lucene-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "David Smiley (Jira)" <>
Subject [jira] [Resolved] (SOLR-13669) [CVE-2019-0193] Remote Code Execution via DataImportHandler
Date Sat, 30 Nov 2019 05:04:00 GMT


David Smiley resolved SOLR-13669.
    Fix Version/s: 8.2.0
       Resolution: Fixed

> [CVE-2019-0193] Remote Code Execution via DataImportHandler
> -----------------------------------------------------------
>                 Key: SOLR-13669
>                 URL:
>             Project: Solr
>          Issue Type: Bug
>      Security Level: Public(Default Security Level. Issues are Public) 
>          Components: contrib - DataImportHandler
>            Reporter: Michael Stepankin
>            Assignee: David Smiley
>            Priority: Major
>             Fix For: 8.2.0, 8.1.2
> The DataImportHandler, an optional but popular module to pull in data from databases
and other sources, has a feature in which the whole DIH configuration can come from a request's
"dataConfig" parameter. The debug mode of the DIH admin screen uses this to allow convenient
debugging / development of a DIH config. Since a DIH config can contain scripts, this parameter
is a security risk. Starting with version 8.2.0 of Solr, use of this parameter requires setting
the Java System property "enable.dih.dataConfigParam" to true.
> Mitigations:
> * Upgrade to 8.2.0 or later, which is secure by default.
> * or, edit solrconfig.xml to configure all DataImportHandler usages with an "invariants"
section listing the "dataConfig" parameter set to am empty string.  
> * Ensure your network settings are configured so that only trusted traffic communicates
with Solr, especially to the DIH request handler.  This is a best practice to all of Solr.
> Credits:
> * Michael Stepankin
> References:
> *
> *

This message was sent by Atlassian Jira

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message