Differences between revisions 4 and 5
Revision 4 as of 2014-04-21 13:37:32
Size: 1268
Editor: ShawnHeisey
Comment: added information suggested by Uwe Schindler and did a little housekeeping.
Revision 5 as of 2014-04-21 13:46:22
Size: 1521
Editor: ShawnHeisey
Comment: further refinement.

General and well-known vulnerabilities

Because Solr is a Java application that runs inside a servlet container, most of the network-facing code where security bugs have historically appeared (TLS, HTTP parsing, connection handling) belongs to the JVM and the container rather than to Solr. It is therefore rare for a security vulnerability to be found in Solr itself. When one is reported, it is almost always in the JVM (Java virtual machine) or the servlet container, so keep both of them patched and watch their security announcements as well as Solr's.

Heartbleed

(./) Solr is not directly vulnerable to Heartbleed (CVE-2014-0160), a memory-disclosure bug in the TLS heartbeat handling of specific versions of OpenSSL (1.0.1 through 1.0.1f and 1.0.2-beta1; fixed in 1.0.1g).

Solr itself contains no SSL/TLS code. It relies on whatever TLS implementation the servlet container provides, which for a standard Java container is the JVM's own pure-Java stack (JSSE), not OpenSSL. Whether the overall installation is vulnerable therefore depends on the surrounding stack. To be vulnerable, all of the following must be true:

1) The servlet container that runs Solr has SSL enabled. An installation that only listens on plain HTTP has no TLS code path for the bug to reach.

2) The component that actually terminates TLS, whether that is the JVM, the servlet container, or something placed in front of it, uses a vulnerable version of OpenSSL.

(./) If an installation uses the official Oracle JRE or JDK as the Java virtual machine and Jetty or Tomcat with their standard Java connectors as the servlet container, it is NOT vulnerable: those connectors use JSSE, a pure-Java TLS implementation that never links OpenSSL. The servlet container included in the Solr download is a stripped-down version of Jetty configured this way. One exception to check: Tomcat's optional APR/native connector (libtcnative) implements SSL with OpenSSL, so a Tomcat installation using that connector is vulnerable if the OpenSSL it was built against or loads at runtime is in the affected range.

/!\ A vulnerability in other Java virtual machines and servlet containers is unlikely, because they too normally provide TLS through a pure-Java stack rather than OpenSSL, but please check with the software vendor to be sure.

/!\ If SSL for Solr is terminated by other software or hardware (HTTP reverse proxies and load balancers in particular, such as nginx, HAProxy, Apache httpd with mod_ssl, or stunnel), that component may be using a vulnerable version of OpenSSL even though Solr and its container are unaffected. Check with the vendor, or check the OpenSSL version the component is linked against, to be sure.
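As an added worked check (example code written for this page, not part of Solr, Jetty or the Solr wiki), the rule above and the two caveats that follow it turned into a small Python script. It parses an `openssl version` banner against the affected range, applies a heuristic check of a Jetty XML connector config for an SSL connector, and combines the answers into a verdict. The Jetty configs and OpenSSL banners are constructed samples; the "Ssl"-in-class-name heuristic and the `assess` function are assumptions made for illustration, and the distribution-backport caveat in `openssl_version_affected` is the reason a banner alone is not a final answer.

```python
import re
import xml.etree.ElementTree as ET

# Heartbleed (CVE-2014-0160) is present in OpenSSL 1.0.1 through 1.0.1f and in
# 1.0.2-beta1; 1.0.1g fixed it.  The 0.9.8 and 1.0.0 branches never contained the
# TLS heartbeat extension, so they are not affected.
_OPENSSL_BANNER = re.compile(
    r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-beta(\d+))?", re.IGNORECASE
)


def parse_openssl_version(banner):
    """Parse the first line of `openssl version`, e.g. 'OpenSSL 1.0.1e 11 Feb 2013'.

    Returns (major, minor, patch, letter, beta), or None if the banner is not
    OpenSSL's (LibreSSL forked after the fix and prints its own name).
    """
    m = _OPENSSL_BANNER.search(banner)
    if m is None:
        return None
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    letter = m.group(4).lower()
    beta = int(m.group(5)) if m.group(5) else None
    return (major, minor, patch, letter, beta)


def openssl_version_affected(banner):
    """True if the banner names an OpenSSL release that shipped the Heartbleed bug.

    Caveat: distributions backport fixes without bumping the upstream version, so a
    patched Debian/Ubuntu/RHEL build can still print 1.0.1e.  On such systems confirm
    the fix from the package changelog, not from this banner alone.
    """
    v = parse_openssl_version(banner)
    if v is None:
        raise ValueError("not an OpenSSL version banner: %r" % banner)
    major, minor, patch, letter, beta = v
    if (major, minor, patch) == (1, 0, 1):
        return letter <= "f"   # "" (plain 1.0.1) and "a".."f" affected; "g" and later fixed
    if (major, minor, patch) == (1, 0, 2):
        return beta == 1       # only the 1.0.2-beta1 pre-release carried the bug
    return False


def jetty_config_enables_ssl(jetty_xml):
    """Heuristic check of a Jetty XML config such as etc/jetty.xml in the Solr download.

    Jetty enables TLS by instantiating an SSL connector or an SslContextFactory, and
    every such class name contains 'Ssl' (SslSelectChannelConnector in Jetty 7/8,
    SslConnectionFactory / SslContextFactory in Jetty 9).  A plain-HTTP config has none.
    This is an assumption-based heuristic, not an official Jetty API.
    """
    root = ET.fromstring(jetty_xml)
    return any("Ssl" in (elem.get("class") or "") for elem in root.iter())


def assess(tls_terminator, openssl_banner=None):
    """Apply the page's rule: vulnerable only if TLS is enabled AND the component
    that terminates it is a vulnerable OpenSSL.

    tls_terminator: "none"    - nothing speaks TLS in front of Solr
                    "jsse"    - the JVM's pure-Java TLS (Oracle JRE with the standard
                                Jetty/Tomcat connectors); never links OpenSSL
                    "openssl" - an OpenSSL-based component: Tomcat's APR/native
                                connector, or a reverse proxy / load balancer
    Returns (verdict, reason), verdict in {"not_vulnerable", "vulnerable", "unknown"}.
    """
    if tls_terminator == "none":
        return ("not_vulnerable", "no SSL enabled anywhere in the request path")
    if tls_terminator == "jsse":
        return ("not_vulnerable", "pure-Java TLS (JSSE) does not use OpenSSL")
    if tls_terminator != "openssl":
        raise ValueError("unknown TLS terminator: %r" % tls_terminator)
    if openssl_banner is None:
        return ("unknown", "OpenSSL-based terminator; get its OpenSSL version from the vendor")
    if openssl_version_affected(openssl_banner):
        return ("vulnerable", "TLS terminated by affected OpenSSL: %s" % openssl_banner.strip())
    return ("not_vulnerable", "OpenSSL release is not in the affected range")


# Constructed sample inputs (not taken from any real deployment).
SAMPLE_JETTY_SSL_XML = """<Configure id="Server" class="org.eclipse.jetty.server.Server">
  <Call name="addConnector"><Arg>
    <New class="org.eclipse.jetty.server.ssl.SslSelectChannelConnector">
      <Arg><New class="org.eclipse.jetty.util.ssl.SslContextFactory">
        <Set name="KeyStore">etc/keystore</Set></New></Arg>
      <Set name="port">8443</Set>
    </New>
  </Arg></Call>
</Configure>"""

SAMPLE_JETTY_PLAIN_XML = """<Configure id="Server" class="org.eclipse.jetty.server.Server">
  <Call name="addConnector"><Arg>
    <New class="org.eclipse.jetty.server.nio.SelectChannelConnector">
      <Set name="port">8983</Set></New>
  </Arg></Call>
</Configure>"""

if __name__ == "__main__":
    for banner in ("OpenSSL 1.0.1e 11 Feb 2013", "OpenSSL 1.0.1g 7 Apr 2014",
                   "OpenSSL 1.0.2-beta1 24 Feb 2014", "OpenSSL 0.9.8y 5 Feb 2013"):
        print("%-32s affected=%s" % (banner, openssl_version_affected(banner)))
    print("ssl jetty.xml:", jetty_config_enables_ssl(SAMPLE_JETTY_SSL_XML))
    print("plain jetty.xml:", jetty_config_enables_ssl(SAMPLE_JETTY_PLAIN_XML))
    print(assess("jsse"))
    print(assess("openssl", "OpenSSL 1.0.1e 11 Feb 2013"))
```

Run it against the real `openssl version` output of the host that terminates TLS (the Tomcat native library's host, or the proxy box), not the Solr host, when those differ; the Jetty check only tells you whether the bundled container itself speaks TLS.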

Vulnerabilities specific to Solr

This section has no available information at this time.

SolrVulnerabilities (last edited 2014-04-21 13:46:22 by ShawnHeisey)