Hello,
Our IT department did a scan against our VIVO system and found a vulnerability.
They are recommending we upgrade our SOLR.
Has anybody tested SOLR >= 8.8.2 with VIVO?
Details are below.
Thanks
Don
The CVE for this vulnerability is here: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27905
Here is the summary from the CVE:
"The ReplicationHandler (normally registered at "/replication" under a Solr core) in Apache Solr has a "masterUrl" (also "leaderUrl" alias) parameter that is used to designate another ReplicationHandler on another Solr core to replicate index data into the local core. To prevent a SSRF vulnerability, Solr ought to check these parameters against a similar configuration it uses for the "shards" parameter. Prior to this bug getting fixed, it did not. This problem affects essentially all Solr versions prior to it getting fixed in 8.8.2."
Qualys used a crafted HTTP request to the /replication URL of the VIVO Solr application to confirm the vulnerability.
Don Elsborg
Lead Architect
Faculty Information System
Office of Data Analytics
University of Colorado, Boulder
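The CVE summary quoted above describes the missing check: a request parameter that names another server (masterUrl / leaderUrl) must be validated against the same allowlist that governs the "shards" parameter, otherwise the server can be made to fetch from any host it can reach. The following is an added illustration of that allowlist check, written for this thread; it is not Solr's own code and not part of Don's message. It assumes an allowlist kept in host:port form (as Solr's shards allowlist is) and, going a step beyond the CVE text, also shows how an administrator could review Solr request logs from before an upgrade for /replication requests that name a host outside the allowlist. The log lines are constructed and only approximate Solr's request-log layout.

```python
"""Allowlist check for a replication-source URL, plus a log review helper.

Illustration for the VIVO Tech thread on CVE-2021-27905; not Apache Solr code.
Assumption: the allowlist is a set of "host:port" strings, compared
case-insensitively on the hostname, like Solr's shards allowlist.
"""
import re
from urllib.parse import parse_qs, urlparse

# Constructed allowlist: the only servers this core should ever replicate from.
ALLOWED_SHARDS = {"solr1.example.org:8983", "solr2.example.org:8983"}


def is_allowed_replication_url(url, allowlist=ALLOWED_SHARDS):
    """Return True only if url's scheme is http(s) and its host:port is allowed.

    parsed.hostname already strips any user@ prefix, so a URL such as
    http://allowed-host:8983@other-host:8983/ is judged on other-host, which
    is what the server would actually connect to.
    """
    try:
        parsed = urlparse(url)
        port = parsed.port  # raises ValueError on a malformed port
    except ValueError:
        return False
    if parsed.scheme not in ("http", "https") or not parsed.hostname:
        return False
    if port is None:
        port = 443 if parsed.scheme == "https" else 80
    return f"{parsed.hostname.lower()}:{port}" in allowlist


# Matches the "path=... params={...}" part of a Solr request-log line.
LOG_LINE = re.compile(r"path=(?P<path>\S+)\s+params=\{(?P<params>[^}]*)\}")


def find_unallowed_replication_requests(log_lines, allowlist=ALLOWED_SHARDS):
    """Return (line, url) pairs for /replication requests whose masterUrl or
    leaderUrl names a host:port outside the allowlist.

    Useful for reviewing logs written while an unpatched Solr was running.
    """
    hits = []
    for line in log_lines:
        match = LOG_LINE.search(line)
        if not match or match.group("path") != "/replication":
            continue
        params = parse_qs(match.group("params"))  # values are URL-decoded here
        for key in ("masterUrl", "leaderUrl"):
            for url in params.get(key, []):
                if not is_allowed_replication_url(url, allowlist):
                    hits.append((line, url))
    return hits


# Constructed sample lines approximating Solr's request-log layout.
SAMPLE_LOG = [
    "2021-04-20 10:01:02.345 INFO  (qtp1-17) [   x:vivo] o.a.s.c.S.Request [vivo]"
    "  webapp=/solr path=/select params={q=*:*} status=0 QTime=3",
    "2021-04-20 10:01:05.000 INFO  (qtp1-18) [   x:vivo] o.a.s.c.S.Request [vivo]"
    "  webapp=/solr path=/replication params={command=fetchindex"
    "&masterUrl=http%3A%2F%2Fsolr1.example.org%3A8983%2Fsolr%2Fvivo} status=0 QTime=12",
    "2021-04-20 10:02:09.000 INFO  (qtp1-19) [   x:vivo] o.a.s.c.S.Request [vivo]"
    "  webapp=/solr path=/replication params={command=fetchindex"
    "&masterUrl=http%3A%2F%2F10.0.0.5%3A8983%2Fsolr%2Fvivo} status=0 QTime=9",
]

if __name__ == "__main__":
    for line, url in find_unallowed_replication_requests(SAMPLE_LOG):
        print("replication source outside allowlist:", url)
```

Of the three constructed lines, only the last is reported: its masterUrl points at 10.0.0.5:8983, which is not in the allowlist, while the /select request is ignored and the request naming solr1.example.org:8983 passes. The check compares host and port rather than the URL string so that default ports, letter case, and a user@ prefix cannot be used to slip past a string-based comparison.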
You received this message because you are subscribed to the Google Groups "VIVO Tech" group.