[ https://issues.apache.org/jira/browse/SOLR-16522?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Hariprasad T updated SOLR-16522:
--------------------------------
Security: Public (was: Private (Security Issue))
> Unauthenticated access to an Apache Solr Server Detected
> --------------------------------------------------------
>
> Key: SOLR-16522
> URL: https://issues.apache.org/jira/browse/SOLR-16522
> Project: Solr
> Issue Type: Task
> Security Level: Public(Default Security Level. Issues are Public)
> Reporter: Hariprasad T
> Priority: Major
>
> Hi Team,
> We have a Sitecore project with version 9.3 and we are using Windows Solr
> 8.1.1. We have this vulnerability, "Unauthenticated access to an Apache Solr
> Server Detected", impacting a few of our servers. Below is the patch fix
> suggested by Solr for this vulnerability.
> *Ref:* SOLR-13647 -CVE-2019-12409
> *URL:*
> https://solr.apache.org/security.html#cve-2019-12409-apache-solr-rce-vulnerability-due-to-bad-config-default
> *Impacted Servers:*
> Many servers like TST, STG, Prod.
> *Mitigation:*
> *(a) Users are advised to upgrade to latest solr version
> https://lucene.apache.org/solr/downloads.html "Solr 8.3.0:*
> With Sitecore 9.3 only Solr 8.1.1 works and is recommended, so we cannot
> upgrade Solr. Please correct me if I'm wrong.
> *(b) Apply workaround: Make sure your effective solr.in.sh file has
> ENABLE_REMOTE_JMX_OPTS set to False on every Solr node and then restart Solr.
> Note that the effective solr.in.sh file may reside in /etc/defaults/ or
> another location depending on the install. You can then validate that the
> com.sun.management.jmxremote family of properties are not listed in the Java
> Properties section of the Solr Admin UI, or configured in a secure way:*
> Applied the fix and it's not working. Please advise or suggest any other fix.
> Thanks in advance!!
>
> Regards,
> Hariprasad T
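A small check for the workaround quoted in the report, added here as an example and not part of the issue or the Solr project: it reads the effective ENABLE_REMOTE_JMX_OPTS value from solr.in.sh (and also from solr.in.cmd's `set VAR=value` form on Windows, which goes beyond the report's Linux-oriented text) and then looks for com.sun.management.jmxremote properties in a saved copy of the Admin UI's Java Properties JSON. The /solr/admin/info/properties?wt=json path and the constructed sample files are assumptions.

```shell
#!/bin/sh
# Added example, not from the issue or the Solr project. Assumes the stock
# "ENABLE_REMOTE_JMX_OPTS=<value>" line in solr.in.sh (or "set ..." in
# solr.in.cmd) and a saved copy of the Admin UI's Java Properties JSON.

# Print the value of the last uncommented ENABLE_REMOTE_JMX_OPTS assignment in
# file $1, lower-cased, with quotes, blanks, trailing comments and CRs removed.
effective_jmx_setting() {
  grep -Ei '^[[:space:]]*(export[[:space:]]+|set[[:space:]]+)?ENABLE_REMOTE_JMX_OPTS=' "$1" \
    | tail -n 1 \
    | sed -e 's/^[^=]*=//' -e 's/#.*$//' -e "s/[\"' ]//g" \
    | tr -d '\r' | tr '[:upper:]' '[:lower:]'
}

# Succeed only when the setting is explicitly "false". Solr 8.1.1 and 8.2.0
# shipped with it set to true, so a missing line counts as exposed.
remote_jmx_disabled() {
  [ "$(effective_jmx_setting "$1")" = "false" ]
}

# List com.sun.management.jmxremote* property names in the JSON saved from
# /solr/admin/info/properties?wt=json (assumed path; file $1). The file edit
# only takes effect after a restart, so this is the runtime check.
jmxremote_props() {
  grep -o '"com\.sun\.management\.jmxremote[^"]*"' "$1" | tr -d '"' | sort -u
}

report() {
  if remote_jmx_disabled "$1"; then
    echo "OK       $1: ENABLE_REMOTE_JMX_OPTS=false"
  else
    echo "EXPOSED  $1: ENABLE_REMOTE_JMX_OPTS='$(effective_jmx_setting "$1")'"
  fi
  n=$(jmxremote_props "$2" | wc -l | tr -d ' ')
  if [ "$n" -eq 0 ]; then echo "OK       $2: no jmxremote properties"
  else echo "EXPOSED  $2: $n jmxremote properties set (restart pending?)"; fi
}

# Constructed sample inputs so the script runs offline.
tmp=$(mktemp -d)
printf 'ENABLE_REMOTE_JMX_OPTS=true\nRMI_PORT=18983\n' > "$tmp/vuln.in.sh"
printf '#ENABLE_REMOTE_JMX_OPTS=true\r\nset ENABLE_REMOTE_JMX_OPTS="false"\r\n' > "$tmp/fixed.in.cmd"
printf '{"system.properties":{"com.sun.management.jmxremote":"","com.sun.management.jmxremote.port":"18983"}}\n' > "$tmp/live.json"
printf '{"system.properties":{"java.version":"1.8.0_202"}}\n' > "$tmp/clean.json"
report "$tmp/vuln.in.sh" "$tmp/live.json"
report "$tmp/fixed.in.cmd" "$tmp/clean.json"
rm -rf "$tmp"
```

Point the first argument at the solr.in.sh that Solr actually sources (the report notes it may live in /etc/default rather than beside bin/solr) and the second at the JSON fetched from the running node.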
--
This message was sent by Atlassian Jira
(v8.20.10#820010)