Skip to end of metadata
Go to start of metadata

Solr Security

The authoritative guide on implementing security is in the Solr Reference Guide. This page describes security features in general, but also provides information about CVEs that have been patched or dependencies which do not require a patch for Solr.

Also refer to the news section on the Solr Web page.

Security Announcements

If you believe you have discovered a vulnerability in Lucene or Solr, please follow these ASF guidelines for reporting it.

For each CVE listed below, please be sure to read the mailing list announcement for full details and mitigation steps.

DateCVETitleImpacted VersionsMitigationLinks
2019-12-30CVE-2019-17558RCE vulnerability through VelocityResponseWriter5.0.0-8.3.1Can only be mitigated with either Solr upgrade or a configuration change.
2019-11-18CVE-2019-12409RCE vulnerability due to bad config default8.1.1-8.2.0Can be mitigated with either a Solr upgrade or a configuration change.

Mailing list announcement

Jira issue:  SOLR-13647 - Getting issue details... STATUS

2019-09-09CVE-2019-12401XML Bomb in Apache Solr versions prior to 5.0

1.3.0-1.4.1

3.1.0-3.6.2

4.0.0-4.10.4

Can only be mitigated with Solr upgrade.

Mailing list announcement

Jira issue: SOLR-13750

2019-07-31CVE-2019-0193Remote Code Execution via DataImportHandlerall up to 8.2.0

Can be mitigated with either a Solr upgrade or a configuration change.


Mailing list announcement

Jira issue: SOLR-13669

2019-03-06CVE-2019-0192Deserialization of untrusted data via jmx.serviceUrl

5.0.0-5.5.5

6.0.0-6.6.5

Can be mitigated with either a Solr upgrade or a configuration change.

Mailing list announcement

Jira issue: SOLR-13301

2019-02-12CVE-2017-3164SSRF issue in Apache Solr1.3.0-7.6.0Can only be mitigated with Solr upgrade.

Mailing list announcement

Jira issue: SOLR-12770

2018-04-08CVE-2018-1308XXE attack through DIH's dataConfig request parameter

1.2-6.6.2

7.0.0-7.2.1

Can be mitigated with either a Solr upgrade or a configuration change.

Mailing list announcement

Jira issue: SOLR-11971

2017-10-26CVE-2016-6809Arbitrary Code Execution Vulnerabilty in Apache Tika

1.2-6.6.1

7.0

This vulnerability is with Apache Tika versions earlier than 1.14.

A Tika dependency update was released in Solr 6.6.2 and Solr 7.1.

Can only be mitigated with Solr upgrade.

Jira issue: SOLR-10335
2017-10-18CVE-2017-12629Several XXE & RCE vulnerabilities in Apache Solr

5.5.0-5.5.4

6.0.0-6.6.1

7.0.0-7.0.1

Can be mitigated with either a Solr upgrade or a configuration change.

Mailing list announcement

Jira issues: SOLR-11482 and SOLR-11477

2017-09-18CVE-2017-9803Vulnerability in Kerberos delegation token functionality6.2.0-6.6.0Can only be mitigated with a Solr upgrade.

Mailing list announcement

Jira issue: SOLR-11184

2017-07-07CVE-2017-7660Vulnerability in secure inter-node communication

5.3.0-5.5.4

6.0.0-6.5.1

Can only be mitigated with a Solr upgrade.

Mailing list announcement

Jira issue: SOLR-10624

2017-02-15CVE-2017-3163ReplicationHandler path traversal attack1.4.0-6.4.0Can only be mitigated with a Solr upgrade.

Mailing list announcement

Jira issue: SOLR-10031


Need for firewall

Even though you add SSL or Authentication plugins, it is still strongly recommended that the application server containing Solr be firewalled such the only clients with access to Solr are your own. A default/example installation of Solr allows any client with access to it to add, update, and delete documents (and of course search/read too), including access to the Solr configuration and schema files and the administrative user interface.

If there is a need to provide query access to a Solr server from the open internet, it is highly recommended to use a proxy, such as one of these.

Cross-Site Request Forgery (CSRF)

Even if a Solr instance is protected by good firewalls so that "bad guys" have no direct access, that instance may be at risk to potential "Cross-Site Request Forgery" based attacks if the following are all true:

  1. Some number of "good guys" have direct access to that Solr instance from their web browsers.
  2. A "bad guy" knows/guesses the host:port/path of the Solr instance (even though they can not access it directly)
  3. The bad guy can trick one of the good guy into clicking a maliciously crafted URL, or loading a webpage that contains malicious javascript.

This is because Solr's most basic behavior is to receive updates and deletes via HTTP. If you have a firewall or other security measure restricting Solr's /update handler so it only accepts connections from approved hosts/clients, but you are approved then you could inadvertently be tricked into loading a web page that initiates an HTTP Connection to Solr on your behalf.

It's important to keep this in mind when thinking about what it means to "secure" an instance of Solr (if you have not already).

A basic technique that can be used to mitigate the risk of a possible CSRF attack like this is to configure your Servlet Container so that access to paths which can modify the index (ie: /update, /update/csv, etc...) are restricted either to specific client IPs, or using HTTP Authentication.

Streaming Consideration

If streaming is enabled, you need to make sure Solr is as secure as it needs to be. When streaming is enabled, the parameters "stream.url" will go to a remote site and download the content. Likewise, "stream.file" will read a file on disk.

Streaming is disabled by default and is configured from solrconfig.xml

  <requestParsers enableRemoteStreaming="false" ... />

Indirect compromise through Tika vulnerabilities

One of the contrib modules that Solr includes is called SolrCell. This module adds the Extracting Request Handler. This component utilizes Apache Tika to parse rich documents like PDF and Microsoft Office and index the document contents into Solr.

The Tika software has had some security vulnerabilities. It would be theoretically possible for an attacker to upload a specially crafted file to be processed by Tika running inside Solr, or to trick an administrator into uploading such a file, and in that way compromise the Solr install.

For reasons not related to security, it is strongly recommended that this contrib module is never used in production. Tika can crash, and if such a crash happens in the SolrCell module, Solr will crash too. If that advice is followed, it would be very difficult to utilize Tika vulnerabilities to compromise Solr.

Solr and Vulnerability Scanning Tools

Many organizations have policies where software to be installed on the network must pass an examination by a vulnerability scanner which attempts to determine if there are known vulnerabilities in the application.

Solr includes many dependencies which may trigger warnings from a vulnerability scan but which the Lucene/Solr community has determined that they are false positives. As a general rule, the Lucene PMC will not accept the output of a vulnerability scan as a security report.

The following table lists the dependencies and associated CVEs which are not considered problems for Lucene or Solr.

Solr Versions

Jar or Path

Related CVEs

Date Added

Status & Notes

5.4.0-today

carrot2-guava-18.0.jar

2018-10237

31 Dec 2018

Only used with the Carrot2 clustering engine.

4.9.0-7.5.0

commons-beanutils-1.8.3.jar

2014-0114

6 Jun 2018

This is only used at compile time and it cannot be used to attack Solr. Since it is generally unnecessary, the dependency has been removed as of 7.5.0. See SOLR-12617.

8.0.0-8.3.0commons-beanutils-1.9.3.jar 2019-1008621 Nov 2019While commons-beanutils was removed in 7.5, it was added back in 8.0 in error and removed again in 8.3. The vulnerable class was not used in any Solr code path. This jar remains a dependency of both Velocity and hadoop-common, but Solr does not use it in our implementations.

4.6.0-today

commons-compress (only as part of Ant 1.8.2)

2012-2098, 2018-1324, 2018-11771

31 Dec 2018

Only used in test framework and at build time.

4.6.0-today

derby-10.9.1.0.jar


3 Nov 2018

Used only in DataImportHandler tests and example implementation, which should not be used in production.

4.6.0-today

dom4j-1.6.1.jar

2018-1000632

31 Dec 2018

Only used in Solr tests.

4.6.0-today

guava-14.0.1.jar

2018-10237

31 Dec 2018

??

6.6.1-7.6.0

hadoop-auth-2.7.4.jar, hadoop-hdfs-2.7.4.jar (all Hadoop)

2017-15718

6 Jun 2018

Does not impact Solr because Solr uses Hadoop as a client library.

6.0.0-7.5.0

icu4j-56.1.jar, icu4j-59.1.jar

2017-14952

6 Jun 2018

Issue applies only to the C++ release of ICU and not ICU4J, which is what Lucene uses. ICU4J is at v63.2 as of Lucene/Solr 7.6.0

4.7.0-today

jackson-databind-*.jar (versions prior to 2.10.0)

2017-15095, 2017-17485, 2017-7525, 2018-5968, 2018-7489, 2019-12086, 2019-12384, 2018-12814, 2019-14379, 2019-14439

2019-14540, 2019-16335

6 Jun 2018

These CVEs, and most of the known jackson-databind CVEs since 2017, are all related to problematic “gadgets” that could be exploited during deserialization of untrusted data. The Jackson developers described 4 conditions that must be met in order for a problematic gadget to be exploited. See https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062.

Solr’s use of jackson-databind does not meet 1 of the 4 conditions described which makes these CVEs unexploitable.

The specific condition that Solr does not meet is the 3rd one: “Enable polymorphic type handling…” Solr does not include any polymorphic type handling, and Solr does not configure jackson-databind de/serialization to expect or include class names in serialized JSON.

Two CVEs, 14540 & 16335, are related to HikariConfig and HikariDataSource classes, neither of which are used in Solr's code base.

7.7.0-8.2jetty-9.4.142019-10241, 2019-1024718 Oct 2019Solr upgraded to Jetty 9.4.19 for the 8.2 release. Additionally, the path to exploit these vulnerabilities was fixed in 8.1 and 7.7.2. Earlier versions can manually patch their configurations as described in SOLR-13409.

4.6.0-7.6.0

junit-4.10.jar

2018-1000056

31 Dec 2018

JUnit only used in tests; CVE only refers to a Jenkins plugin not used by Solr.

7.3.1

lucene-analyzers-icu-7.3.1.jar

2014-7940, 2016-6293, 2016-7415, 2017-14952, 2017-17484, 2017-7867, 2017-7868

6 Jun 2018

All of these issues apply to the C++ release of ICU and not ICU4J, which is what Lucene uses.

8.2-8.3netty-all-4.1.29.Final.jar 2019-1686921 Nov 2019This is not included in Solr but is a dependency of ZooKeeper 3.5.5. The version was upgraded in ZooKeeper 3.5.6, included with Solr 8.3. The specific classes mentioned in the CVE are not used in Solr (nor in ZooKeeper as far as the Solr community can determine).

5.2.0-today

org.restlet-2.3.0.jar

2017-14868, 2017-14949

31 Dec 2018

Solr should not be exposed outside a firewall where bad actors can send HTTP requests.

These two CVEs specifically involve classes (SimpleXMLProvider and XmlRepresentation, respectively) that Solr does not use in any code path.

6.5.0-today

protobuf-java-3.1.0.jar

2015-5237

3 Nov 2018

Dependency for Hadoop and Calcite. ??

5.4.0-7.7.2, 8.0-8.3

simple-xml-2.7.1.jar

2018-1471

3 Jan 2019

Dependency of Carrot2 and used during compilation, not at runtime (see SOLR-769).

This .jar was replaced in Solr 8.3 and backported to 7.7.3 (see SOLR-13779).

4.x-today

slf4j-api-1.7.24.jar, jcl-over-slf4j-1.7.24.jar, jul-to-slf4j-1.7.24.jar

2018-8088

6 Feb 2019

The reported CVE impacts org.slf4j.ext.EventData, which is not used in Solr.

7.3.1-7.5.0

tika-core.1.17.jar (and earlier)

2018-1335

6 Jun 2018

Solr does not run tika-server, so this is not a problem.

7.3.1-7.5.0

tika-core.1.17.jar (and earlier)

2018-1338, 2018-1339

6 Jun 2018

These issues would only be exploitable if untrusted files are indexed with SolrCell. This is not recommended in production systems as indicated above. Additionally, Solr upgraded to Tika 1.18 in Solr 7.4.

6.6.2-today

velocity-tools-2.0.jar contains Apache Struts 2.0.0

link to CVEs

3 Nov 2018

Solr does not ship a Struts jar. This is a transitive POM listing and not included with Solr (see comment in SOLR-2849).

5.5.5, 6.2.0-today

vorbis-java-tika-0.8.jar

2016-6809, 2018-1335, 2018-1338, 2018-1339

6 Jun 2018

See

https://github.com/Gagravarr/VorbisJava/issues/30

; reported CVEs are not related to OggVorbis at all.

~2.9-today

xercesImpl-2.9.1.jar

2012-0881

6 Jun 2018

Only used in Lucene Benchmarks and Solr tests.

  • No labels