...
The authoritative guide on implementing security is in the Solr Reference Guide. This page describes security features in general, but also provides information about CVEs that have been patched or dependencies which do not require a patch for Solr.
| Table of Contents |
|---|
Reported vulnerabilities (CVEs) are listed on the security news section on Solr's website.
Known false positives, which used to be listed on this wiki page, are also now listed on the Security web page.
| Table of Contents |
|---|
...
| Warning |
|---|
If you believe you have discovered a vulnerability in Lucene or Solr, please follow these ASF guidelines for reporting it. |
For each CVE listed below, please be sure to read the mailing list announcement for full details and mitigation steps.
...
Jira issue: SOLR-13647
...
1.3.0-1.4.1
3.1.0-3.6.2
4.0.0-4.10.4
...
Can only be mitigated with Solr upgrade.
...
Jira issue: SOLR-13750
...
Can be mitigated with either a Solr upgrade or a configuration change.
...
Jira issue: SOLR-13669
...
. |
...
6.0.0-6.6.5
...
Jira issue: SOLR-13301
...
Jira issue: SOLR-12770
...
1.2-6.6.2
7.0.0-7.2.1
...
Jira issue: SOLR-11971
...
1.2-6.6.1
7.0
...
This vulnerability is with Apache Tika versions earlier than 1.14.
A Tika dependency update was released in Solr 6.6.2 and Solr 7.1.
Can only be mitigated with Solr upgrade.
...
5.5.0-5.5.4
6.0.0-6.6.1
7.0.0-7.0.1
...
Jira issues: SOLR-11482 and SOLR-11477
...
Jira issue: SOLR-11184
...
5.3.0-5.5.4
6.0.0-6.5.1
...
Jira issue: SOLR-10624
...
Jira issue: SOLR-10031
Current state of affairs
- SSL support was added in version 4.2 (SolrCloud v4.7).
- Protection of Zookeeper content through ACLs was added in version 5.0
- Authentication and Authorization plugin support was added in 5.2 (SolrCloud only).
- Several bugs in this support were fixed in 5.3, so it's strongly recommended to use 5.3 or later if this feature is desired. The general recommendation is to always use the latest released version.
- Basic Auth & Kerberos plugins and Rule-based Authorization plugin was added in 5.3
There is (as of 5.3) no role-based restrictions on the Admin UI, so be aware that anyone with access to Admin UI will be able to do anything with your system.
Need for firewall
Even though you add SSL or Authentication plugins, it is still strongly recommended that the application server containing Solr be firewalled such the only clients with access to Solr are your own. A default/example installation of Solr allows any client with access to it to add, update, and delete documents (and of course search/read too), including access to the Solr configuration and schema files and the administrative user interface.
If there is a need to provide query access to a Solr server from the open internet, it is highly recommended to use a proxy, such as one of these.
Cross-Site
...
Solr has no known cross-site scripting vulnerabilities.
Quick XSS tip:
Problem: What if you want the browser to highlight text, but you also want to protect yourself from XSS and escape the HTML output? Solution: One solution is to escape the HTML output and then reapply the em tags. Now the rest of the snippet is safe and the browser will recognize the highlighted text.
For example, with groovy/grails you could have the following in your controller:
| No Format |
|---|
snippet = snippet.encodeAsHTML()
snippet = snippet.replaceAll('<em>', '<em>')
snippet = snippet.replaceAll('</em>', </em>)
|
Cross-Site Request Forgery (CSRF)
Even if a Solr instance is protected by good firewalls so that "bad guys" have no direct access, that instance may be at risk to potential "Cross-Site Request Forgery" based attacks if the following are all true:
...
A basic technique that can be used to mitigate the risk of a possible CSRF attack like this is to configure your Servlet Container so that access to paths which can modify the index (ie: /update, /update/csv, etc...) are restricted either to specific client IPs, or using HTTP Authentication.
Document Level Security
Manifold CF (Connector Framework)
One way to add document level security to your search is through Apache ManifoldCF. ManifoldCF "defines a security model for target repositories that permits them to enforce source-repository security policies".
It works by adding security tokens from the source repositories as metadata on the indexed documents. Then, at query time, a Search Component adds a filter to all queries, matching only documents the logged-in user is allowed to see. ManifoldCF supports AD security out of the box.
Write Your Own RequestHandler or SearchComponent
*Stub - this is incomplete*
If ManifoldCF does not solve your need, first consider writing a ManifoldCF plugin. Or roll your own.
If you need permission based authentication – where user A can update document 1 and 2, but not 3 – you will need to augment the request with user information. Either you can add parameters to the query string (?u=XXX&p=YYY) or use a custom dispatcher filter that augments the context:
...
...
public class CustomDispatchFilter extends SolrDispatchFilter
{
@Override
protected void execute( HttpServletRequest req, SolrRequestHandler handler, SolrQueryRequest sreq, SolrQueryResponse rsp)
{
// perhaps the whole request
sreq.getContext().put( "HttpServletRequest", req );
// or maybe just the user
sreq.getContext().put( "user", req.getRemoteUser());
core.execute( handler, sreq, rsp );
}
}
public class AuthenticatingHandler extends RequestHandlerBase
{
@Override
public void handleRequestBody(SolrQueryRequest req, SolrQueryResponse rsp) throws Exception {
HttpServletRequest httpreq = (HttpServletRequest)
req.getContext().get( "HttpServletRequest" );
if( httpreq.isUserInRole( "editor" ) ) {
...
}
String user = (String)req.getContext().get( "user" );
...
}
...
}
Streaming Consideration
If streaming is enabled, you need to make sure Solr is as secure as it needs to be. When streaming is enabled, the parameters "stream.url" will go to a remote site and download the content. Likewise, "stream.file" will read a file on disk.
Streaming is disabled by default and is configured from solrconfig.xml
| No Format |
|---|
<requestParsers enableRemoteStreaming="false" ... />
|
...
Solr includes many dependencies which may trigger warnings from a vulnerability scan but which the Lucene/ Solr community has determined that they are false positives. As a general rule, the Lucene Solr PMC will not accept the output of a vulnerability scan as a security report.
The following table lists the dependencies and associated CVEs which are not considered problems for Lucene or Solr.
...
Solr Versions
...
Jar or Path
...
Related CVEs
...
Date Added
...
Status & Notes
...
5.4.0-today
...
carrot2-guava-18.0.jar
...
2018-10237
...
31 Dec 2018
...
Only used with the Carrot2 clustering engine.
...
.
...
...
commons-beanutils-1.8.3.jar
...
2014-0114
...
6 Jun 2018
...
See
...
4.6.0-today
...
commons-compress (only as part of Ant 1.8.2)
...
2012-2098, 2018-1324, 2018-11771
...
31 Dec 2018
...
Only used in test framework and at build time.
...
4.6.0-today
...
derby-10.9.1.0.jar
...
3 Nov 2018
...
Used only in DataImportHandler tests and example implementation, which should not be used in production.
...
4.6.0-today
...
dom4j-1.6.1.jar
...
2018-1000632
...
31 Dec 2018
...
Only used in Solr tests.
...
4.6.0-today
...
guava-14.0.1.jar
...
2018-10237
...
31 Dec 2018
...
??
...
6.6.1-7.6.0
...
hadoop-auth-2.7.4.jar, hadoop-hdfs-2.7.4.jar (all Hadoop)
...
...
6 Jun 2018
...
Does not impact Solr because Solr uses Hadoop as a client library.
...
6.0.0-7.5.0
...
icu4j-56.1.jar, icu4j-59.1.jar
...
2017-14952
...
6 Jun 2018
...
Issue applies only to the C++ release of ICU and not ICU4J, which is what Lucene uses. ICU4J is at v63.2 as of Lucene/Solr 7.6.0
...
4.7.0-today
...
jackson-databind-*.jar (versions prior to 2.10.0)
...
2017-15095, 2017-17485, 2017-7525, 2018-5968, 2018-7489, 2019-12086, 2019-12384, 2018-12814, 2019-14379, 2019-14439
2019-14540, 2019-16335
...
6 Jun 2018
...
Two CVEs, 14540 & 16335, are related to HikariConfig and HikariDataSource classes, neither of which are used in Solr's code base.
...
4.6.0-7.6.0
...
junit-4.10.jar
...
2018-1000056
...
31 Dec 2018
...
JUnit only used in tests; CVE only refers to a Jenkins plugin not used by Solr.
...
7.3.1
...
lucene-analyzers-icu-7.3.1.jar
...
2014-7940, 2016-6293, 2016-7415, 2017-14952, 2017-17484, 2017-7867, 2017-7868
...
6 Jun 2018
...
All of these issues apply to the C++ release of ICU and not ICU4J, which is what Lucene uses.
...
5.2.0-today
...
org.restlet-2.3.0.jar
...
2017-14868, 2017-14949
...
31 Dec 2018
...
Solr should not be exposed outside a firewall where bad actors can send HTTP requests.
These two CVEs specifically involve classes (SimpleXMLProvider and XmlRepresentation, respectively) that Solr does not use in any code path.
...
6.5.0-today
...
protobuf-java-3.1.0.jar
...
...
3 Nov 2018
...
Dependency for Hadoop and Calcite. ??
...
5.4.0-today
...
simple-xml-2.7.1.jar
...
2018-1471
...
3 Jan 2019
...
Dependency of Carrot2 and used during compilation, not at runtime (see SOLR-769).
...
4.x-today
...
slf4j-api-1.7.24.jar, jcl-over-slf4j-1.7.24.jar, jul-to-slf4j-1.7.24.jar
...
2018-8088
...
6 Feb 2019
...
The reported CVE impacts org.slf4j.ext.EventData, which is not used in Solr.
...
7.3.1-7.5.0
...
tika-core.1.17.jar (and earlier)
...
2018-1335
...
6 Jun 2018
...
Solr does not run tika-server, so this is not a problem.
...
7.3.1-7.5.0
...
tika-core.1.17.jar (and earlier)
...
2018-1338, 2018-1339
...
6 Jun 2018
...
These issues would only be exploitable if untrusted files are indexed with SolrCell. This is not recommended in production systems as indicated above. Additionally, Solr upgraded to Tika 1.18 in Solr 7.4.
...
6.6.2-today
...
velocity-tools-2.0.jar contains Apache Struts 2.0.0
...
...
3 Nov 2018
...
Solr does not ship a Struts jar. This is a transitive POM listing and not included with Solr (see comment in SOLR-2849).
...
5.5.5, 6.2.0-today
...
vorbis-java-tika-0.8.jar
...
2016-6809, 2018-1335, 2018-1338, 2018-1339
...
6 Jun 2018
...
See
...
; reported CVEs are not related to OggVorbis at all.
...
~2.9-today
...
xercesImpl-2.9.1.jar
...
...
6 Jun 2018
...
the web site Security page for more details on Solr's security status. NOTE: The table that used to be on this page is now on the web site