[ https://issues.apache.org/jira/browse/RANGER-1942?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Kevin Risden updated RANGER-1942:
---------------------------------
Description:
AMBARI-22273 addresses this for Ambari Infra Solr. Ranger should do its best to protect users
from using a config that could be an issue. Solr 5.5.5, 6.6.2, and 7.1.0 all fix the below
issues.
A fix for Ranger would be to set the following in solrconfig.xml. Another could be to make
sure that the documentation for Ranger -> Solr ensures that recommended versions are used.
{code:xml}
<queryParser name="xmlparser" class="solr.ExtendedDismaxQParserPlugin" />
{code}
From https://lucene.apache.org/solr/news.html
* Fix for a 0-day exploit (CVE-2017-12629), details: https://s.apache.org/FJDl. RunExecutableListener
has been disabled by default (can be enabled by -Dsolr.enableRunExecutableListener=true) and
resolving external entities in the XML query parser (defType=xmlparser or {!xmlparser ...
}) is disabled by default.
* Fix for CVE-2017-7660: Security Vulnerability in secure inter-node communication in Apache
Solr, details: https://s.apache.org/APTY
was:
AMBARI-22273 addresses this for Ambari Infra Solr. Ranger should do its best to protect users
from using a config that could be an issue. Solr 5.5.5, 6.6.2, and 7.1.0 all fix the below
issues. The fix for Ranger would be to set the following in solrconfig.xml.
{code:xml}
<queryParser name="xmlparser" class="solr.ExtendedDismaxQParserPlugin" />
{code}
From https://lucene.apache.org/solr/news.html
* Fix for a 0-day exploit (CVE-2017-12629), details: https://s.apache.org/FJDl. RunExecutableListener
has been disabled by default (can be enabled by -Dsolr.enableRunExecutableListener=true) and
resolving external entities in the XML query parser (defType=xmlparser or {!xmlparser ...
}) is disabled by default.
* Fix for CVE-2017-7660: Security Vulnerability in secure inter-node communication in Apache
Solr, details: https://s.apache.org/APTY
> Disable xmlparser and configEdit API in Solr for Audit setup
> ------------------------------------------------------------
>
> Key: RANGER-1942
> URL: https://issues.apache.org/jira/browse/RANGER-1942
> Project: Ranger
> Issue Type: Bug
> Components: audit
> Reporter: Kevin Risden
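An added example, not part of the issue or of Ranger's code: a Python check that a solrconfig.xml carries the `xmlparser` override proposed in the description and registers no `RunExecutableListener`. The function name `audit_solrconfig` and both sample configs are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Parser class the issue proposes registering under the name "xmlparser".
SAFE_OVERRIDE = "solr.ExtendedDismaxQParserPlugin"
RUN_EXEC = "RunExecutableListener"

# Constructed sample: config with the override from the issue description.
HARDENED = """<config>
  <queryParser name="xmlparser" class="solr.ExtendedDismaxQParserPlugin" />
  <query><listener event="firstSearcher" class="solr.QuerySenderListener"/></query>
</config>"""

# Constructed sample: no override, and a RunExecutableListener is registered.
UNHARDENED = """<config>
  <updateHandler class="solr.DirectUpdateHandler2">
    <listener event="postCommit" class="solr.RunExecutableListener"/>
  </updateHandler>
</config>"""


def audit_solrconfig(xml_text):
    """Return a list of findings for one solrconfig.xml document."""
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        # A Solr config needs no DTD; refuse it instead of handling entities.
        return ["config declares a DOCTYPE/ENTITY; not parsed"]
    root = ET.fromstring(xml_text)
    findings = []
    overrides = [qp.get("class", "") for qp in root.iter("queryParser")
                 if qp.get("name") == "xmlparser"]
    if not overrides:
        findings.append("no queryParser override for xmlparser")
    for cls in overrides:
        if cls != SAFE_OVERRIDE:
            findings.append(f"xmlparser is mapped to {cls}, not {SAFE_OVERRIDE}")
    for lst in root.iter("listener"):
        if lst.get("class", "").endswith(RUN_EXEC):
            findings.append(
                f"RunExecutableListener registered for event {lst.get('event')}")
    return findings


if __name__ == "__main__":
    for name, text in (("hardened", HARDENED), ("unhardened", UNHARDENED)):
        print(name, audit_solrconfig(text) or "OK")
```

An empty list means the config matches the mitigation in the description; it does not replace running one of the fixed Solr versions the issue lists.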