Description
When the configset API is used to upload configsets by unauthenticated users, a "trusted: false" flag is set on the configset. Such configsets cannot use the <lib> directive to load classes while creating/loading collections. Details here: https://solr.apache.org/guide/8_10/configsets-api.html#configsets-upload
Unfortunately, this safety mechanism was bypassed in the schema designer, where isConfigsetTrusted was hardcoded to true. https://github.com/apache/solr/blob/branch_9_1/solr/core/src/java/org/apache/solr/handler/designer/SchemaDesignerConfigSetHelper.java#L697
As per Skay's report (https://twitter.com/Skay_00/status/1646870062601756672), remote code execution is possible in unsecured Solr clusters where authentication hasn't been enabled. This ticket is to mitigate one aspect of that, i.e. the schema designer vulnerability. While our recommendation to all users remains the same, i.e. to secure Solr installations with authentication and authorization, I thank Skay for his detailed report.
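An audit check for the condition described above, added here as an example and not taken from the Solr code base: it reports configsets that are not marked trusted yet carry a <lib> directive in solrconfig.xml, which are the ones a hardcoded trust value would let load classes. It assumes the trust flag is available as a small JSON object and that the metadata and solrconfig.xml have already been fetched; the function names and sample data are hypothetical.

```python
import json
import xml.etree.ElementTree as ET

def is_trusted(metadata: bytes) -> bool:
    """Read the "trusted" flag; missing or malformed metadata counts as
    untrusted (a fail-closed choice made for this audit)."""
    try:
        meta = json.loads(metadata or b"{}")
    except ValueError:
        return False
    return isinstance(meta, dict) and meta.get("trusted") is True

def lib_directives(solrconfig_xml: str) -> list:
    """Attributes of every <lib> element at any depth of the document."""
    root = ET.fromstring(solrconfig_xml)
    return [dict(el.attrib) for el in root.iter("lib")]

def audit(configsets: dict) -> list:
    """Return (name, reason, detail) for each configset needing review."""
    findings = []
    for name, (metadata, xml_text) in sorted(configsets.items()):
        if is_trusted(metadata):
            continue
        try:
            libs = lib_directives(xml_text)
        except ET.ParseError as exc:
            findings.append((name, "unparseable solrconfig.xml", str(exc)))
            continue
        for attrs in libs:
            findings.append((name, "<lib> in untrusted configset", attrs))
    return findings

# Constructed sample data: names, paths and metadata are illustrative only.
LIB = '<config><lib dir="/opt/ext" regex=".*\\.jar"/><luceneMatchVersion>9.1</luceneMatchVersion></config>'
SAMPLE = {
    "ops_managed": (b'{"trusted": true}', LIB),
    "uploaded_anon": (b'{"trusted": false}', LIB),
    "no_metadata": (b"", '<config><lib path="/tmp/x.jar"/></config>'),
    "plain": (b'{"trusted": false}', "<config/>"),
    "broken": (b'{"trusted": false}', "<config><lib"),
}

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```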