[ https://issues.apache.org/jira/browse/RANGER-1942?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Kevin Risden updated RANGER-1942:
---------------------------------
    Fix Version/s: 0.7.2

> Disable xmlparser and configEdit API in Solr for Audit setup
> ------------------------------------------------------------
>
>                 Key: RANGER-1942
>                 URL: https://issues.apache.org/jira/browse/RANGER-1942
>             Project: Ranger
>          Issue Type: Bug
>          Components: audit
>            Reporter: Kevin Risden
>             Fix For: 0.7.2
>
>
> AMBARI-22273 addresses this for Ambari Infra Solr. Ranger should do its best
> to protect users from using a config that could be an issue. Solr 5.5.5,
> 6.6.2, and 7.1.0 all fix the below issues.
> A fix for Ranger would be to set the following in solrconfig.xml. Another
> could be to make sure that the documentation for Ranger -> Solr ensures that
> recommended versions are used.
> {code:xml}
> <queryParser name="xmlparser" class="solr.ExtendedDismaxQParserPlugin" />
> {code}
> From https://lucene.apache.org/solr/news.html
> * Fix for a 0-day exploit (CVE-2017-12629), details:
> https://s.apache.org/FJDl. RunExecutableListener has been disabled by default
> (can be enabled by -Dsolr.enableRunExecutableListener=true) and resolving
> external entities in the XML query parser (defType=xmlparser or {!xmlparser
> ... }) is disabled by default.
> * Fix for CVE-2017-7660: Security Vulnerability in secure inter-node
> communication in Apache Solr, details: https://s.apache.org/APTY

--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
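
A defensive check for the solrconfig.xml override described in the issue, as an added example that is not part of the original message or of Ranger's code: it reports when the name `xmlparser` is not re-bound to another parser class and when a `RunExecutableListener` is configured. The sample configs, the function names and the finding labels are constructed for illustration, and `XmlQParserPlugin` is assumed to be the class behind Solr's XML query parser.

```python
import xml.etree.ElementTree as ET

# Constructed sample configs for illustration (not from Ranger or Solr).
HARDENED = """<config>
  <queryParser name="xmlparser" class="solr.ExtendedDismaxQParserPlugin" />
</config>"""

RISKY = """<config>
  <listener event="postCommit" class="solr.RunExecutableListener">
    <str name="exe">placeholder.sh</str>
  </listener>
  <queryParser name="xmlparser" class="solr.XmlQParserPlugin" />
</config>"""

UNSET = "<config><requestHandler name='/select' class='solr.SearchHandler' /></config>"


def short_class(name):
    """Strip the package prefix: 'solr.Foo' and 'org.apache...Foo' -> 'Foo'."""
    return name.rsplit(".", 1)[-1]


def audit_solrconfig(xml_text):
    """Return findings for the settings discussed in RANGER-1942."""
    root = ET.fromstring(xml_text)
    findings = []

    # The issue's fix re-binds the name "xmlparser" to a non-XML parser.
    bound = [qp for qp in root.iter("queryParser") if qp.get("name") == "xmlparser"]
    if not bound:
        findings.append("xmlparser-not-overridden")
    # Assumption: XmlQParserPlugin is the class behind Solr's XML query parser.
    if any(short_class(qp.get("class", "")) == "XmlQParserPlugin" for qp in bound):
        findings.append("xmlparser-bound-to-xml-parser")

    # RunExecutableListener is off by default in fixed versions; flag any use.
    for lst in root.iter("listener"):
        if short_class(lst.get("class", "")) == "RunExecutableListener":
            findings.append("run-executable-listener:" + lst.get("event", "?"))
    return findings


if __name__ == "__main__":
    for label, cfg in (("hardened", HARDENED), ("risky", RISKY), ("unset", UNSET)):
        print(label, audit_solrconfig(cfg) or "ok")
```

A `xmlparser-not-overridden` finding is acceptable only when the deployment runs one of the Solr versions the message lists as fixed (5.5.5, 6.6.2, 7.1.0).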