[Dspace-devel] [DuraSpace JIRA] Resolved: (DS-858) Multicore SOLR needs prevent remote access to solr cores

Fri, 25 Mar 2011 11:07:35 -0700 

     [ 
https://jira.duraspace.org/browse/DS-858?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Peter Dietz resolved DS-858.
----------------------------

    Resolution: Fixed

> Multicore SOLR needs prevent remote access to solr cores
> --------------------------------------------------------
>
>                 Key: DS-858
>                 URL: https://jira.duraspace.org/browse/DS-858
>             Project: DSpace
>          Issue Type: Bug
>          Components: Solr
>    Affects Versions: 1.7.0
>            Reporter: Peter Dietz
>            Assignee: Mark Diggory
>            Priority: Major
>             Fix For: 1.7.1, 1.8.0
>
>         Attachments: 
> diff-modules_dspace-solr_trunk_webapp_src_main_webapp_WEB-INF_web.xml-from-r5524-to-r6235.diff
>
>
> Kim Shepherd has noticed that a default installation of DSpace 1.7.0 with no 
> further security hardening through configuration of Tomcat and Apache HTTPD 
> will allow remote access to SOLR. This problem was created when Solr went 
> multicore on DSpace. The security vulnerabilities are that a remote user 
> could view data in solr (non anonymised usage data, private metadata) that is 
> typically restricted from remote users. Additionally a malicious user could 
> alter or delete data in Solr.
> The fix for this is included in 1.7.1. Current users of DSpace 1.7.0 can 
> either upgrade to 1.7.1 as soon as possible, or patch their 
> [dspace]/webapps/solr/WEB-INF/web.xml with the change made in r6161 
> https://fisheye3.atlassian.com/browse/dspace/modules/dspace-solr/trunk/webapp/src/main/webapp/WEB-INF/web.xml?r2=6161&r1=5524
>  which moves the filter-mapping for LocalHostRestrictionFilter above 
> SolrRequestFilter
> After patching or upgrading your system, those using Discovery should reindex 
> their content. 
> [dspace]/bin/dspace update-discovery-index -f

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: 
https://jira.duraspace.org/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira

        

------------------------------------------------------------------------------
Enable your software for Intel(R) Active Management Technology to meet the
growing manageability and security demands of your customers. Businesses
are taking advantage of Intel(R) vPro (TM) technology - will your software 
be a part of the solution? Download the Intel(R) Manageability Checker 
today! http://p.sf.net/sfu/intel-dev2devmar
_______________________________________________
Dspace-devel mailing list
Dspace-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/dspace-devel

Reply via email to