Kevin Risden created RANGER-1942:
------------------------------------

             Summary: Disable xmlparser and configEdit API in Solr for Audit setup
                 Key: RANGER-1942
                 URL: https://issues.apache.org/jira/browse/RANGER-1942
             Project: Ranger
          Issue Type: Bug
          Components: audit
            Reporter: Kevin Risden


AMBARI-22273 addresses this for Ambari Infra Solr. Ranger should do its best to 
protect users from using a config that could be an issue. Solr 5.5.5, 6.6.2, 
and 7.1.0 all fix the below issues. The fix for Ranger would be to set the 
following in solrconfig.xml.

{code:xml}
<queryParser name="xmlparser" class="solr.ExtendedDismaxQParserPlugin" />
{code}

From https://lucene.apache.org/solr/news.html
* Fix for a 0-day exploit (CVE-2017-12629), details: https://s.apache.org/FJDl. 
RunExecutableListener has been disabled by default (can be enabled by 
-Dsolr.enableRunExecutableListener=true) and resolving external entities in the 
XML query parser (defType=xmlparser or {!xmlparser ... }) is disabled by 
default.
* Fix for CVE-2017-7660: Security Vulnerability in secure inter-node 
communication in Apache Solr, details: https://s.apache.org/APTY
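To verify that a deployed solrconfig.xml actually carries the override described above, here is an added check (example code, not part of this issue or of the Ranger project). It assumes the default "xmlparser" name maps to Solr's XmlQParserPlugin and that RunExecutableListener is declared as a `<listener>` element; the two sample configs are constructed for illustration.

```python
"""Check a solrconfig.xml for the RANGER-1942 hardening (added example)."""
import xml.etree.ElementTree as ET

# Assumptions: Solr's built-in "xmlparser" resolves to XmlQParserPlugin unless
# overridden in solrconfig.xml; RunExecutableListener appears as <listener class=...>.
RUN_EXEC_LISTENER = "solr.RunExecutableListener"


def check_solrconfig(xml_text):
    """Return a list of findings; an empty list means the config looks hardened."""
    root = ET.fromstring(xml_text)
    findings = []

    # 1. The "xmlparser" name must be re-pointed at a parser that does not
    #    parse XML, so defType=xmlparser / {!xmlparser} cannot reach it.
    overrides = [qp for qp in root.iter("queryParser") if qp.get("name") == "xmlparser"]
    if not overrides:
        findings.append("xmlparser not overridden: default XmlQParserPlugin is reachable")
    for qp in overrides:
        if qp.get("class", "").endswith("XmlQParserPlugin"):
            findings.append("xmlparser override still points at %s" % qp.get("class"))

    # 2. No event listener should run external executables.
    for listener in root.iter("listener"):
        if listener.get("class") == RUN_EXEC_LISTENER:
            findings.append("RunExecutableListener configured on event %s"
                            % listener.get("event"))
    return findings


# Constructed sample configs (not taken from any real deployment).
VULNERABLE = """<config>
  <listener event="postCommit" class="solr.RunExecutableListener"/>
</config>"""

HARDENED = """<config>
  <queryParser name="xmlparser" class="solr.ExtendedDismaxQParserPlugin"/>
</config>"""

if __name__ == "__main__":
    for label, cfg in (("vulnerable", VULNERABLE), ("hardened", HARDENED)):
        print(label, check_solrconfig(cfg) or ["ok"])
```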



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)