lucene-issues mailing list archives

From "Ishan Chattopadhyaya (Jira)" <j...@apache.org>
Subject [jira] [Created] (SOLR-13984) Solr should run inside a SecurityManager
Date Sat, 30 Nov 2019 15:50:00 GMT
Ishan Chattopadhyaya created SOLR-13984:
-------------------------------------------

             Summary: Solr should run inside a SecurityManager
                 Key: SOLR-13984
                 URL: https://issues.apache.org/jira/browse/SOLR-13984
             Project: Solr
          Issue Type: Improvement
      Security Level: Public (Default Security Level. Issues are Public)
            Reporter: Ishan Chattopadhyaya


To reduce the effect of attacks, esp. RCE, Solr should run inside a SecurityManager.

Quoting Uwe here:
{quote}
The correct way to fix all issues we have seen the last time is very simple: LET'S RUN SOLR
INSIDE A SECURITY MANAGER IN PRODUCTION (like in tests). Elasticsearch is doing this, so please
please let's do this instead. But this requires finally getting rid of the web application and
start.jar and adding our own bootstrapping (like in tests) that configures Jetty and Security
Manager from our own org.apache.solr.bootstrap.Main.java (or similar).
{quote}

https://jira.apache.org/jira/browse/SOLR-12316?focusedCommentId=16465038&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-16465038



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
