SOLR vulnerabilities in v6 (and v5!)?


Michael White

Apr 11, 2024, 7:52:16 AM
to DSpace Tech

Hi,


We have 2 DSpace repositories – our main IR, which is DSpace v6.2, and a Data repository, which is DSpace v5.2 (yes, I know, both well out of support and neither is the latest version on their respective branches!) – both using the JSP UI – both are (very) heavily customised, which makes upgrades hard (so can’t just pop on the latest v6 or v5 releases) . . .


A colleague from our infrastructure team has contacted me as their vulnerability scanning software has identified issues with SOLR (on both systems), and he has asked me if it is possible to upgrade SOLR on those servers to (hopefully!) eradicate the identified vulnerabilities.


This is the list he sent me:


Apache Solr: CVE-2017-3164: SSRF issue in Apache Solr

Apache Solr: CVE-2019-0193: Apache Solr, Remote Code Execution via DataImportHandler

Apache Solr: CVE-2019-12401: XML Bomb in Apache Solr versions prior to 5.0

Apache Solr: CVE-2020-13941: Apache Solr information disclosure vulnerability

Apache Solr: CVE-2021-27905: SSRF vulnerability with the Replication handler

Apache Solr: CVE-2021-29262: Misapplied Zookeeper ACLs can result in leakage of configured authentication and authorization settings

Apache Solr: CVE-2021-29943: Apache Solr Unprivileged users may be able to perform unauthorized read/write to collections


Does anyone know if DSpace v6.2 and/or v5.2 are vulnerable to any of these, or know where I can look to find out – I tried searching the DSpace documentation/release notes/mailing list but didn’t find any mention of any of these, but I could just not be looking in the right place! (or maybe that means DSpace is not vulnerable?) . . .


And, if any of these vulnerabilities are exploitable in either version v6.2 or v5.2, does anyone know any way to resolve the issues in a “light touch” way (i.e. without doing a full upgrade) – e.g. “just” change the version number(s) in the (SOLR) POM, or apply this or that patch/diff (to update bits of DSpace that are affected) . . . ?


Of course, the upgrade to v7 (or even v8!) is still on my to do list, but it’s still a way down the road due to other priorities, so I need to patch/fudge my way round this for the time being (assuming any of these are an issue of course!) . . .


Any information, pointers, or suggestions that anyone may have would be very welcome.


Cheers,


Mike


Michael White
Senior Developer
Product Development

Information Services
University of Stirling
Stirling
FK9 4LA

Tel: +44 (0) 1786 466877
Email:
michael.white@stir.ac.uk
Web: Information Services


My normal working hours are: Mon-Fri, 8.30-4.30


Edmund Balnaves

Apr 11, 2024, 4:46:35 PM
to DSpace Technical Support
As long as you are not exposing the DSpace SOLR to the public web interface, the scope of this issue is limited. You should however at least take the upgrade to DSpace 6.4.

Edmund
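For anyone wanting to verify Edmund's point on their own server, the added example below (not from this thread, DSpace or Solr) extracts the version the Solr webapp reports from its `/solr/admin/info/system?wt=json` response and checks whether the port is bound only to loopback in `ss -ltn` output; that the DSpace Solr webapp answers on localhost:8080 under `/solr` is an assumption, and the sample data is constructed so the script runs offline.

```shell
#!/bin/sh
# Added example, not from the thread or from DSpace. Assumptions: the DSpace Solr
# webapp answers on localhost:8080 under /solr, and `ss -ltn` is available.
# Live use would be:
#   curl -s 'http://localhost:8080/solr/admin/info/system?wt=json' | solr_version_from_json
#   ss -ltn | solr_bind_is_local 8080
# The sample data below is constructed so the script runs offline.

# Print the solr-spec-version field from /solr/admin/info/system JSON read on stdin.
solr_version_from_json() {
    sed -n 's/.*"solr-spec-version"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' | head -n 1
}

# Read `ss -ltn` output on stdin; succeed only if at least one listener is on port $1
# and every such listener is bound to a loopback address (127.0.0.1 or ::1).
solr_bind_is_local() {
    awk -v port="$1" '
        NR > 1 {
            addr = $4
            n = split(addr, parts, ":")
            if (parts[n] != port) next
            host = substr(addr, 1, length(addr) - length(port) - 1)
            if (host != "127.0.0.1" && host != "[::1]" && host != "::1") exposed = 1
            seen = 1
        }
        END { if (seen && !exposed) exit 0; exit 1 }'
}

# Constructed sample data: a trimmed system-info response and two ss listings.
SAMPLE_SYSINFO='{"responseHeader":{"status":0},"lucene":{"solr-spec-version":"4.10.4","solr-impl-version":"4.10.4 sample"}}'
SAMPLE_LOCAL='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    127.0.0.1:8080     0.0.0.0:*
LISTEN 0      128    0.0.0.0:443        0.0.0.0:*'
SAMPLE_EXPOSED='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    *:8080             *:*'

version=$(printf '%s\n' "$SAMPLE_SYSINFO" | solr_version_from_json)
echo "Solr reports version: ${version:-unknown}"
for sample in "$SAMPLE_LOCAL" "$SAMPLE_EXPOSED"; do
    if printf '%s\n' "$sample" | solr_bind_is_local 8080; then
        echo "port 8080: loopback only"
    else
        echo "port 8080: not loopback-only (or not listening); review firewall/proxy rules"
    fi
done
```

The version string is what to compare against the fixed versions in the scanner's CVE advisories; a non-loopback bind means the Solr admin and handler endpoints are reachable from wherever the host's firewall allows.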