Re: Vulnerability on solr port

2022-04-07 Thread Vincenzo D'Amore
This also means that if Solr is reachable from the outside via reverse proxy (this should never happen btw) the issue can be mitigated by configuring the reverse proxy with the internal network Solr hostname instead of the internal network ip address. On Fri, Apr 8, 2022 at 8:42 AM Vincenzo D'Am

Re: Vulnerability on solr port

2022-04-07 Thread Vincenzo D'Amore
I agree that a relative redirect without the ip/hostname of the server, and not even the port should solve the security issue in a fairly simple way. Just another thing I tried to do a couple of calls by myself: curl -vv localhost:8983/ 7 err < HTTP/1.1 302 Found < Loc

Re: High CPU utilisation on Solr-8.11.0

2022-04-07 Thread Modassar Ather
Thanks Walter for your reply. Yes it is the same disk shared on all instances. Thanks, Modassar On Fri, Apr 8, 2022 at 10:54 AM Walter Underwood wrote: > Are you sharing the same disk volume on all instances? I would expect that > to be slow and cause index corruption. Each instance should have

Re: High CPU utilisation on Solr-8.11.0

2022-04-07 Thread Walter Underwood
Are you sharing the same disk volume on all instances? I would expect that to be slow and cause index corruption. Each instance should have its own disk volumes. I’m looking at this part of your config. Storage : Multi-attach EBS Volume. Provisioned IOPS SSD (io1) with 3000 IOPS. wunder Walter

Re: High CPU utilisation on Solr-8.11.0

2022-04-07 Thread Modassar Ather
Hi, I tried a few different settings of GC and observed the following. The best result I got with the following environment and GC settings but still it is comparatively slower than the previous Solr-6.5.1 setup. Total index : 4+ TB Servers : 3 instances of x2gd.4xlarge systems each having 16 CPU

Re: Solr as a dedicated data store?

2022-04-07 Thread Shawn Heisey
On 4/7/2022 8:41 PM, James Greene wrote: This is actually why people abandon solr for elastic/opensearch. Solrs core contributors hold little value in supporting migration paths and stability with-in so it's always a heavy cost to users for upgrades. At a fundamental level, because ES and Solr

Re: Solr as a dedicated data store?

2022-04-07 Thread James Greene
I mean to only encourage focus on stability between releases and offer migration path options. I AM a fan boy of technology that offers an easier path of adoption/maintainability over its competitors. On Thu, Apr 7, 2022, 11:11 PM Gus Heck wrote: > It's not shocking that there are differences a

Re: Solr as a dedicated data store?

2022-04-07 Thread Gus Heck
It's not shocking that there are differences among products. If that feature is your favorite, use elastic. There are other features... and licensing which matters to some. Amazon's effort is interesting, but will it persist? When Oracle bought Mysql AB a site named dorsal source dot org (don't go

Re: Solr as a dedicated data store?

2022-04-07 Thread Shawn Heisey
On 4/7/2022 8:03 PM, Dave wrote: I seem to recall hearing that this was actually enforced by the code but I didn't find the check on a quick look through the code Lucene began recording the version that writes a segment at some point in 6.x, I have no idea which specific release. I know that

Re: Solr as a dedicated data store?

2022-04-07 Thread James Greene
> so that we can be free to make improvements without having to carry an ever growing weight of back compatibility This is actually why people abandon solr for elastic/opensearch. Solrs core contributors hold little value in supporting migration paths and stability with-in so it's always a heavy

Re: Vulnerability on solr port

2022-04-07 Thread Gus Heck
Are you assigning internal dns names to your solr servers? This possibly will allow the redirect to use the internal dns name instead, likely fooling the CVE checker program :) Just a thought on what to try if the checker-runner folks are not understanding types. As noted by the above folks, simpl

Re: Solr as a dedicated data store?

2022-04-07 Thread Dave
This is one of the most interesting and articulate emails I’ve read about the fundamentals in a long time. Saving this one :) > On Apr 7, 2022, at 9:32 PM, Gus Heck wrote: > > Solr is not a "good" primary data store. Solr is built for finding your > documents, not storing them. A good primary

Re: Solr as a dedicated data store?

2022-04-07 Thread Gus Heck
Solr is not a "good" primary data store. Solr is built for finding your documents, not storing them. A good primary data store holds stuff indefinitely without adding weight and without changing regularly, Solr doesn't fit that description. One of the biggest reasons for this is that at some point

Re: Vulnerability on solr port

2022-04-07 Thread dmitri maziuk
On 2022-04-07 6:18 PM, matthew sporleder wrote: Yes I agree the point of the "vulnerability" is that an http 1.0 request (does not require a Host header) will cause the origin to guess what it should put in the Location header. In some cases that guess is the ip of the server. In an http 1.1 or

Re: Vulnerability on solr port

2022-04-07 Thread matthew sporleder
Yes I agree the point of the "vulnerability" is that an http 1.0 request (does not require a Host header) will cause the origin to guess what it should put in the Location header. In some cases that guess is the ip of the server. In an http 1.1 or higher request the host header is used. I don'

Re: Vulnerability on solr port

2022-04-07 Thread David Hastings
“IP address of the original server” Is exactly the problem. A solr server doesn’t/shouldn’t have an IP address that exists outside of the internal network. So even if it didn’t get an IP it would have no vulnerabilities since, it’s not a real ip. The only people or machines that can touch it are

Re: Vulnerability on solr port

2022-04-07 Thread Vincenzo D'Amore
I don't think this is the point and I agree that Solr should not be accessible from the outside world but only from a restricted number of clients. So in my opinion, the OP was trying to explain that, for example, if you make an http call to solr through a reverse proxy (or a chain of) with the pa

Re: Vulnerability on solr port

2022-04-07 Thread dmitri maziuk
On 2022-04-07 9:56 AM, Anchal Sharma2 wrote: Hi All, It took me a while to get the following information about the detected vulnerability from the security team. ... Maybe you should educate them about a vulnerability in the `ping` command: if they ping your solr server by its name, it'll t

Re: Vulnerability on solr port

2022-04-07 Thread Shawn Heisey
On 4/7/2022 8:56 AM, Anchal Sharma2 wrote: The CVE number is CVE-2000-0649. https://nvd.nist.gov/vuln/detail/CVE-2000-0649 Can anyone suggest some fixes for the said vulnerability ? NVD - CVE-2000-0649 Current Description . IIS 4.0 allows remote

Re: Vulnerability on solr port

2022-04-07 Thread David Hastings
Yes, this looks like an IIS problem. IIS is on version 10, "Current Description . IIS 4.0 allows remote.." there is no reason IIS 4.0 should be running, ever On Thu, Apr 7, 2022 at 3:00 PM Jan Høydahl wrote: > Hi, > > Solr is not a web server that is accessible to someone on the outside o

Re: Vulnerability on solr port

2022-04-07 Thread Jan Høydahl
Hi, Solr is not a web server that is accessible to someone on the outside of your firewall. I.e. users on the outside will never issue requests directly or indirectly to Solr, unless you have exposed the raw Solr server through a simple reverse proxy or similar, which is a big no-no. W

RE: Vulnerability on solr port

2022-04-07 Thread Anchal Sharma2
Hi All, It took me a while to get the following information about the detected vulnerability from the security team. The officially used security tool was able to exploit the issue using the following request : GET / HTTP/1.0 Accept-Charset: iso-8859-1,utf-8;q=0.9,*;q=0.1 Accept-Language: en Co

solrj getBeans method does not get child element

2022-04-07 Thread halis Yılboğa
Hi everyone, solrj getBeans method does not get child documents if we provide nested_path. Below is my nested path configuration. ``` ``` and this part is skipped since there the path name did not match to a Solr Document public SolrDocument readSolrDocument(DataInputInputStream dis) throws IO

Re: solr relatedness weirdness on json facet function

2022-04-07 Thread Dan Rosher
Thanks Michael, that may well be the issue! I need to reorder the chain and thanks for the suggestion on the WordDelimiterGraphFilter which I'll look into as well. On Wed, 6 Apr 2022 at 17:14, Michael Gibney wrote: > I think the behavior you're seeing is a consequence of the fact that you're > a

Re: Apache Solr on FreeBSD

2022-04-07 Thread Jan Høydahl
I don't think we have official nightly tests on FreeBSD, and no install-script support. So the risk is that e.g. bin/solr start script may be more likely to have bugs than on linux. However, many devs use macOS which is BSD based, and the start scripts support that... As long as you have a curr

Apache Solr on FreeBSD

2022-04-07 Thread Sam Lee
Does Apache Solr work out of the box on FreeBSD? Does the Solr project officially support running Solr on FreeBSD? Or is Solr only for Linux, macOS, and Windows?