SOLR-8262: Comment out /stream handler from sample solrconfig.xml's for security reasons

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 5.1, 5.2, 5.2.1, 5.3, 5.3.1
    • Fix Version/s: 5.4
    • Component/s: None
    • Labels: None

      Description

      Solr has Apache commons-collections in its classpath.

      • This makes it vulnerable to this security issue: https://issues.apache.org/jira/browse/COLLECTIONS-580.
      • The /stream handler uses Java serialization for RPC since Solr 5.1.

      These two combined leave a security hole in Solr that allows arbitrary code to be executed on the server.

      This ticket will comment out the /stream handler from the sample solrconfig.xml's and add a warning to explain the vulnerability.
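As an added example (not code from the Solr project or from this ticket), the following Python audit checks a solrconfig.xml for the condition this ticket fixes: a live requestHandler mapped to the Streaming API class. It also flags enableRemoteStreaming="true", the switch behind the stream.body/stream.url APIs that the comments below compare this to. Both sample configs are constructed here and only modeled on the Solr 5.x sample solrconfig.xml; the handler class name solr.StreamHandler and the requestParsers attribute name are assumptions taken from that sample, not something this ticket states.

```python
"""Audit a solrconfig.xml for the /stream handler that SOLR-8262 comments out.

Added example, not Solr project code. Parsing with xml.etree drops XML comments,
so a handler that has been commented out (the SOLR-8262 fix) disappears from
the tree and is correctly reported as disabled.
"""
import xml.etree.ElementTree as ET
from typing import List

# Class names assumed from the Solr 5.x sample config; short and fully qualified forms.
STREAM_HANDLER_CLASSES = {"solr.StreamHandler", "org.apache.solr.handler.StreamHandler"}

# Constructed sample (not a real shipped file): the /stream handler is live and
# remote streaming is on, i.e. the state this ticket warns about.
VULNERABLE_CONFIG = """<config>
  <requestHandler name="/select" class="solr.SearchHandler"/>
  <requestHandler name="/stream" class="solr.StreamHandler">
    <lst name="invariants">
      <str name="wt">json</str>
      <str name="distrib">false</str>
    </lst>
  </requestHandler>
  <requestDispatcher handleSelect="false">
    <requestParsers enableRemoteStreaming="true" multipartUploadLimitInKB="2048000"/>
  </requestDispatcher>
</config>
"""

# The same constructed sample after the SOLR-8262 change: handler wrapped in an
# XML comment with a warning, and remote streaming switched off as well.
HARDENED_CONFIG = """<config>
  <requestHandler name="/select" class="solr.SearchHandler"/>
  <!-- SOLR-8262: /stream uses Java serialization for RPC and commons-collections
       is on the classpath (COLLECTIONS-580), which allows remote code execution.
       Keep this handler disabled until the Streaming API no longer deserializes.
  <requestHandler name="/stream" class="solr.StreamHandler">
    <lst name="invariants">
      <str name="wt">json</str>
      <str name="distrib">false</str>
    </lst>
  </requestHandler>
  -->
  <requestDispatcher handleSelect="false">
    <requestParsers enableRemoteStreaming="false" multipartUploadLimitInKB="2048000"/>
  </requestDispatcher>
</config>
"""


def audit_solrconfig(xml_text: str) -> List[str]:
    """Return one finding string per problem; an empty list means nothing was flagged."""
    root = ET.fromstring(xml_text)  # comments are not kept, so disabled handlers vanish
    findings: List[str] = []

    # Any requestHandler still bound to the Streaming API class is a live
    # Java-serialization RPC endpoint (the SOLR-8262 condition).
    for handler in root.iter("requestHandler"):
        cls = handler.get("class", "")
        if cls in STREAM_HANDLER_CLASSES:
            findings.append(
                f"live {cls} at {handler.get('name')}: "
                "Java-serialization RPC endpoint (SOLR-8262)"
            )

    # Remote streaming (stream.body / stream.url) lets clients feed the server
    # content from arbitrary locations; flag it when explicitly enabled.
    for parsers in root.iter("requestParsers"):
        if parsers.get("enableRemoteStreaming", "false").lower() == "true":
            findings.append(
                "enableRemoteStreaming=true: stream.body/stream.url accepted from remote clients"
            )
    return findings


if __name__ == "__main__":
    for label, cfg in (("vulnerable", VULNERABLE_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{label}: {audit_solrconfig(cfg) or ['no findings']}")
```

Run it against a real solrconfig.xml by reading the file into audit_solrconfig. Note that the audit only tells you whether the handler is wired up, not whether the underlying deserialization has been removed; once a release carrying SOLR-8266 re-enables the handler, a finding here is no longer a problem by itself, so tie the check to the Solr version in use.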

          Activity

          Uwe Schindler added a comment -

          +1 please disable this like the remote input streaming apis (stream.body, stream.url & Co.)

          Joel Bernstein added a comment - (edited)

          The next step is to remove Java serialization from the Streaming API entirely.

          The Streaming API will use only the Streaming Expression language for RPC going forward.

          ASF subversion and git services added a comment -

          Commit 1713530 from Joel Bernstein in branch 'dev/trunk'
          [ https://svn.apache.org/r1713530 ]

          SOLR-8262: Comment out /stream handler from sample solrconfig.xml's for security reasons

          ASF subversion and git services added a comment -

          Commit 1713547 from Joel Bernstein in branch 'dev/branches/branch_5x'
          [ https://svn.apache.org/r1713547 ]

          SOLR-8262: Comment out /stream handler from sample solrconfig.xml's for security reasons

          Jason Gerlowski added a comment -

          For the sake of history:

          This JIRA was resolved by the commits mentioned in the comments above.

          The underlying security issue was then fixed, and the stream handlers were uncommented in SOLR-8266.

          Mark Miller added a comment -

          Joel Bernstein, this is a pretty important issue, could you self assign and add the correct fix versions?

          Joel Bernstein added a comment -

          sure


            People

            • Assignee: Joel Bernstein
            • Reporter: Joel Bernstein
            • Votes: 0
            • Watchers: 8
