[
https://issues.apache.org/jira/browse/SOLR-14049?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17438011#comment-17438011
]
David Eric Pugh commented on SOLR-14049:
----------------------------------------
I would agree with [~janhoy] on this. I think if we REALLY wanted to solve
this, we would FORCE people to start out with a minimal security.json that
blocks everything, and a default user "admin" with a default password that you
have to change the first time. That's what other tools like Grafana etc. do.
This way, our default security.json file becomes the "most locked down version
of Solr you can be", and folks open it up using the security GUI as they
wish.... Huh... This is actually sounding like a better idea than I
thought ;)
> Disable Config APIs by default
> ------------------------------
>
> Key: SOLR-14049
> URL: https://issues.apache.org/jira/browse/SOLR-14049
> Project: Solr
> Issue Type: Improvement
> Reporter: Ishan Chattopadhyaya
> Priority: Major
>
> Spin off from SOLR-13978. This is not my proposal (I support this only
> conditionally), I'm just opening the JIRA.
> Proposal is to do this by 8.4. Reason is that Config APIs have been used in
> the past to invoke RCE vulnerabilities in some components of Solr.
> The discussion has happened in SOLR-13978. I am willing to do the work once
> we have agreement on this.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)