Hi Team,

Currently we are facing the below vulnerability for the Apache Solr tool. So can 
you please check the below details and help us to fix this issue.

/etc/init.d/solr-master version

Server version: Apache Tomcat/7.0.62
Server built: May 7 2015 17:14:55 UTC
Server number: 7.0.62.0
OS Name: Linux
OS Version: 2.6.32-431.29.2.el6.x86_64
Architecture: amd64
JVM Version: 1.8.0_20-b26
JVM Vendor: Oracle Corporation


"solr-spec-version":"4.10.4",

Solr is an enterprise search platform.

Solr is prone to a remote code execution vulnerability.

Affected Versions:
Apache Solr versions prior to 6.6.2 and prior to 7.1.0

QID Detection Logic (Unauthenticated):
This QID sends a specifically crafted request which includes special entities in 
the XML document and looks for the vulnerable response.
Alternatively, in another check, this QID matches vulnerable versions in the 
response webpage.
Successful exploitation allows an attacker to execute arbitrary code.
The vendor has issued updated packages to fix this vulnerability.

For more information about the vulnerability and obtaining patches, refer to the 
following Fedora security advisories:
Apache Solr 6.6.2: https://lucene.apache.org/solr/news.html
More information regarding the update can be found at Apache Solr 7.1.0: 
https://lucene.apache.org/solr/news.html

Patch:
Following are links for downloading patches to fix the vulnerabilities:
Apache Solr 6.6.2: https://lucene.apache.org/solr/news.html
Apache Solr 7.1.0: https://lucene.apache.org/solr/news.html


Thanks...
Wasim Shaikh
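The scanner finding quoted in the mail gives two fixed releases (6.6.2 for the 6.x line, 7.1.0 for the 7.x line) and shows the `solr-spec-version` key from Solr's admin system-info response. The following is an added example, not code from the mail, from Solr or from the scanner vendor: it extracts that key from a system-info body and applies the version rule from the finding. It assumes that every release older than 6.6.2 (including the 4.10.4 in the mail) counts as affected and that 8.x or later ships with the fix; the sample response body is constructed and only mirrors the version value quoted above.

```python
import re

# Fixed releases named in the scanner finding: 6.6.2 for the 6.x line and
# 7.1.0 for the 7.x line. Assumption: anything older than 6.6.2 (4.x, 5.x)
# is affected, and lines newer than 7.x are fixed.
FIXED_VERSIONS = {6: (6, 6, 2), 7: (7, 1, 0)}
FIRST_FIXED = (6, 6, 2)


def parse_version(text):
    """Parse '4.10.4' (or '7.1.0-SNAPSHOT') into a comparable tuple of ints."""
    m = re.match(r"\s*(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised Solr version string: {text!r}")
    return tuple(int(g or 0) for g in m.groups())


def is_affected(version):
    """True when the version falls below the fixed release of its line."""
    v = parse_version(version)
    major = v[0]
    if major in FIXED_VERSIONS:
        return v < FIXED_VERSIONS[major]
    # No per-line fix exists before 6.x, so compare against the earliest fix;
    # 8.x and later compare as newer and are reported as not affected.
    return v < FIRST_FIXED


def extract_spec_version(system_info_json):
    """Pull the solr-spec-version value out of an admin system-info body.

    A regex is used instead of json.loads so that a truncated paste, such as
    the single line quoted in the mail, still yields the version.
    """
    m = re.search(r'"solr-spec-version"\s*:\s*"([^"]+)"', system_info_json)
    if not m:
        raise ValueError("solr-spec-version not found in response")
    return m.group(1)


def assess(system_info_json):
    """Return (version, affected) for a system-info response body."""
    version = extract_spec_version(system_info_json)
    return version, is_affected(version)


# Constructed sample of the relevant part of a system-info response; the
# version value is the one quoted in the mail, the rest is placeholder.
SAMPLE_SYSTEM_INFO = """{
  "responseHeader":{"status":0,"QTime":1},
  "lucene":{
    "solr-spec-version":"4.10.4",
    "lucene-spec-version":"4.10.4"}
}"""

if __name__ == "__main__":
    version, affected = assess(SAMPLE_SYSTEM_INFO)
    print(f"solr-spec-version {version}: {'AFFECTED' if affected else 'fixed'}")
```

Run it against the body returned by the Solr admin system-info endpoint on each node; the first-fixed comparison is what turns the 4.10.4 in the mail into an "affected" verdict, and the per-line table is what keeps 6.6.2 and 7.1.0 from being flagged even though 6.6.2 sorts below 7.1.0.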
