[ https://issues.apache.org/jira/browse/SOLR-16538?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Kevin Risden resolved SOLR-16538.
---------------------------------
    Resolution: Duplicate

[~harryprasad] please don't open duplicates (SOLR-16520 was previously created), 
and Jira is not for end-user support. It is for tracking bugs in Solr.

> Apache Solr Remote Code Execution Vulnerability
> -----------------------------------------------
>
>                 Key: SOLR-16538
>                 URL: https://issues.apache.org/jira/browse/SOLR-16538
>             Project: Solr
>          Issue Type: Task
>      Security Level: Public(Default Security Level. Issues are Public) 
>            Reporter: Hariprasad T
>            Priority: Major
>
> Hi Team,
> We have a Sitecore project, version 9.3, and we are using Windows Solr 
> 8.1.1. The vulnerability "Apache Solr Remote Code Execution 
> Vulnerability" is impacting a few of our servers. Below are the patch fixes 
> suggested by Solr for this vulnerability.
> *Ref:* SOLR-14925  -CVE-2020-13957
> *URL:* 
> [https://solr.apache.org/security.html#cve-2021-27905-ssrf-vulnerability-with-the-replication-handler]
> *Impacted Servers:*
> Many servers like TST, STG, Prod.
> *Mitigation:*
> *(a) Disable UPLOAD command in ConfigSets API if not used by setting the 
> system property: configset.upload.enabled to false (see docs)*
> The above attribute is not available in our project's solr version 8.1.1. 
> Please advise how to fix this vulnerability.
> *(b) No Solr API, including the Admin UI, is designed to be exposed to 
> non-trusted parties. Tune your firewall so that only trusted computers and 
> people are allowed access - IP Access Control*
> Restrict network access to specific hosts by setting 
> SOLR_IP_ALLOWLIST/SOLR_IP_DENYLIST via environment variables or in 
> solr.in.sh/solr.in.cmd - This attribute is not available in our project's 
> Solr version 8.1.1. Please advise.
> *(c) If upgrading is not an option, consider applying the patch in SOLR-14663*
> The given patch fix is applicable for higher versions. Please advise.
> It would be great if you could suggest any other solution to fix this 
> vulnerability.
> Thanks in advance!
>  
> Regards,
> Hariprasad T



--
This message was sent by Atlassian Jira
(v8.20.10#820010)