[ https://issues.apache.org/jira/browse/SOLR-16520?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Hariprasad T updated SOLR-16520:
--------------------------------
    Security: Public  (was: Private (Security Issue))

> Apache Solr Remote Code Execution Vulnerability
> -----------------------------------------------
>
>                 Key: SOLR-16520
>                 URL: https://issues.apache.org/jira/browse/SOLR-16520
>             Project: Solr
>          Issue Type: Task
>      Security Level: Public(Default Security Level. Issues are Public) 
>            Reporter: Hariprasad T
>            Priority: Major
>
> Hi Team,
> We have a Sitecore project with version 9.3 and we are using Windows Solr 
> 8.1.1. This vulnerability, "Apache Solr Remote Code Execution 
> Vulnerability", has impacted a few of our servers. Below are the patch fixes 
> suggested by Solr for this vulnerability.
> *Ref:* SOLR-13971 - CVE-2019-17558
> *URL:* 
> [https://solr.apache.org/security.html#cve-2019-17558-apache-solr-rce-through-velocityresponsewriter]
> *Impacted Servers:*
> Many servers like TST, STG, Prod.
> *Mitigation:*
> *(a) params.resource.loader.enabled by defining a response writer with that 
> setting set to true:*
> We have tried this but unfortunately it's not working. Please suggest any 
> other fix or let me know why it is not working.
> *(b)* *Ensure your network settings are configured so that only trusted 
> traffic communicates with Solr, especially to the configuration APIs 
> [https://solr.apache.org/guide/solr/latest/deployment-guide/securing-solr.html]*
>   *(i) Authentication and Authorization* 
>   *(ii) IP Access Control*
> We have checked these files and it's not available in our project's Solr 
> version 8.1.1. Please advise.
> Thanks in advance!!
> Regards,
> Hariprasad T
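The advisory linked in the issue (CVE-2019-17558) describes the RCE as requiring a VelocityResponseWriter whose `params.resource.loader.enabled` setting is true, so the first thing an operator on 8.1.1 wants is an audit of `solrconfig.xml` for exactly that condition. The following is an added example, not code from the issue or from the Solr project; the config fragment is constructed in the shape of Solr's stock `techproducts` configset, and it also resolves Solr's `${property:default}` substitution so a value enabled via a `-D` system property is not missed.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample solrconfig.xml fragment (not from the issue): the first writer
# keeps the safe stock default, the second explicitly enables the risky setting.
SAMPLE_SOLRCONFIG = """<config>
  <queryResponseWriter name="velocity" class="solr.VelocityResponseWriter" startup="lazy">
    <str name="template.base.dir">${velocity.template.base.dir:}</str>
    <str name="solr.resource.loader.enabled">${velocity.solr.resource.loader.enabled:true}</str>
    <str name="params.resource.loader.enabled">${velocity.params.resource.loader.enabled:false}</str>
  </queryResponseWriter>
  <queryResponseWriter name="velocity_open" class="solr.VelocityResponseWriter">
    <bool name="params.resource.loader.enabled">true</bool>
  </queryResponseWriter>
</config>
"""

# Matches Solr's ${name} / ${name:default} property substitution syntax.
_PROP = re.compile(r"^\$\{([^:}]+)(?::([^}]*))?\}$")


def resolve(value, props):
    """Resolve a config value against a dict of system properties (-Dname=value).
    A literal value is returned as-is; ${name:default} yields props[name] or default."""
    m = _PROP.match(value.strip())
    if not m:
        return value.strip()
    name, default = m.group(1), m.group(2) or ""
    return props.get(name, default)


def find_params_loader_writers(xml_text, props=None):
    """Return the names of VelocityResponseWriter definitions whose
    params.resource.loader.enabled resolves to true, i.e. the CVE-2019-17558 precondition."""
    props = props or {}
    root = ET.fromstring(xml_text)
    flagged = []
    for writer in root.iter("queryResponseWriter"):
        if not writer.get("class", "").endswith("VelocityResponseWriter"):
            continue
        for child in writer:
            if child.get("name") == "params.resource.loader.enabled":
                if resolve(child.text or "", props).lower() == "true":
                    flagged.append(writer.get("name"))
    return flagged


if __name__ == "__main__":
    print(find_params_loader_writers(SAMPLE_SOLRCONFIG))
    # The same file is also unsafe if Solr was started with the property set to true.
    print(find_params_loader_writers(SAMPLE_SOLRCONFIG,
                                     {"velocity.params.resource.loader.enabled": "true"}))
```

Run it against each core's `solrconfig.xml` together with the `-D` properties from the Solr start script; an empty result for every core means the writer-level precondition from the advisory is absent, which does not replace upgrading.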



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
