[ https://issues.apache.org/jira/browse/SOLR-16537?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Kevin Risden resolved SOLR-16537.
---------------------------------
Resolution: Duplicate
[~harryprasad] please don't open duplicates (SOLR-16520 was previously created),
and Jira is not for end-user support. It is for tracking bugs in Solr.
> Apache Solr Remote Code Execution Vulnerability
> -----------------------------------------------
>
> Key: SOLR-16537
> URL: https://issues.apache.org/jira/browse/SOLR-16537
> Project: Solr
> Issue Type: Task
> Security Level: Public(Default Security Level. Issues are Public)
> Reporter: Hariprasad T
> Priority: Major
>
> We have a Sitecore 9.3 project and are using Solr 8.1.1 on Windows. This
> vulnerability, "Apache Solr Remote Code Execution Vulnerability", has
> impacted a few of our servers. Below is the fix suggested by Solr for this
> vulnerability.
> *Ref:* SOLR-13971 -CVE-2019-17558
> *URL:*
> [https://solr.apache.org/security.html#cve-2019-17558-apache-solr-rce-through-velocityresponsewriter]
> *Impacted Servers:*
> Many servers like TST, STG, Prod.
> *Mitigation:*
> *(a) Ensure your network settings are configured so that only trusted traffic
> communicates with Solr, especially to the configuration APIs:*
> https://solr.apache.org/guide/solr/latest/deployment-guide/securing-solr.html
>
> *(i) Authentication and Authorization*
> We don't have this file in our project's Solr version 8.1.1. Please check and
> let us know where we can find the file security.json. Please advise.
> *(ii) IP Access Control*
> Restrict network access to specific hosts, by setting
> SOLR_IP_ALLOWLIST/SOLR_IP_DENYLIST via environment variables or in
> solr.in.sh/solr.in.cmd.
> We don't have this attribute in the above files. Please advise.
> Or it would be great if you could suggest any other solution for fixing this
> vulnerability.
> Thanks in advance!
>
> Regards,
> Hariprasad T
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
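For readers who land on this thread with the same question, here is an added example of the security.json the issue asks about. It is not code from the issue or from the Solr project; it is an editor's illustration. Solr does not ship this file: on a standalone node you create it yourself in $SOLR_HOME beside solr.xml, and in SolrCloud you upload it to ZooKeeper (for example `bin/solr zk cp file:security.json zk:/security.json -z localhost:2181`, or `bin/solr auth enable -type basicAuth -credentials solr:SolrRocks -blockUnknown true` to have Solr generate one). The credential string below is the Solr reference guide's documented sample hash for the password `SolrRocks`, reused here for both sample users; the user names `solr` and `sitecore` and the role names `admin` and `app` are assumptions for this example and must be replaced before use.

```json
{
  "authentication": {
    "class": "solr.BasicAuthPlugin",
    "blockUnknown": true,
    "credentials": {
      "solr": "IV0EHq1OnNrj6gvRCwvFwTrZ1+z1oBbnQdiVC3otuq0= Ndd7LKvVBAaZIF0QAVi1ekCfAJXr1GGfLtRUXhgrF8c=",
      "sitecore": "IV0EHq1OnNrj6gvRCwvFwTrZ1+z1oBbnQdiVC3otuq0= Ndd7LKvVBAaZIF0QAVi1ekCfAJXr1GGfLtRUXhgrF8c="
    }
  },
  "authorization": {
    "class": "solr.RuleBasedAuthorizationPlugin",
    "permissions": [
      { "name": "read",   "role": ["admin", "app"] },
      { "name": "update", "role": ["admin", "app"] },
      { "name": "security-edit",   "role": "admin" },
      { "name": "config-edit",     "role": "admin" },
      { "name": "core-admin-edit", "role": "admin" },
      { "name": "all", "role": "admin" }
    ],
    "user-role": {
      "solr": "admin",
      "sitecore": "app"
    }
  }
}
```

Two points matter for the CVE in question. `blockUnknown: true` rejects every unauthenticated request, so an attacker who can reach the port can no longer call the Config API at all, and `config-edit` (which covers the `/config` endpoint used to enable the Velocity params resource loader) is granted only to the `admin` role, so the application account `sitecore` cannot change it either. Permissions are matched in order, so the broad `all` rule goes last. The SOLR_IP_ALLOWLIST/SOLR_IP_DENYLIST settings the issue could not find were added to solr.in.sh/solr.in.cmd in Solr 8.6, which is why 8.1.1 does not have them; on 8.1.1 the equivalent is a host firewall or reverse-proxy rule in front of the Solr port. Neither measure replaces the fix the linked advisory gives for CVE-2019-17558, which is an upgrade to Solr 8.4 or later.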