SOLR vulnerability issue


Donald R Elsborg

Feb 16, 2023, 3:49:48 PM
to vivo...@googlegroups.com

Hello,

Our IT department did a scan against our VIVO system and found a vulnerability.

They are recommending we upgrade our SOLR.

Has anybody tested SOLR >= 8.8.2 with VIVO?


Details are below.

Thanks

Don


The CVE for this vulnerability is here: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27905


Here is the summary from the CVE:
"The ReplicationHandler (normally registered at "/replication" under a Solr core) in Apache Solr has a "masterUrl" (also "leaderUrl" alias) parameter that is used to designate another ReplicationHandler on another Solr core to replicate index data into the local core. To prevent a SSRF vulnerability, Solr ought to check these parameters against a similar configuration it uses for the "shards" parameter. Prior to this bug getting fixed, it did not. This problem affects essentially all Solr versions prior to it getting fixed in 8.8.2."

Qualys used a crafted HTTP request to the /replication URL of the VIVO Solr application to confirm the vulnerability.


Don Elsborg

Lead Architect

Faculty Information System

Office of Data Analytics

University of Colorado, Boulder
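A defender-side check for the two points in the CVE text quoted above, as an added example that is not part of this thread or of the VIVO or Solr projects: a version comparison against the 8.8.2 fix, and a scan of access logs for /replication requests whose masterUrl or leaderUrl names a host outside an allowlist of replication sources. The allowlist, the log layout and the sample lines are assumptions constructed for the example.

```python
from urllib.parse import parse_qs, urlsplit

# Assumption: hosts this instance may replicate from, standing in for the
# shards allowlist that the CVE text says masterUrl should be checked against.
ALLOWED_REPLICATION_HOSTS = {"solr-primary.example.internal:8983"}

FIXED_VERSION = (8, 8, 2)  # first release with the masterUrl check


def is_fixed(version: str) -> bool:
    """True if a Solr version string is at or above the 8.8.2 fix."""
    parts = tuple(int(p) for p in version.split(".")[:3])
    return parts + (0,) * (3 - len(parts)) >= FIXED_VERSION


def suspicious_replication_requests(log_lines):
    """Return (line, target) pairs for /replication requests whose masterUrl
    or leaderUrl names a host outside ALLOWED_REPLICATION_HOSTS."""
    hits = []
    for line in log_lines:
        try:  # constructed combined-log layout: ip - - [ts] "METHOD path HTTP/1.1" status
            path = line.split('"')[1].split(" ")[1]
        except IndexError:
            continue
        url = urlsplit(path)
        if not url.path.endswith("/replication"):
            continue
        params = parse_qs(url.query)  # decodes %3A%2F%2F and friends
        for key in ("masterUrl", "leaderUrl"):
            for target in params.get(key, []):
                if urlsplit(target).netloc not in ALLOWED_REPLICATION_HOSTS:
                    hits.append((line, target))
    return hits


# Constructed sample log lines (not real traffic); private and documentation addresses only.
SAMPLE_LOG = [
    '10.0.0.5 - - [16/Feb/2023:10:00:01 -0700] "GET /solr/vivocore/replication'
    '?command=fetchindex&masterUrl=http%3A%2F%2Fsolr-primary.example.internal'
    '%3A8983%2Fsolr%2Fvivocore%2Freplication HTTP/1.1" 200',
    '203.0.113.9 - - [16/Feb/2023:10:00:02 -0700] "GET /solr/vivocore/replication'
    '?command=fetchindex&masterUrl=http%3A%2F%2F10.0.0.1%3A8080%2F HTTP/1.1" 200',
    '203.0.113.9 - - [16/Feb/2023:10:00:03 -0700] "GET /solr/vivocore/replication'
    '?command=fetchindex&leaderUrl=http%3A%2F%2Fexternal.example.net%2Fx HTTP/1.1" 200',
    '10.0.0.5 - - [16/Feb/2023:10:00:04 -0700] "GET /solr/vivocore/select?q=*:* HTTP/1.1" 200',
]

if __name__ == "__main__":
    for line, target in suspicious_replication_requests(SAMPLE_LOG):
        print("replication target outside allowlist:", target)
```

On the sample above, the first request (allowlisted primary) and the /select request pass, while the two requests pointing at other hosts are reported.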


Benjamin Gross

Feb 23, 2023, 12:51:36 AM
to vivo...@googlegroups.com
Hi Don,
VIVO works fine with Solr 8.11.2. I haven’t tried the 9.x line, yet.

Benjamin
_____________________________
Benjamin Gross
Senior Product Manager, Web of Science APIs

Time zone: MST (UTC-7)
