Comment: Move security reporting info above table of CVEs

...

Security Announcements

Warning

If you believe you have discovered a vulnerability in Lucene or Solr, please follow these ASF guidelines for reporting it.

For each CVE listed below, please be sure to read the mailing list announcement for full details and mitigation steps.

Date | CVE | Title | Impacted Versions | Mitigation | Links
---- | --- | ----- | ----------------- | ---------- | -----
2019-11-18 | CVE-2019-12409 | RCE vulnerability due to bad config default | 8.1.1-8.2.0 | Can be mitigated with either a Solr upgrade or a configuration change. | Mailing list announcement; Jira issue: SOLR-13647
2019-09-09 | CVE-2019-12401 | XML Bomb in Apache Solr versions prior to 5.0 | 1.3.0-1.4.1, 3.1.0-3.6.2, 4.0.0-4.10.4 | Can only be mitigated with Solr upgrade. | Mailing list announcement; Jira issue: SOLR-13750
2019-07-31 | CVE-2019-0193 | Remote Code Execution via DataImportHandler | all up to 8.2.0 | Can be mitigated with either a Solr upgrade or a configuration change. | Mailing list announcement; Jira issue: SOLR-13669
2019-03-06 | CVE-2019-0192 | Deserialization of untrusted data via jmx.serviceUrl | 5.0.0-5.5.5, 6.0.0-6.6.5 | Can be mitigated with either a Solr upgrade or a configuration change. | Mailing list announcement; Jira issue: SOLR-13301
2019-02-12 | CVE-2017-3164 | SSRF issue in Apache Solr | 1.3.0-7.6.0 | Can only be mitigated with Solr upgrade. | Mailing list announcement; Jira issue: SOLR-12770
2018-04-08 | CVE-2018-1308 | XXE attack through DIH's dataConfig request parameter | 1.2-6.6.2, 7.0.0-7.2.1 | Can be mitigated with either a Solr upgrade or a configuration change. | Mailing list announcement; Jira issue: SOLR-11971
2017-10-26 | CVE-2016-6809 | Arbitrary Code Execution Vulnerability in Apache Tika | 1.2-6.6.1, 7.0 | This vulnerability is with Apache Tika versions earlier than 1.14. A Tika dependency update was released in Solr 6.6.2 and Solr 7.1. Can only be mitigated with Solr upgrade. | Jira issue: SOLR-10335
2017-10-18 | CVE-2017-12629 | Several XXE & RCE vulnerabilities in Apache Solr | 5.5.0-5.5.4, 6.0.0-6.6.1, 7.0.0-7.0.1 | Can be mitigated with either a Solr upgrade or a configuration change. | Mailing list announcement; Jira issues: SOLR-11482 and SOLR-11477
2017-09-18 | CVE-2017-9803 | Vulnerability in Kerberos delegation token functionality | 6.2.0-6.6.0 | Can only be mitigated with a Solr upgrade. | Mailing list announcement; Jira issue: SOLR-11184
2017-07-07 | CVE-2017-7660 | Vulnerability in secure inter-node communication | 5.3.0-5.5.4, 6.0.0-6.5.1 | Can only be mitigated with a Solr upgrade. | Mailing list announcement; Jira issue: SOLR-10624
2017-02-15 | CVE-2017-3163 | ReplicationHandler path traversal attack | 1.4.0-6.4.0 | Can only be mitigated with a Solr upgrade. | Mailing list announcement; Jira issue: SOLR-10031

...


Current state of affairs

  • SSL support was added in version 4.2 (SolrCloud v4.7).
  • Protection of Zookeeper content through ACLs was added in version 5.0.
  • Authentication and Authorization plugin support was added in 5.2 (SolrCloud only).
    • Several bugs in this support were fixed in 5.3, so it is strongly recommended to use 5.3 or later if this feature is desired. The general recommendation is to always use the latest released version.
  • The Basic Auth and Kerberos authentication plugins and the Rule-based Authorization plugin were added in 5.3.

...