
Multicore SOLR needs to prevent remote access to solr cores

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 1.7.0
    • Fix Version/s: 1.7.1, 1.8.0
    • Component/s: Solr
    • Labels:
      None
    • Attachments:
      1
    • Comments:
      0
    • Documentation Status:
      In Description

      Description

      Kim Shepherd has noticed that a default installation of DSpace 1.7.0, with no further security hardening through configuration of Tomcat and Apache HTTPD, will allow remote access to SOLR. This problem was introduced when Solr went multicore in DSpace. The security impact is that a remote user could view data in Solr (non-anonymised usage data, private metadata) that is normally restricted from remote users. Additionally, a malicious user could alter or delete data in Solr.

      The fix for this is included in 1.7.1.

      How to Fix this Issue

      Current users of DSpace 1.7.0 can either upgrade to 1.7.1 as soon as possible (permanent fix), or replace/patch their existing web.xml file (quick fix).

      Quick Fix

      1. Replace [dspace]/webapps/solr/WEB-INF/web.xml with http://scm.dspace.org/svn/repo/modules/dspace-solr/tags/dspace-solr-parent-1.4.1.1/webapp/src/main/webapp/WEB-INF/web.xml
      2. Restart tomcat.
      3. If you are using Discovery, also be sure to then reindex discovery: [dspace]/bin/dspace update-discovery-index -f

      Please note that this quick fix is only temporary. The next time you rebuild DSpace 1.7.0 (by running 'ant update'), DSpace will re-install the insecure version of [dspace]/webapps/solr/WEB-INF/web.xml. Therefore, this fix is only recommended as a temporary way to resolve these issues until you are able to upgrade to 1.7.1.

      Permanent Fix - Upgrade to 1.7.1

      1. Follow the upgrade instructions at: https://wiki.duraspace.org/display/DSDOC/Upgrading+a+DSpace+Installation (As DSpace 1.7.1 is a bug-fix only release, it requires no modifications to your 1.7.0 database structure or configuration files. Most users upgrading from 1.7.0 to 1.7.1 should find this upgrade to be relatively painless, as it should not affect existing 1.7.0 customizations or configurations.)
      2. If you are using Discovery, also be sure to then reindex discovery: [dspace]/bin/dspace update-discovery-index -f
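      Both fixes above work by changing the Solr webapp's web.xml so that the cores are no longer answerable to arbitrary remote clients. The following servlet filter is an added illustration of how such a restriction can be enforced at the web.xml level; it is not DSpace's own code, and the package name, class name and the web.xml registration shown in the leading comment are assumptions. It admits a request only when the TCP peer address is a loopback address (127.0.0.0/8 or ::1) and answers everything else with HTTP 403.

```java
// Added example (not DSpace's own code): a servlet filter that lets the Solr
// webapp answer only requests that arrive over the loopback interface.
// Package, class name and the registration below are assumptions.
//
// Hypothetical registration in [dspace]/webapps/solr/WEB-INF/web.xml:
//   <filter>
//     <filter-name>LoopbackOnlyFilter</filter-name>
//     <filter-class>example.solr.LoopbackOnlyFilter</filter-class>
//   </filter>
//   <filter-mapping>
//     <filter-name>LoopbackOnlyFilter</filter-name>
//     <url-pattern>/*</url-pattern>
//   </filter-mapping>
package example.solr;

import java.io.IOException;
import java.net.InetAddress;
import java.net.UnknownHostException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

public class LoopbackOnlyFilter implements Filter {

    public void init(FilterConfig config) throws ServletException {
        // Nothing to configure: the policy is fixed to "loopback only".
    }

    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        // Only the TCP peer address is consulted. Headers such as
        // X-Forwarded-For are client-controlled and are deliberately ignored.
        if (isLoopback(request.getRemoteAddr())) {
            chain.doFilter(request, response);
            return;
        }
        if (response instanceof HttpServletResponse) {
            ((HttpServletResponse) response).sendError(
                    HttpServletResponse.SC_FORBIDDEN,
                    "Solr is only accessible from the local host");
        }
        // A non-HTTP response cannot be answered with a status; the request
        // is simply not passed down the chain, which still denies access.
    }

    /**
     * True for 127.0.0.0/8 and ::1. InetAddress.getByName() performs no DNS
     * lookup for a literal IP address, so this is a pure parse-and-check.
     */
    static boolean isLoopback(String remoteAddr) {
        if (remoteAddr == null) {
            return false; // fail closed
        }
        try {
            return InetAddress.getByName(remoteAddr).isLoopbackAddress();
        } catch (UnknownHostException e) {
            return false; // unparseable address: fail closed
        }
    }

    public void destroy() {
        // Nothing to release.
    }
}
```

      A filter of this kind only protects against clients that reach Tomcat directly; if Apache HTTPD proxies the Solr context, every request will appear to come from the loopback address and the proxy itself must refuse to forward /solr. Binding the Tomcat connector to 127.0.0.1 (or firewalling the Tomcat port) is a complementary, defence-in-depth control that survives the 'ant update' re-installation of web.xml described above. An installation whose DSpace front end queries Solr from a different host would need an explicit allow list instead of a loopback-only rule.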

      People

      • Assignee: Mark Diggory (mdiggory)
      • Reporter: Kim Shepherd (kshepherd)
      • Votes: 0
      • Watchers: 0
