...
The authoritative guide on implementing security is the Solr Reference Guide. This page describes Solr's security features in general terms, and also lists CVEs that have been patched as well as CVEs in dependencies that do not require a patch to Solr.
Reported vulnerabilities (CVEs) are also listed in the security news section of the Solr website.
...
Warning: If you believe you have discovered a vulnerability in Lucene or Solr, please follow the ASF guidelines for reporting it.
For each CVE listed below, please be sure to read the mailing list announcement for full details and mitigation steps.
...
6.6.0 to 6.6.5
7.0.0 to 7.7.3
8.0.0 to 8.6.2
...
Jira issues: SOLR-14925 and SOLR-14663
...
...
Jira issues: SOLR-13971 and SOLR-14025
...
Jira issue:
...
1.3.0-1.4.1
3.1.0-3.6.2
4.0.0-4.10.4
...
Can only be mitigated with a Solr upgrade.
...
Jira issue: SOLR-13750
...
Can be mitigated with either a Solr upgrade or a configuration change.
...
Jira issue: SOLR-13669
...
5.0.0-5.5.5
6.0.0-6.6.5
...
Jira issue: SOLR-13301
...
Jira issue: SOLR-12770
...
1.2-6.6.2
7.0.0-7.2.1
...
Jira issue: SOLR-11971
...
1.2-6.6.1
7.0
...
This vulnerability is in Apache Tika versions earlier than 1.14.
Solr 6.6.2 and Solr 7.1 shipped the updated Tika dependency.
Can only be mitigated with a Solr upgrade.
...
5.5.0-5.5.4
6.0.0-6.6.1
7.0.0-7.0.1
...
...
Jira issues: SOLR-11482 and SOLR-11477
...
Jira issue: SOLR-11184
...
5.3.0-5.5.4
6.0.0-6.5.1
...
Jira issue: SOLR-10624
...
...
Need for firewall
Even if you enable SSL or an authentication plugin, it is still strongly recommended that the server hosting Solr be firewalled so that only your own clients can reach it. A default or example installation of Solr allows any client that can connect to it to add, update and delete documents (and of course search and read them), and also exposes the Solr configuration and schema files and the administrative user interface.
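As an added example (not code from this wiki page or from the Solr project), the following script renders an nftables ruleset that admits TCP connections to Solr's port only from an allow-list of your own client networks and drops everything else, which is the firewalling the paragraph above asks for. The port 8983 and the client networks 10.0.1.10 and 10.0.1.0/24 are constructed sample values; the script only prints the ruleset so it can be reviewed before being loaded with `nft -f` as root. Each CIDR is validated first so that a typo cannot silently widen the rule.

```shell
#!/bin/sh
# Added example: render an nftables ruleset that restricts access to Solr's
# port to an allow-list of client networks. Sample port and CIDRs below are
# constructed values; replace them with your own. This script prints only.

SOLR_PORT="${SOLR_PORT:-8983}"

# Accept only a.b.c.d or a.b.c.d/nn (prefix 0-32).
valid_cidr() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/([0-9]|[12][0-9]|3[0-2]))?$'
}

# Usage: solr_firewall_rules PORT CIDR [CIDR...]
# Prints the ruleset to stdout; returns 1 if no CIDR is given or one is malformed.
solr_firewall_rules() {
    port="$1"; shift
    allow=""
    for cidr in "$@"; do
        valid_cidr "$cidr" || { echo "invalid CIDR: $cidr" >&2; return 1; }
        allow="${allow}${allow:+, }${cidr}"
    done
    [ -n "$allow" ] || { echo "no client networks given" >&2; return 1; }
    cat <<EOF
table inet solr {
    chain input {
        type filter hook input priority 0; policy accept;
        # Administrative access from the Solr host itself.
        iif lo tcp dport $port accept
        # Only the application servers that should query Solr.
        ip saddr { $allow } tcp dport $port accept
        # Everything else aimed at Solr is dropped, so scanners learn nothing.
        tcp dport $port drop
    }
}
EOF
}

# Render the ruleset for the constructed sample allow-list.
solr_firewall_rules "$SOLR_PORT" 10.0.1.10 10.0.1.0/24
```

Loading the output with `nft -f` on the Solr host means that reaching the Admin UI or the update handlers requires coming from an allow-listed address, regardless of whether authentication is configured. Recent Solr releases additionally let you bind Jetty to a specific interface via SOLR_JETTY_HOST in bin/solr.in.sh (Solr 9 defaults it to loopback); that is a complement to the host firewall, not a replacement for it.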
...