[SOLR-8262] Comment out /stream handler from sample solrconfig.xml's for security reasons - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Closed
Priority: Major
Resolution: Fixed
Affects Version/s: 5.1, 5.2, 5.2.1, 5.3, 5.3.1
Fix Version/s: 5.4
Component/s: None
Labels:
None

Description

Solr has apache commons-collections in it's classpath.

*This makes it vulnerable to this security issue https://issues.apache.org/jira/browse/COLLECTIONS-580.
*The /stream handler uses Java serialization for RPC since Solr 5.1.

These two combined leave a security hole in Solr that allows arbitrary code to be executed on the server.

This ticket will comment out the /stream handler from the sample solrconfig.xml's and add a warning to explain the vulnerability.

Attachments

Issue Links

relates to

SOLR-8266 Remove Java Serialization from the Streaming API

Closed

Activity

People

Assignee:: Joel Bernstein

Reporter:: Joel Bernstein

Votes:: 0 Vote for this issue

Watchers:: 8 Start watching this issue

Dates

Created:: 09/Nov/15 17:45

Updated:: 08/Oct/19 14:51

Resolved:: 04/Feb/16 17:41