[
https://issues.apache.org/jira/browse/OFBIZ-12316?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Jacques Le Roux closed OFBIZ-12316.
-----------------------------------
Fix Version/s: Release Branch 17.12
18.12.01
Resolution: Fixed
I have fixed the issue by updating to Solr 8.9.0. It's not the 1st time I've
tried that and it was very painful. Fortunately I listened to Fela all along, it
alleviated the pain.
Following is a (justified) rant!
The API at
https://solr.apache.org/docs/8_9_0/solr-core/org/apache/solr/core/CoreContainer.html#CoreContainer-org.apache.solr.core.NodeConfig-
is not up to date (i.e. wrong!).
For instance the methods
CoreContainer(Path solrHome, Properties properties)
CoreContainer(NodeConfig config, boolean asyncSolrCoreLoad)
no longer exist.
So you would think
"Better refer to the real CoreContainer class using your IDE"
Wrong, try
cores = new CoreContainer(nodeConfig, extraProperties);
for instance.
You get
error: incompatible types: Properties cannot be converted to CoresLocator
You may also try
cores = new CoreContainer(nodeConfig, extraProperties, true);
Then you get a bit more information:
error: no suitable constructor found for CoreContainer(NodeConfig,Properties)
cores = new CoreContainer(nodeConfig, extraProperties);
^
    constructor CoreContainer.CoreContainer(Path,Properties) is not applicable
      (argument mismatch; NodeConfig cannot be converted to Path)
    constructor CoreContainer.CoreContainer(NodeConfig,boolean) is not applicable
      (argument mismatch; Properties cannot be converted to boolean)
    constructor CoreContainer.CoreContainer(NodeConfig,CoresLocator) is not applicable
      (argument mismatch; Properties cannot be converted to CoresLocator)
As I'm not a Solr developer I did not dig deeper (was already deep enough).
And this keeps it as simple as possible. Solr works in OFBiz so hopefully it's
the right thing!
> The Solr version included in OFBiz has an SSRF vulnerability (CVE-2021-27905)
> -----------------------------------------------------------------------------
>
> Key: OFBIZ-12316
> URL: https://issues.apache.org/jira/browse/OFBIZ-12316
> Project: OFBiz
> Issue Type: Bug
> Components: solr
> Affects Versions: Trunk
> Reporter: Jacques Le Roux
> Assignee: Jacques Le Roux
> Priority: Major
> Fix For: 18.12.01, Release Branch 17.12
>
>
> This post-auth security issue was reported to the security team by weinull
> orz <[email protected]>. As he suggested, the solution is to update Solr to
> its last version.