[ https://jira.duraspace.org/browse/DS-858?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Peter Dietz resolved DS-858.
----------------------------

    Resolution: Fixed

> Multicore SOLR needs prevent remote access to solr cores
> --------------------------------------------------------
>
>                 Key: DS-858
>                 URL: https://jira.duraspace.org/browse/DS-858
>             Project: DSpace
>          Issue Type: Bug
>          Components: Solr
>    Affects Versions: 1.7.0
>            Reporter: Peter Dietz
>            Assignee: Mark Diggory
>            Priority: Major
>             Fix For: 1.7.1, 1.8.0
>
>         Attachments: diff-modules_dspace-solr_trunk_webapp_src_main_webapp_WEB-INF_web.xml-from-r5524-to-r6235.diff
>
>
> Kim Shepherd has noticed that a default installation of DSpace 1.7.0 with no
> further security hardening through configuration of Tomcat and Apache HTTPD
> will allow remote access to SOLR. This problem was created when Solr went
> multicore on DSpace. The security vulnerabilities are that a remote user
> could view data in solr (non anonymised usage data, private metadata) that is
> typically restricted from remote users. Additionally a malicious user could
> alter or delete data in Solr.
> The fix for this is included in 1.7.1. Current users of DSpace 1.7.0 can
> either upgrade to 1.7.1 as soon as possible, or patch their
> [dspace]/webapps/solr/WEB-INF/web.xml with the change made in r6161
> https://fisheye3.atlassian.com/browse/dspace/modules/dspace-solr/trunk/webapp/src/main/webapp/WEB-INF/web.xml?r2=6161&r1=5524
> which moves the filter-mapping for LocalHostRestrictionFilter above
> SolrRequestFilter
> After patching or upgrading your system, those using Discovery should reindex
> their content.
> [dspace]/bin/dspace update-discovery-index -f

--
This message is automatically generated by JIRA.
- If you think it was sent incorrectly contact one of the administrators: https://jira.duraspace.org/secure/Administrators.jspa
- For more information on JIRA, see: http://www.atlassian.com/software/jira

_______________________________________________
Dspace-devel mailing list
Dspace-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/dspace-devel
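
Added example, not part of the original message or the DSpace code base: a check that can be run against [dspace]/webapps/solr/WEB-INF/web.xml to confirm that the filter-mapping for LocalHostRestrictionFilter comes before the one for SolrRequestFilter, as the fix describes. The sample XML, the /* url-pattern and the function names are constructed for illustration.

```python
import sys
import xml.etree.ElementTree as ET

GUARD = "LocalHostRestrictionFilter"  # filter names as given in DS-858
GUARDED = "SolrRequestFilter"

def sample(names):
    """Constructed web.xml (not the real DSpace file) with mappings in the given order."""
    maps = "".join(
        "<filter-mapping><filter-name>%s</filter-name>"
        "<url-pattern>/*</url-pattern></filter-mapping>" % n for n in names)
    return '<web-app xmlns="http://java.sun.com/xml/ns/javaee">%s</web-app>' % maps

def local_name(tag):
    # Drop an XML namespace prefix such as "{http://...}filter-mapping".
    return tag.rsplit("}", 1)[-1]

def mapping_order(web_xml_text):
    """Filter names in the order their <filter-mapping> elements appear."""
    order = []
    for el in ET.fromstring(web_xml_text):
        if local_name(el.tag) != "filter-mapping":
            continue
        for child in el:
            if local_name(child.tag) == "filter-name":
                order.append((child.text or "").strip())
    return order

def check(web_xml_text):
    # Assumes both filters use url-pattern mappings, which the servlet
    # container applies in document order.
    order = mapping_order(web_xml_text)
    if GUARD not in order:
        return "FAIL: no filter-mapping for " + GUARD
    if GUARDED in order and order.index(GUARD) > order.index(GUARDED):
        return "FAIL: %s is mapped after %s" % (GUARD, GUARDED)
    return "OK"

if __name__ == "__main__":
    if len(sys.argv) > 1:  # path to a deployed web.xml
        with open(sys.argv[1], "rb") as fh:
            print(check(fh.read()))
    else:  # constructed samples: unpatched order, then patched order
        print(check(sample([GUARDED, GUARD])))
        print(check(sample([GUARD, GUARDED])))
```
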