Details
- Type: Bug
- Status: Open
- Priority: Major
- Resolution: Unresolved
Description
AMBARI-22273 addresses this for Ambari Infra Solr. Ranger should do its best to protect users from using a config that could be an issue. Solr 5.5.5, 6.6.2, and 7.1.0 all fix the below issues.
A fix for Ranger would be to set the following in solrconfig.xml. Another could be to make sure that the documentation for Ranger -> Solr ensures that recommended versions are used.
<queryParser name="xmlparser" class="solr.ExtendedDismaxQParserPlugin" />
From https://lucene.apache.org/solr/news.html
- Fix for a 0-day exploit (CVE-2017-12629), details: https://s.apache.org/FJDl. RunExecutableListener has been disabled by default (can be enabled by -Dsolr.enableRunExecutableListener=true) and resolving external entities in the XML query parser (defType=xmlparser or {!xmlparser ... }) is disabled by default.
- Fix for CVE-2017-7660: Security Vulnerability in secure inter-node communication in Apache Solr, details: https://s.apache.org/APTY
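An added example, not part of the original issue and not Ranger or Solr project code: a small audit that checks a solrconfig.xml for the xmlparser override proposed above and for a configured RunExecutableListener, given the Solr version in use. The function names and both sample configs are constructed for illustration, and the handling of major versions outside 5 to 7 is an assumption.

```python
import xml.etree.ElementTree as ET

# First fixed release per major line, as listed in the issue description.
FIXED = {5: (5, 5, 5), 6: (6, 6, 2), 7: (7, 1, 0)}
SAFE_OVERRIDE = "solr.ExtendedDismaxQParserPlugin"

# Constructed sample configs (not taken from a real deployment).
WEAK_CONFIG = """<config>
  <updateHandler class="solr.DirectUpdateHandler2">
    <listener event="postCommit" class="solr.RunExecutableListener"/>
  </updateHandler>
</config>"""
HARDENED_CONFIG = """<config>
  <updateHandler class="solr.DirectUpdateHandler2"/>
  <queryParser name="xmlparser" class="solr.ExtendedDismaxQParserPlugin" />
</config>"""


def version_is_fixed(version):
    """True if version is at or past the fixed release of its major line."""
    parts = tuple(int(p) for p in version.split(".")[:3])
    parts += (0,) * (3 - len(parts))
    if parts[0] in FIXED:
        return parts >= FIXED[parts[0]]
    # Assumption: majors after 7 carry the fix; majors before 5 never got it.
    return parts[0] > 7


def audit_solrconfig(xml_text, solr_version):
    """Return a list of findings; an empty list means nothing was flagged."""
    root = ET.fromstring(xml_text)
    findings = []
    # Classes registered under the name "xmlparser", if any.
    registered = [qp.get("class") for qp in root.iter("queryParser")
                  if qp.get("name") == "xmlparser"]
    if not version_is_fixed(solr_version) and registered != [SAFE_OVERRIDE]:
        findings.append("xmlparser is not overridden and Solr %s predates "
                        "the fixed releases" % solr_version)
    for listener in root.iter("listener"):
        if (listener.get("class") or "").endswith("RunExecutableListener"):
            findings.append("RunExecutableListener is configured for event %r"
                            % listener.get("event"))
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_solrconfig(cfg, "6.6.0") or "no findings")
```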
Issue Links
- relates to AMBARI-22273 Disable xmlparser and configEdit API in Infra Solr by default (Resolved)