
Comment out /stream handler from sample solrconfig.xml's for security reasons

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 5.1, 5.2, 5.2.1, 5.3, 5.3.1
    • Fix Version/s: 5.4
    • Component/s: None
    • Labels: None

      Description

      Solr has Apache commons-collections in its classpath.

      • This makes it vulnerable to this security issue: https://issues.apache.org/jira/browse/COLLECTIONS-580.
      • The /stream handler uses Java serialization for RPC since Solr 5.1.

      These two combined leave a security hole in Solr that allows arbitrary code to be executed on the server.

      This ticket will comment out the /stream handler from the sample solrconfig.xml files and add a warning to explain the vulnerability.
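      The following solrconfig.xml excerpt is an added illustration of the mitigation described in the ticket; it is not the committed patch. It assumes the handler is registered as `solr.StreamHandler` with the `wt`/`distrib` invariants that the Solr 5.x sample configs use, and the warning text is constructed for this example.

      ```xml
      <!-- Excerpt of a sample solrconfig.xml (constructed illustration, not the committed patch). -->
      <config>
        <!--
          WARNING: The /stream handler accepts Java-serialized objects over HTTP.
          With commons-collections on the classpath (COLLECTIONS-580) this lets any
          client that can reach the endpoint execute arbitrary code on the server.
          It is therefore commented out. Only re-enable it on a network where every
          client that can reach Solr is fully trusted. See SOLR-8262.
        -->
        <!--
        <requestHandler name="/stream" class="solr.StreamHandler">
          <lst name="invariants">
            <str name="wt">json</str>
            <str name="distrib">false</str>
          </lst>
        </requestHandler>
        -->
      </config>
      ```

      After reloading the core or restarting Solr, a request to `/solr/<collection>/stream` should no longer be served by the stream handler. Because Solr has no authentication on this endpoint by default, commenting the handler out is the only change that removes the deserialization entry point; network restrictions alone still leave it reachable from any host that can talk to Solr.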

              People

              • Assignee: Joel Bernstein (joel.bernstein)
              • Reporter: Joel Bernstein (joel.bernstein)
              • Votes: 0
              • Watchers: 9
