Solr / SOLR-8262

Comment out /stream handler from sample solrconfig.xml's for security reasons


Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 5.1, 5.2, 5.2.1, 5.3, 5.3.1
    • Fix Version/s: 5.4
    • Component/s: None
    • Labels: None

    Description

      Solr has Apache commons-collections on its classpath.

      • This makes it vulnerable to the security issue described in https://issues.apache.org/jira/browse/COLLECTIONS-580.
      • The /stream handler has used Java serialization for RPC since Solr 5.1.

      Combined, these two facts leave a security hole in Solr that allows arbitrary code to be executed on the server: a serialized payload sent to the /stream handler is deserialized with the vulnerable commons-collections classes available.

      This ticket will comment out the /stream handler from the sample solrconfig.xml files and add a warning that explains the vulnerability.
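      The change the ticket describes, shown as an added illustration rather than a copy of the project's own sample solrconfig.xml: the handler registration as the sample configs shipped it, beside the commented-out form with a warning. The handler class name `solr.StreamHandler` and the `invariants` block are assumptions about what the registration looked like; only the handler path (/stream) and the reasoning in the warning come from this ticket.

```xml
<!-- Before: the sample solrconfig.xml registers the streaming handler, so
     /stream is live on every instance started from the sample config.
     The class name and invariants below are assumed for illustration. -->
<requestHandler name="/stream" class="solr.StreamHandler">
  <lst name="invariants">
    <str name="wt">json</str>
    <str name="distrib">false</str>
  </lst>
</requestHandler>

<!-- After (what this ticket proposes): the registration is wrapped in a
     comment with a warning, so the handler is off unless someone
     deliberately re-enables it. -->
<!--
  WARNING: the /stream handler uses Java serialization for RPC. Because
  commons-collections is on Solr's classpath (see COLLECTIONS-580), a
  crafted serialized object sent to this handler can execute arbitrary
  code on the server. Only re-enable it on Solr instances that untrusted
  clients cannot reach.

<requestHandler name="/stream" class="solr.StreamHandler">
  <lst name="invariants">
    <str name="wt">json</str>
    <str name="distrib">false</str>
  </lst>
</requestHandler>
-->
```

      Note that an XML comment cannot contain a double hyphen, so the warning text inside the wrapping comment must avoid "--"; otherwise the file fails to parse and the core will not load. After the change, requests to a collection's /stream path are no longer routed to the handler, which is the state to verify on any instance built from the sample configs.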


          People

            Assignee: Joel Bernstein (jbernste)
            Reporter: Joel Bernstein (jbernste)
            Votes: 0
            Watchers: 9
