[ https://issues.apache.org/jira/browse/RANGER-1942?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Pradeep Agrawal updated RANGER-1942:
------------------------------------
    Fix Version/s:     (was: 0.7.2)

> Disable xmlparser and configEdit API in Solr for Audit setup
> ------------------------------------------------------------
>
>                 Key: RANGER-1942
>                 URL: https://issues.apache.org/jira/browse/RANGER-1942
>             Project: Ranger
>          Issue Type: Bug
>          Components: audit
>            Reporter: Kevin Risden
>            Priority: Major
>
> AMBARI-22273 addresses this for Ambari Infra Solr. Ranger should do its best 
> to protect users from using a config that could be an issue. Solr 5.5.5, 
> 6.6.2, and 7.1.0 all fix the below issues.
> A fix for Ranger would be to set the following in solrconfig.xml. Another 
> could be to make sure that the documentation for Ranger -> Solr ensures that 
> recommended versions are used.
> {code:xml}
> <queryParser name="xmlparser" class="solr.ExtendedDismaxQParserPlugin" />
> {code}
> From https://lucene.apache.org/solr/news.html
> * Fix for a 0-day exploit (CVE-2017-12629), details: 
> https://s.apache.org/FJDl. RunExecutableListener has been disabled by default 
> (can be enabled by -Dsolr.enableRunExecutableListener=true) and resolving 
> external entities in the XML query parser (defType=xmlparser or {!xmlparser 
> ... }) is disabled by default.
> * Fix for CVE-2017-7660: Security Vulnerability in secure inter-node 
> communication in Apache Solr, details: https://s.apache.org/APTY



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
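
An added example, not part of the original issue or of Ranger's own code: a check of a solrconfig.xml string against the override quoted above, plus the RunExecutableListener and fixed-version points from the Solr news item. The function names and both sample configs are constructed for illustration; treating release lines after 7.x as fixed is an assumption.

```python
import xml.etree.ElementTree as ET

# Fixed releases named in the issue, keyed by major release line.
FIXED = {5: (5, 5, 5), 6: (6, 6, 2), 7: (7, 1, 0)}

def version_is_fixed(version):
    """True if `version` is at or above the fixed release of its line."""
    parts = (tuple(int(p) for p in version.split(".")) + (0, 0))[:3]
    major = parts[0]
    if major > max(FIXED):  # assumption: later lines carry the fix
        return True
    return major in FIXED and parts >= FIXED[major]

def audit_solrconfig(xml_text):
    """Return a list of findings for the text of a solrconfig.xml."""
    root = ET.fromstring(xml_text)
    findings = []
    parsers = [qp for qp in root.iter("queryParser")
               if qp.get("name") == "xmlparser"]
    if not parsers:
        findings.append("xmlparser is not overridden; the built-in XML "
                        "query parser stays reachable")
    for qp in parsers:
        if qp.get("class") != "solr.ExtendedDismaxQParserPlugin":
            findings.append("xmlparser is mapped to %s, not the class "
                            "given in the issue" % qp.get("class"))
    for listener in root.iter("listener"):
        if (listener.get("class") or "").endswith("RunExecutableListener"):
            findings.append("RunExecutableListener configured for event "
                            "%s" % listener.get("event"))
    return findings

# Constructed sample configs, not taken from Ranger or Ambari.
WEAK = """<config>
  <updateHandler class="solr.DirectUpdateHandler2">
    <listener event="postCommit" class="solr.RunExecutableListener" />
  </updateHandler>
</config>"""

HARDENED = """<config>
  <queryParser name="xmlparser" class="solr.ExtendedDismaxQParserPlugin" />
</config>"""

if __name__ == "__main__":
    for label, text in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit_solrconfig(text) or "no findings")
    print("6.6.1 fixed?", version_is_fixed("6.6.1"))
```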
