[ https://jira.duraspace.org/browse/DS-858?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Tim Donohue updated DS-858:
---------------------------

    Description: 
Kim Shepherd has noticed that a default installation of DSpace 1.7.0 with no 
further security hardening through configuration of Tomcat and Apache HTTPD 
will allow remote access to Solr. This problem was created when Solr went 
multicore on DSpace. The security vulnerabilities are that a remote user could 
view data in Solr (non-anonymised usage data, private metadata) that is 
typically restricted from remote users. Additionally, a malicious user could 
alter or delete data in Solr.

The fix for this is included in 1.7.1.

*How to Fix this Issue*

Current users of DSpace 1.7.0 can either upgrade to 1.7.1 as soon as possible 
(permanent fix), or replace/patch their existing web.xml file (quick fix).

*Quick Fix*

1. Replace [dspace]/webapps/solr/WEB-INF/web.xml with 
http://scm.dspace.org/svn/repo/modules/dspace-solr/tags/dspace-solr-parent-1.4.1.1/webapp/src/main/webapp/WEB-INF/web.xml
2. Restart Tomcat.
3. If you are using Discovery, also be sure to then reindex discovery: 
[dspace]/bin/dspace update-discovery-index -f 

Please note that this quick fix is only temporary. The next time you rebuild 
DSpace 1.7.0 (by running 'ant update'), DSpace will re-install the insecure 
version of [dspace]/webapps/solr/WEB-INF/web.xml. Therefore, this fix is only 
recommended as a temporary way to resolve these issues, until you are able to 
upgrade to 1.7.1.

*Permanent Fix - Upgrade to 1.7.1*

1. Follow the upgrade instructions at: 
https://wiki.duraspace.org/display/DSDOC/Upgrading+a+DSpace+Installation  (As 
DSpace 1.7.1 is a bug-fix only release, it requires no modifications to your 
1.7.0 database structure or configuration files. Most users upgrading from 
1.7.0 to 1.7.1 should find this upgrade to be relatively painless, as it should 
not affect existing 1.7.0 customizations or configurations.)
2. If you are using Discovery, also be sure to then reindex discovery: 
[dspace]/bin/dspace update-discovery-index -f 

  was:
Kim Shepherd has noticed that a default installation of DSpace 1.7.0 with no 
further security hardening through configuration of Tomcat and Apache HTTPD 
will allow remote access to Solr. This problem was created when Solr went 
multicore on DSpace. The security vulnerabilities are that a remote user could 
view data in Solr (non-anonymised usage data, private metadata) that is 
typically restricted from remote users. Additionally, a malicious user could 
alter or delete data in Solr.

The fix for this is included in 1.7.1.

*How to Fix this Issue*

Current users of DSpace 1.7.0 can either upgrade to 1.7.1 as soon as possible 
(permanent fix), or replace/patch their existing web.xml file (quick fix).

*Quick Fix*

1. Replace [dspace]/webapps/solr/WEB-INF/web.xml with 
http://scm.dspace.org/svn/repo/modules/dspace-solr/tags/dspace-solr-parent-1.4.1.1/webapp/src/main/webapp/WEB-INF/web.xml
2. Restart Tomcat.
3. If you are using Discovery, also be sure to then reindex discovery: 
[dspace]/bin/dspace update-discovery-index -f 

Please note that this quick fix is only temporary. The next time you rebuild 
DSpace 1.7.0 (by running 'ant update'), DSpace will re-install the insecure 
version of [dspace]/webapps/solr/WEB-INF/web.xml. Therefore, this fix is only 
recommended as a temporary way to resolve these issues, until you are able to 
upgrade to 1.7.1.

*Permanent Fix - Upgrade to 1.7.1*

1. Follow the upgrade instructions at: 
https://wiki.duraspace.org/display/DSDOC/Upgrading+a+DSpace+Installation#UpgradingaDSpaceInstallation-Upgradingfrom1.7to1.7.x
2. If you are using Discovery, also be sure to then reindex discovery: 
[dspace]/bin/dspace update-discovery-index -f 


> Multicore SOLR needs prevent remote access to solr cores
> --------------------------------------------------------
>
>                 Key: DS-858
>                 URL: https://jira.duraspace.org/browse/DS-858
>             Project: DSpace
>          Issue Type: Bug
>          Components: Solr
>    Affects Versions: 1.7.0
>            Reporter: Kim Shepherd
>            Assignee: Mark Diggory
>            Priority: Major
>             Fix For: 1.7.1, 1.8.0
>
>         Attachments: 
> diff-modules_dspace-solr_trunk_webapp_src_main_webapp_WEB-INF_web.xml-from-r5524-to-r6235.diff
>
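Both the quick fix and the 1.7.1 upgrade work by replacing the Solr webapp's web.xml; the issue text does not say what the replacement changes. One standard way for a web.xml to stop remote clients from reading or altering Solr data, independently of how Tomcat and Apache HTTPD are configured, is a servlet filter that rejects every request whose TCP peer is not the local machine. The filter below is an added illustration of that approach and is not code from the DSpace project or from this issue; the package name, class name and the optional `allowedAddresses` init-param are assumptions made for the example.

```java
// Added example, not DSpace code: a servlet filter that lets the Solr webapp
// answer only requests coming from the loopback address (plus an optional
// allow-list), returning 403 to everything else.
//
// Register it in [dspace]/webapps/solr/WEB-INF/web.xml ahead of the other
// filter-mappings so it runs first (names are hypothetical):
//
//   <filter>
//     <filter-name>LoopbackOnlyFilter</filter-name>
//     <filter-class>org.example.solrguard.LoopbackOnlyFilter</filter-class>
//     <init-param>
//       <param-name>allowedAddresses</param-name>
//       <param-value>192.0.2.10</param-value>   <!-- constructed sample -->
//     </init-param>
//   </filter>
//   <filter-mapping>
//     <filter-name>LoopbackOnlyFilter</filter-name>
//     <url-pattern>/*</url-pattern>
//   </filter-mapping>
package org.example.solrguard; // hypothetical package

import java.io.IOException;
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.util.HashSet;
import java.util.Set;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

public class LoopbackOnlyFilter implements Filter {

    // Additional peer addresses permitted by the "allowedAddresses" init-param
    // (comma separated), for the case where the DSpace front end runs on a
    // different host from Solr.
    private final Set<String> allowed = new HashSet<String>();

    public void init(FilterConfig config) throws ServletException {
        String extra = config.getInitParameter("allowedAddresses");
        if (extra != null) {
            for (String addr : extra.split(",")) {
                String trimmed = addr.trim();
                if (!trimmed.isEmpty()) {
                    allowed.add(trimmed);
                }
            }
        }
    }

    public void doFilter(ServletRequest request, ServletResponse response,
                         FilterChain chain) throws IOException, ServletException {
        if (isPermitted(request.getRemoteAddr())) {
            chain.doFilter(request, response);
            return;
        }
        // Covers every Solr handler behind /*: select, admin, update, delete.
        ((HttpServletResponse) response).sendError(HttpServletResponse.SC_FORBIDDEN);
    }

    // Decide on the TCP peer address only. Headers such as X-Forwarded-For are
    // client-controlled and are deliberately ignored here.
    boolean isPermitted(String remoteAddr) {
        if (remoteAddr == null) {
            return false;
        }
        if (allowed.contains(remoteAddr)) {
            return true;
        }
        try {
            // remoteAddr is always an IP literal, so no DNS lookup happens.
            return InetAddress.getByName(remoteAddr).isLoopbackAddress();
        } catch (UnknownHostException e) {
            return false;
        }
    }

    public void destroy() {
    }
}
```

Two caveats when verifying a fix of this kind after the Tomcat restart: a request to `/solr/` from another host should now receive 403 while the same request issued on the server itself still succeeds, and if Apache HTTPD proxies the whole Tomcat instance then every request reaches the filter from Apache's own address, so `/solr` must be excluded from the proxied paths (or the front end must otherwise be prevented from forwarding it) for the peer-address check to mean anything. The Discovery reindex step from the issue text is still required afterwards.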

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: 
https://jira.duraspace.org/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira

_______________________________________________
Dspace-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/dspace-devel
