[ https://jira.duraspace.org/browse/DS-858?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Tim Donohue updated DS-858:
---------------------------

    Comment: was deleted

(was: The easiest way to fix an affected 1.7.0 instance is to:
1. Replace [dspace]/webapps/solr/WEB-INF/web.xml with
   http://scm.dspace.org/svn/repo/modules/dspace-solr/tags/dspace-solr-parent-1.4.1.1/webapp/src/main/webapp/WEB-INF/web.xml
2. Restart tomcat.
3. For good measure, if you are using Discovery, also be sure to then reindex
   discovery: [dspace]/bin/dspace update-discovery-index -f)

> Multicore SOLR needs to prevent remote access to solr cores
> -----------------------------------------------------------
>
>                 Key: DS-858
>                 URL: https://jira.duraspace.org/browse/DS-858
>             Project: DSpace
>          Issue Type: Bug
>          Components: Solr
>    Affects Versions: 1.7.0
>            Reporter: Kim Shepherd
>            Assignee: Mark Diggory
>            Priority: Major
>             Fix For: 1.7.1, 1.8.0
>
>         Attachments: 
> diff-modules_dspace-solr_trunk_webapp_src_main_webapp_WEB-INF_web.xml-from-r5524-to-r6235.diff
>
>
> Kim Shepherd has noticed that a default installation of DSpace 1.7.0 with no 
> further security hardening through configuration of Tomcat and Apache HTTPD 
> will allow remote access to SOLR. This problem was created when Solr went 
> multicore on DSpace. The security vulnerabilities are that a remote user 
> could view data in solr (non-anonymised usage data, private metadata) that is 
> typically restricted from remote users. Additionally a malicious user could 
> alter or delete data in Solr.
> The fix for this is included in 1.7.1.
> *How to Fix this Issue*
> Current users of DSpace 1.7.0 can either upgrade to 1.7.1 as soon as possible 
> (permanent fix), or replace/patch their existing web.xml file (quick fix).
> *Quick Fix*
> 1. Replace [dspace]/webapps/solr/WEB-INF/web.xml with 
> http://scm.dspace.org/svn/repo/modules/dspace-solr/tags/dspace-solr-parent-1.4.1.1/webapp/src/main/webapp/WEB-INF/web.xml
> 2. Restart tomcat.
> 3. If you are using Discovery, also be sure to then reindex discovery: 
> [dspace]/bin/dspace update-discovery-index -f 
> Please note that this quick fix is only temporary. The next time you rebuild 
> DSpace 1.7.0 (by running 'ant update'), DSpace will re-install the insecure 
> version of [dspace]/webapps/solr/WEB-INF/web.xml. Therefore, this fix is only 
> recommended as a temporary way to resolve these issues, until you are able to 
> upgrade to 1.7.1.
> *Permanent Fix - Upgrade to 1.7.1*
> 1. Follow the upgrade instructions at: 
> https://wiki.duraspace.org/display/DSDOC/Upgrading+a+DSpace+Installation#UpgradingaDSpaceInstallation-Upgradingfrom1.7to1.7.x
> 2. If you are using Discovery, also be sure to then reindex discovery: 
> [dspace]/bin/dspace update-discovery-index -f 

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: 
https://jira.duraspace.org/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
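An added check for the exposure the ticket describes (this is example code written for this page, not part of the DS-858 ticket or of DSpace). Run it from a machine that is not the DSpace host, before and after applying the web.xml fix: it sends a read request to each core's select handler and a write request carrying no documents to its update handler, and reports whether a remote client gets through. The base URL and host name are hypothetical, and the core names "search" and "statistics" are assumed to be the DSpace 1.7 defaults; pass your own on the command line if they differ.

```shell
#!/bin/sh
# Added example for DS-858; not code from the ticket or from DSpace.
# Probes a DSpace 1.7.x Solr webapp from a remote machine and reports, per
# core, whether the read (select) and write (update) handlers answer.
#
# Assumptions not stated in the ticket: Solr answers at BASE/<core>/...,
# the cores are "search" and "statistics" (DSpace 1.7 defaults), and the
# example host name in the usage line is hypothetical.

DEFAULT_CORES="search statistics"

# Verdict for the read probe (GET .../select). curl reports 000 when no
# connection could be made, which means a firewall or the Tomcat bind
# address is already keeping the core off the network.
assess_read() {
    case "$1" in
        000)     echo UNREACHABLE ;;
        2*)      echo EXPOSED ;;
        401|403) echo RESTRICTED ;;
        *)       echo "UNEXPECTED_$1" ;;
    esac
}

# Verdict for the write probe (POST .../update). A 400 means the request
# reached Solr's update handler and was parsed there, so the core accepts
# writes from this client just as a 2xx would show.
assess_write() {
    case "$1" in
        000)     echo UNREACHABLE ;;
        2*|400)  echo EXPOSED ;;
        401|403) echo RESTRICTED ;;
        *)       echo "UNEXPECTED_$1" ;;
    esac
}

# HTTP status of a GET; "000" when no connection was made or curl is absent.
# The "|| true" keeps a failed curl from aborting a "set -e" shell.
http_get_status() {
    _code=$(curl -s -o /dev/null -w '%{http_code}' --max-time 5 "$1" 2>/dev/null) || true
    echo "${_code:-000}"
}

# HTTP status of a POST to the update handler. The body <add/> carries no
# documents, so it changes nothing in the index even when it gets through.
http_update_status() {
    _code=$(curl -s -o /dev/null -w '%{http_code}' --max-time 5 \
        -H 'Content-Type: text/xml' --data-binary '<add/>' "$1" 2>/dev/null) || true
    echo "${_code:-000}"
}

# Probe one core and print both status codes with their verdicts.
probe_core() {
    _base=$1
    _core=$2
    _read=$(http_get_status "$_base/$_core/select/?q=*:*&rows=0")
    _write=$(http_update_status "$_base/$_core/update/")
    printf '%-12s select=%s (%s)  update=%s (%s)\n' \
        "$_core" "$_read" "$(assess_read "$_read")" \
        "$_write" "$(assess_write "$_write")"
}

# Usage: sh probe_solr.sh http://dspace.example.org:8080/solr [core ...]
# (dspace.example.org is a placeholder; nothing runs without a base URL.)
if [ "$#" -ge 1 ]; then
    _base=$1
    shift
    for _core in ${*:-$DEFAULT_CORES}; do
        probe_core "$_base" "$_core"
    done
fi
```

On an unpatched 1.7.0 instance that has not been hardened at the Tomcat or Apache layer, both columns come back EXPOSED; a 403 (RESTRICTED) or a refused connection (UNREACHABLE) from every remote address is what you want to see after the fix.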

_______________________________________________
Dspace-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/dspace-devel
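The quick fix above lives in web.xml, which the ticket warns is overwritten by the next 'ant update'. A restriction that is configured in Tomcat itself is not touched by that rebuild, so it is worth having alongside the web.xml fix. The following is an added example of such a restriction, not configuration from the ticket or from DSpace: it assumes the Solr webapp is declared as a <Context> inside the <Host> element of Tomcat's conf/server.xml, and uses Tomcat's own org.apache.catalina.valves.RemoteAddrValve with the loopback-only pattern from the Tomcat documentation.

```xml
<!-- Added example; not from the DS-858 ticket or from DSpace's own
     configuration. Place this inside the <Host> element of Tomcat's
     conf/server.xml. [dspace] is the DSpace installation directory. -->
<Context path="/solr" docBase="[dspace]/webapps/solr">
  <!-- Tomcat's RemoteAddrValve runs before any filter in the webapp's
       web.xml, so a reinstalled web.xml does not disable it. The allow
       value is a regular expression matched against the whole client
       address; it admits the IPv4 and IPv6 loopback spellings and
       nothing else. Every other client receives a 403. -->
  <Valve className="org.apache.catalina.valves.RemoteAddrValve"
         allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1" />
</Context>
```

Two caveats. The valve checks the address Tomcat sees: if Apache HTTPD reverse-proxies /solr to Tomcat over HTTP, that address is the proxy's own, and the valve lets everything through, so either do not proxy /solr at all or deny it in Apache as well (for Apache 2.2, a <Location /solr> block with "Order deny,allow", "Deny from all" and "Allow from 127.0.0.1"). And the DSpace webapps that use Solr (Discovery, statistics) must be on the same host as the Solr webapp for a loopback-only rule to work; if they are not, allow only those hosts' addresses instead.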
