empty > string. > * Ensure your network settings are configured so that only trusted traffic > communicates with Solr, especially to the DIH request handler. This is a > best practice to all of Solr. > Credits: > * Michael Stepankin > References: > * https://issues.apache.org/jira/browse/SOLR-13669 > * https://cwiki.apache.org/confluence/display/solr/SolrSecurity -- This message was sent by Atlassian Jira (v8.3.4#803005) --------------------------------------------------------------------- To unsubscribe, e-mail: issues-unsubscr...@lucene.apache.org For additional commands, e-mail: issues-h...@lucene.apache.org