[
https://jira.duraspace.org/browse/DS-858?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Tim Donohue updated DS-858:
---------------------------
Description:
Kim Shepherd has noticed that a default installation of DSpace 1.7.0, with no
further security hardening through configuration of Tomcat and Apache HTTPD,
will allow remote access to Solr. This problem was introduced when Solr went
multicore in DSpace. The security vulnerabilities are that a remote user could
view data in Solr (non-anonymised usage data, private metadata) that is
typically restricted from remote users. Additionally, a malicious user could
alter or delete data in Solr.
The fix for this is included in 1.7.1.
*How to Fix this Issue*
Current users of DSpace 1.7.0 can either upgrade to 1.7.1 as soon as possible
(permanent fix), or replace/patch their existing web.xml file (quick fix).
*Quick Fix*
1. Replace [dspace]/webapps/solr/WEB-INF/web.xml with
http://scm.dspace.org/svn/repo/modules/dspace-solr/tags/dspace-solr-parent-1.4.1.1/webapp/src/main/webapp/WEB-INF/web.xml
2. Restart Tomcat.
3. If you are using Discovery, also be sure to then reindex discovery:
[dspace]/bin/dspace update-discovery-index -f
Please note that this quick fix is only temporary. The next time you rebuild
DSpace 1.7.0, DSpace will recreate the insecure
[dspace]/webapps/solr/WEB-INF/web.xml. Therefore, this fix is only recommended
as a temporary way to resolve these issues until you are able to upgrade to
1.7.1.
*Permanent Fix - Upgrade to 1.7.1*
1. Follow the upgrade instructions at:
https://wiki.duraspace.org/display/DSDOC/Upgrading+a+DSpace+Installation#UpgradingaDSpaceInstallation-Upgradingfrom1.7to1.7.x
2. If you are using Discovery, also be sure to then reindex discovery:
[dspace]/bin/dspace update-discovery-index -f
was:
Kim Shepherd has noticed that a default installation of DSpace 1.7.0, with no
further security hardening through configuration of Tomcat and Apache HTTPD,
will allow remote access to Solr. This problem was introduced when Solr went
multicore in DSpace. The security vulnerabilities are that a remote user could
view data in Solr (non-anonymised usage data, private metadata) that is
typically restricted from remote users. Additionally, a malicious user could
alter or delete data in Solr.
The fix for this is included in 1.7.1. Current users of DSpace 1.7.0 can either
upgrade to 1.7.1 as soon as possible, or patch their
[dspace]/webapps/solr/WEB-INF/web.xml with the change made in r6161
(https://fisheye3.atlassian.com/browse/dspace/modules/dspace-solr/trunk/webapp/src/main/webapp/WEB-INF/web.xml?r2=6161&r1=5524),
which moves the filter-mapping for LocalHostRestrictionFilter above
SolrRequestFilter.
After patching or upgrading your system, those using Discovery should reindex
their content:
[dspace]/bin/dspace update-discovery-index -f
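As an added check for the r6161 change described above (this script is not part of the issue or of DSpace itself): it parses a Solr web.xml and reports whether the LocalHostRestrictionFilter filter-mapping precedes the SolrRequestFilter one, which is what the fix relies on. The two embedded web.xml documents are constructed samples; the filter names are the ones named in this issue.

```python
import xml.etree.ElementTree as ET

# Filter names as they appear in DS-858.
RESTRICTION_FILTER = "LocalHostRestrictionFilter"
SOLR_FILTER = "SolrRequestFilter"


def _local(tag: str) -> str:
    """Strip any XML namespace so DTD-based and namespaced web.xml parse alike."""
    return tag.rsplit("}", 1)[-1]


def filter_mapping_order(web_xml: str) -> list:
    """Return the <filter-name> of every <filter-mapping> in document order,
    which is the order the servlet container builds the filter chain."""
    root = ET.fromstring(web_xml)
    return [(child.text or "").strip()
            for elem in root.iter() if _local(elem.tag) == "filter-mapping"
            for child in elem if _local(child.tag) == "filter-name"]


def restriction_runs_first(web_xml: str) -> bool:
    """True only if LocalHostRestrictionFilter is mapped before SolrRequestFilter.
    Solr's dispatch filter answers matching requests itself rather than passing
    them down the chain, so a restriction filter mapped after it never runs."""
    order = filter_mapping_order(web_xml)
    if RESTRICTION_FILTER not in order or SOLR_FILTER not in order:
        return False
    return order.index(RESTRICTION_FILTER) < order.index(SOLR_FILTER)


def make_web_xml(first: str, second: str) -> str:
    """Constructed minimal web.xml with two mappings in the given order."""
    mapping = ("<filter-mapping><filter-name>{}</filter-name>"
               "<url-pattern>/*</url-pattern></filter-mapping>")
    return ('<web-app xmlns="http://java.sun.com/xml/ns/javaee">'
            + mapping.format(first) + mapping.format(second) + "</web-app>")


VULNERABLE_WEB_XML = make_web_xml(SOLR_FILTER, RESTRICTION_FILTER)  # 1.7.0 order
FIXED_WEB_XML = make_web_xml(RESTRICTION_FILTER, SOLR_FILTER)       # r6161 order

if __name__ == "__main__":
    import sys
    # Pass [dspace]/webapps/solr/WEB-INF/web.xml as the first argument to check a real file.
    doc = open(sys.argv[1]).read() if len(sys.argv) > 1 else VULNERABLE_WEB_XML
    print("OK: localhost restriction runs before the Solr dispatch filter"
          if restriction_runs_first(doc)
          else "INSECURE: Solr dispatch filter runs before the localhost restriction")
```

A passing result only confirms the mapping order; it does not replace restricting the Solr webapp at the Tomcat or Apache HTTPD level as the issue recommends.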
> Multicore SOLR needs prevent remote access to solr cores
> --------------------------------------------------------
>
> Key: DS-858
> URL: https://jira.duraspace.org/browse/DS-858
> Project: DSpace
> Issue Type: Bug
> Components: Solr
> Affects Versions: 1.7.0
> Reporter: Kim Shepherd
> Assignee: Mark Diggory
> Priority: Major
> Fix For: 1.7.1, 1.8.0
>
> Attachments:
> diff-modules_dspace-solr_trunk_webapp_src_main_webapp_WEB-INF_web.xml-from-r5524-to-r6235.diff
>
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
https://jira.duraspace.org/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
_______________________________________________
Dspace-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/dspace-devel