
Disable remote streaming by default using sysprop


Details

    • Type: Bug
    • Status: Resolved
    • Priority: Critical
    • Resolution: Duplicate

    Description

      Remote streaming is a vulnerability in Solr that allows a user to make Solr talk to arbitrary HTTP servers. It is disabled by default, but easily enabled using the Config API. This issue is to disable it more properly, at the node level, and to add an additional system property per node to disable it by default. To continue using this feature, pass -Denable.remote.streams=true at startup, and then enable it on a per-collection/configset basis as needed.

      As per Skay's report https://twitter.com/Skay_00/status/1646870062601756672, remote code execution is possible in unsecured Solr clusters where authentication hasn't been enabled. This ticket is to mitigate one aspect of that, i.e. remote streaming. While our recommendation to all users remains the same, i.e. to secure Solr installations with authentication and authorization, I thank Skay for his detailed report.
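      An added audit helper, not code from the Solr project or from this ticket, that models the two-level switch the description sets out: a collection can only use remote streaming if the node was started with the new system property and the collection's own config enables it. The Config API path (/solr/<collection>/config/requestDispatcher) and the requestParsers.enableRemoteStreaming key are assumptions about the Config API response shape, and the sample response is constructed.

```python
"""Audit helper for the Solr remote-streaming setting (added example).

Assumes the Config API shape for GET /solr/<collection>/config/requestDispatcher,
where requestParsers.enableRemoteStreaming is the per-collection switch, and the
node-level system property enable.remote.streams named in the ticket.
"""
import json
from typing import Dict, List

# Constructed sample of a Config API response for one collection that has
# remote streaming switched on (the risky state this ticket is about).
SAMPLE_CONFIG_RESPONSE = json.dumps({
    "responseHeader": {"status": 0, "QTime": 1},
    "config": {
        "requestDispatcher": {
            "handleSelect": False,
            "requestParsers": {
                "enableRemoteStreaming": True,
                "enableStreamBody": False,
                "multipartUploadLimitInKB": 2048000,
            },
        }
    },
})


def remote_streaming_enabled(config_response_json: str) -> bool:
    """True if the Config API response shows remote streaming enabled.
    Missing keys count as disabled, matching the default described in the ticket."""
    doc = json.loads(config_response_json)
    parsers = (doc.get("config", {})
                  .get("requestDispatcher", {})
                  .get("requestParsers", {}))
    return bool(parsers.get("enableRemoteStreaming", False))


def disable_remote_streaming_command() -> dict:
    """Body of the Config API POST that switches remote streaming off again."""
    return {"set-property": {
        "requestDispatcher.requestParsers.enableRemoteStreaming": False}}


def node_allows_remote_streams(jvm_args: List[str]) -> bool:
    """True only if startup arguments opt the node in via the ticket's sysprop."""
    return "-Denable.remote.streams=true" in jvm_args


def audit(jvm_args: List[str], collection_configs: Dict[str, str]) -> List[str]:
    """Names of collections that can actually use remote streaming: the node
    must opt in AND the collection config must enable it."""
    if not node_allows_remote_streams(jvm_args):
        return []
    return [name for name, body in collection_configs.items()
            if remote_streaming_enabled(body)]
```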

      Attachments

        1. SOLR-16776.patch
          5 kB
          Ishan Chattopadhyaya


      People

        dsmiley (David Smiley)
        ichattopadhyaya (Ishan Chattopadhyaya)
        Votes: 0
        Watchers: 2

      Time Tracking

        Original Estimate: Not Specified
        Remaining Estimate: 0h
        Time Spent: 50m