[ https://issues.apache.org/jira/browse/SOLR-13750?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16927908#comment-16927908 ]
Dean Shapira commented on SOLR-13750:
-------------------------------------

[~tomasflobbe] can you please refer to the relevant GitHub Issue/Commit with the fix of this security issue?

> [CVE-2019-12401] XML Bomb in Apache Solr versions prior to 5.0.0
> ----------------------------------------------------------------
>
>                 Key: SOLR-13750
>                 URL: https://issues.apache.org/jira/browse/SOLR-13750
>             Project: Solr
>          Issue Type: Bug
>      Security Level: Public(Default Security Level. Issues are Public)
>    Affects Versions: 1.3, 1.4, 1.4.1, 3.1, 3.2, 3.3, 3.4, 3.5, 3.6, 3.6.1,
> 3.6.2, 4.0, 4.1, 4.2, 4.2.1, 4.3, 4.3.1, 4.4, 4.5, 4.5.1, 4.6, 4.6.1, 4.7,
> 4.7.1, 4.7.2, 4.8, 4.8.1, 4.9, 4.9.1, 4.10, 4.10.1, 4.10.2, 4.10.3, 4.10.4
>            Reporter: Tomás Fernández Löbbe
>            Priority: Major
>             Fix For: 5.0
>
>
> Severity: Medium
> Vendor: The Apache Software Foundation
> Versions Affected:
> 1.3.0 to 1.4.1
> 3.1.0 to 3.6.2
> 4.0.0 to 4.10.4
> Description:
> Solr versions prior to 5.0.0 are vulnerable to an XML resource consumption
> attack (a.k.a. Lol Bomb) via its update handler.
> By leveraging XML DOCTYPE and ENTITY type elements, the attacker can create
> a pattern that will expand when the server parses the XML causing OOMs.
> Mitigation:
> * Upgrade to Apache Solr 5.0 or later.
> * Ensure your network settings are configured so that only trusted traffic
> is allowed to post documents to the running Solr instances.
> Credit:
> Matei "Mal" Badanoiu

--
This message was sent by Atlassian Jira
(v8.3.2#803003)
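The DOCTYPE/ENTITY expansion pattern the quoted advisory describes, shown from the defender's side as an added example (this is not Solr's code or the fix asked about in the comment): a budgeted expat parse in Python that estimates each internal entity's fully expanded size at declaration time, before any reference to it is expanded, and refuses the document once that estimate or the delivered text exceeds a budget. The 64 KiB budget, the function names and the constructed sample documents are assumptions of this example.

```python
import re
import xml.parsers.expat

ENTITY_REF = re.compile(r"&(\w+);")   # general entity references inside replacement text

class XmlBombError(ValueError):
    """Raised when declared entities (or delivered text) would exceed the budget."""

def parse_with_entity_budget(data: bytes, max_expansion: int = 64 * 1024) -> int:
    """Parse with expat; reject once any declared entity's estimated expansion, or the
    text actually delivered, exceeds max_expansion chars. Returns delivered char count."""
    expanded = {}                              # entity name -> expanded size in chars
    delivered = [0]

    def on_entity_decl(name, is_param, value, base, sys_id, pub_id, notation):
        if value is None:                      # external entity: size cannot be bounded here
            raise XmlBombError(f"external entity {name!r} refused")
        size = len(ENTITY_REF.sub("", value))  # literal text ...
        for ref in ENTITY_REF.findall(value):  # ... plus each nested reference, expanded
            size += expanded.get(ref, 1)       # undeclared/predefined refs count as one char
        if size > max_expansion:
            raise XmlBombError(f"entity {name!r} would expand to {size} chars")
        expanded[name] = size

    def on_chars(text):                        # expanded text delivered to the application
        delivered[0] += len(text)
        if delivered[0] > max_expansion:
            raise XmlBombError("character data exceeds budget")

    parser = xml.parsers.expat.ParserCreate()
    parser.EntityDeclHandler = on_entity_decl  # fires for each <!ENTITY ...> in the DTD
    parser.CharacterDataHandler = on_chars
    parser.Parse(data, True)
    return delivered[0]

def is_rejected(data: bytes) -> bool:
    """True if the budgeted parser refuses `data`."""
    try:
        parse_with_entity_budget(data)
        return False
    except XmlBombError:
        return True

def build_xml_bomb(levels: int = 10, fanout: int = 10) -> bytes:
    """Constructed sample: the nested-entity pattern (fanout**(levels-1) copies of 'lol')."""
    decls = ['<!ENTITY lol0 "lol">']
    for i in range(1, levels):
        decls.append(f'<!ENTITY lol{i} "{("&lol%d;" % (i - 1)) * fanout}">')
    return ('<?xml version="1.0"?><!DOCTYPE add [' + "".join(decls)
            + f']><add><doc>&lol{levels - 1};</doc></add>').encode()
```

With the default budget the ten-level sample is refused at the declaration of `lol5` (estimated 300000 characters), before the parser ever reaches the body; a three-level variant expands to 300 characters and is accepted.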