...
Security Announcements
Warning: If you believe you have discovered a vulnerability in Lucene or Solr, please follow these ASF guidelines for reporting it.
For each CVE listed below, please be sure to read the mailing list announcement for full details and mitigation steps.
| Date | CVE | Title | Impacted Versions | Mitigation | Links |
|---|---|---|---|---|---|
| 2019-11-18 | CVE-2019-12409 | RCE vulnerability due to bad config default | 8.1.1-8.2.0 | Can be mitigated with either a Solr upgrade or a configuration change. | Jira issue: SOLR-13647 |
| 2019-09-09 | CVE-2019-12401 | XML Bomb in Apache Solr versions prior to 5.0 | 1.3.0-1.4.1; 3.1.0-3.6.2; 4.0.0-4.10.4 | Can only be mitigated with a Solr upgrade. | Jira issue: SOLR-13750 |
| 2019-07-31 | CVE-2019-0193 | Remote Code Execution via DataImportHandler | all up to 8.2.0 | Can be mitigated with either a Solr upgrade or a configuration change. | Jira issue: SOLR-13669 |
| 2019-03-06 | CVE-2019-0192 | Deserialization of untrusted data via jmx.serviceUrl | 5.0.0-5.5.5; 6.0.0-6.6.5 | Can be mitigated with either a Solr upgrade or a configuration change. | Jira issue: SOLR-13301 |
| 2019-02-12 | CVE-2017-3164 | SSRF issue in Apache Solr | 1.3.0-7.6.0 | Can only be mitigated with a Solr upgrade. | Jira issue: SOLR-12770 |
| 2018-04-08 | CVE-2018-1308 | XXE attack through DIH's dataConfig request parameter | 1.2-6.6.2; 7.0.0-7.2.1 | Can be mitigated with either a Solr upgrade or a configuration change. | Jira issue: SOLR-11971 |
| 2017-10-26 | CVE-2016-6809 | Arbitrary Code Execution Vulnerability in Apache Tika | 1.2-6.6.1; 7.0 | This vulnerability is in Apache Tika versions earlier than 1.14. A Tika dependency update was released in Solr 6.6.2 and Solr 7.1. Can only be mitigated with a Solr upgrade. | Jira issue: SOLR-10335 |
| 2017-10-18 | CVE-2017-12629 | Several XXE & RCE vulnerabilities in Apache Solr | 5.5.0-5.5.4; 6.0.0-6.6.1; 7.0.0-7.0.1 | Can be mitigated with either a Solr upgrade or a configuration change. | Jira issues: SOLR-11482 and SOLR-11477 |
| 2017-09-18 | CVE-2017-9803 | Vulnerability in Kerberos delegation token functionality | 6.2.0-6.6.0 | Can only be mitigated with a Solr upgrade. | Jira issue: SOLR-11184 |
| 2017-07-07 | CVE-2017-7660 | Vulnerability in secure inter-node communication | 5.3.0-5.5.4; 6.0.0-6.5.1 | Can only be mitigated with a Solr upgrade. | Jira issue: SOLR-10624 |
| 2017-02-15 | CVE-2017-3163 | ReplicationHandler path traversal attack | 1.4.0-6.4.0 | Can only be mitigated with a Solr upgrade. | Jira issue: SOLR-10031 |
...
Current state of affairs
- SSL support was added in version 4.2 (SolrCloud v4.7).
- Protection of Zookeeper content through ACLs was added in version 5.0.
- Authentication and Authorization plugin support was added in 5.2 (SolrCloud only).
- Several bugs in this support were fixed in 5.3, so it's strongly recommended to use 5.3 or later if this feature is desired. The general recommendation is to always use the latest released version.
- The Basic Auth and Kerberos authentication plugins and the Rule-based Authorization plugin were added in 5.3.
...