[
https://jira.duraspace.org/browse/DS-858?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=19558#action_19558
]
Peter Dietz commented on DS-858:
--------------------------------
The easiest way to fix an affected 1.7.0 instance is to:
Replace [dspace]/webapps/solr/WEB-INF/web.xml with
http://scm.dspace.org/svn/repo/modules/dspace-solr/tags/dspace-solr-parent-1.4.1.1/webapp/src/main/webapp/WEB-INF/web.xml
Restart Tomcat.
For good measure, if you are using Discovery, also be sure to then reindex
discovery: [dspace]/bin/dspace update-discovery-index -f
> Multicore SOLR needs prevent remote access to solr cores
> --------------------------------------------------------
>
> Key: DS-858
> URL: https://jira.duraspace.org/browse/DS-858
> Project: DSpace
> Issue Type: Bug
> Components: Solr
> Affects Versions: 1.7.0
> Reporter: Kim Shepherd
> Assignee: Mark Diggory
> Priority: Major
> Fix For: 1.7.1, 1.8.0
>
> Attachments:
> diff-modules_dspace-solr_trunk_webapp_src_main_webapp_WEB-INF_web.xml-from-r5524-to-r6235.diff
>
>
> Kim Shepherd has noticed that a default installation of DSpace 1.7.0 with no
> further security hardening through configuration of Tomcat and Apache HTTPD
> will allow remote access to SOLR. This problem was created when Solr went
> multicore on DSpace. The security vulnerabilities are that a remote user
> could view data in solr (non anonymised usage data, private metadata) that is
> typically restricted from remote users. Additionally a malicious user could
> alter or delete data in Solr.
> The fix for this is included in 1.7.1. Current users of DSpace 1.7.0 can
> either upgrade to 1.7.1 as soon as possible, or patch their
> [dspace]/webapps/solr/WEB-INF/web.xml with the change made in r6161
> https://fisheye3.atlassian.com/browse/dspace/modules/dspace-solr/trunk/webapp/src/main/webapp/WEB-INF/web.xml?r2=6161&r1=5524
> which moves the filter-mapping for LocalHostRestrictionFilter above
> SolrRequestFilter.
> After patching or upgrading your system, those using Discovery should reindex
> their content.
> [dspace]/bin/dspace update-discovery-index -f
--
This message is automatically generated by JIRA.
_______________________________________________
Dspace-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/dspace-devel
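
The ordering fix described in DS-858 can be verified mechanically, because a servlet container invokes filters in the order their filter-mapping elements appear in web.xml. The following is an added example, not DSpace code: it reports whether the LocalHostRestrictionFilter mapping precedes the SolrRequestFilter mapping. The sample descriptors, the `/*` URL pattern and the helper names are constructed for illustration.

```python
import sys
import xml.etree.ElementTree as ET

# Filter names as given in DS-858.
GUARD = "LocalHostRestrictionFilter"
GUARDED = "SolrRequestFilter"

def _local(tag):
    """Drop any XML namespace so DTD- and schema-based descriptors both parse."""
    return tag.rsplit("}", 1)[-1]

def filter_mapping_order(xml_data):
    """Return filter names in the order their <filter-mapping> elements appear."""
    names = []
    for el in ET.fromstring(xml_data):
        if _local(el.tag) != "filter-mapping":
            continue
        for child in el:
            if _local(child.tag) == "filter-name":
                names.append((child.text or "").strip())
    return names

def check(xml_data, guard=GUARD, guarded=GUARDED):
    """Return (ok, reason); ok is True only if the guard is mapped first."""
    order = filter_mapping_order(xml_data)
    if guard not in order:
        return False, f"{guard} has no filter-mapping"
    if guarded in order and order.index(guarded) < order.index(guard):
        return False, f"{guarded} is mapped before {guard}"
    return True, f"{guard} is not preceded by {guarded}"

def _webxml(*names):
    """Build a constructed, minimal descriptor (the /* pattern is an assumption)."""
    maps = "".join(
        f"<filter-mapping><filter-name>{n}</filter-name>"
        f"<url-pattern>/*</url-pattern></filter-mapping>" for n in names)
    return f"<web-app>{maps}</web-app>"

AFFECTED = _webxml(GUARDED, GUARD)   # constructed: ordering described for 1.7.0
PATCHED = _webxml(GUARD, GUARDED)    # constructed: ordering after the fix

if __name__ == "__main__":
    if len(sys.argv) > 1:            # path to [dspace]/webapps/solr/WEB-INF/web.xml
        with open(sys.argv[1], "rb") as fh:
            ok, reason = check(fh.read())
        print("OK" if ok else "FAIL", reason)
        sys.exit(0 if ok else 1)
    for label, doc in (("affected", AFFECTED), ("patched", PATCHED)):
        print(label, check(doc))
```

Run it with the path to the deployed web.xml as its only argument; a non-zero exit status means the restriction filter is missing or mapped too late.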