Kim Shepherd has noticed that a default installation of DSpace 1.7.0 with no further security hardening through configuration of Tomcat and Apache HTTPD will allow remote access to SOLR. This problem was created when Solr went multicore on DSpace. The security vulnerabilities are that a remote user could view data in solr (non anonymised usage data, private metadata) that is typically restricted from remote users. Additionally a malicious user could alter or delete data in Solr.
The fix for this is included in 1.7.1.
How to Fix this Issue
Current users of DSpace 1.7.0 can either upgrade to 1.7.1 as soon as possible (permanent fix), or replace/patch their existing web.xml file (quick fix)
1. Replace [dspace]/webapps/solr/WEB-INF/web.xml with http://scm.dspace.org/svn/repo/modules/dspace-solr/tags/dspace-solr-parent-18.104.22.168/webapp/src/main/webapp/WEB-INF/web.xml
2. Restart tomcat.
3. If you are using Discovery, also be sure to then reindex discovery: [dspace]/bin/dspace update-discovery-index -f
Please note that this quick fix is only temporary. The next time you rebuild DSpace 1.7.0 (by running 'ant update'), DSpace will re-install the unsecure version of [dspace]/webapps/solr/WEB-INF/web.xml Therefore, this fix is only recommended as a temporary way to resolve these issues, until you are able to upgrade to 1.7.1
- Permanent Fix - Upgrade to 1.7.1 *
1. Follow the upgrade instructions at: https://wiki.duraspace.org/display/DSDOC/Upgrading+a+DSpace+Installation (As DSpace 1.7.1 is a bug-fix only release, it requires no modifications to your 1.7.0 database structure or configuration files. Most users upgrading from 1.7.0 to 1.7.1 should find this upgrade to be relatively painless, as it should not affect existing 1.7.0 customizations or configurations.)
2. If you are using Discovery, also be sure to then reindex discovery: [dspace]/bin/dspace update-discovery-index -f