lucene-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Robert Muir (Jira)" <>
Subject [jira] [Commented] (SOLR-13978) Remove bloat from default configset
Date Mon, 02 Dec 2019 09:51:00 GMT


Robert Muir commented on SOLR-13978:

according to the email sent to users:

This vulnerability is only available to attackers if these conditions are
in place:

1. You have not disabled the Config API, or do not restrict access to the
Config API via authentication/authorization settings
2. You allow connections to Solr APIs from outside your firewall

You can mitigate this vulnerability right now by setting the system
parameter “-Ddisable.configEdit=true” and restarting Solr. If you already
have secured Solr behind a firewall and you have authentication for all
users in place, then we believe your risk of this bug is very low. If you
don’t use the Config API, we’d recommend disabling it even if you have a
firewall and authentication in place.

This is backwards: dangerous stuff shouldn't be enabled by default with the onus on the user
to disable it. Can we disable this Config API by default here too?

> Remove bloat from default configset
> -----------------------------------
>                 Key: SOLR-13978
>                 URL:
>             Project: Solr
>          Issue Type: Improvement
>      Security Level: Public(Default Security Level. Issues are Public) 
>            Reporter: Ishan Chattopadhyaya
>            Priority: Blocker
>             Fix For: 8.4
> We need to review and remove all components that are not essential for search, indexing
and other core functionality. Velocity, DIH, etc. should be reviewed.
> (Marking this as a 8.4 release blocker).

This message was sent by Atlassian Jira

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message