SOLR Security Vulnerability CVE-2019-0192 (SOLR-13301) – Disabling Config API

Applying fixes for security vulnerabilities is a critical activity for preventing intrusions and ensuring the security of the system. While it is vital to continuously monitor and apply the security fixes released for the tools used in the implementation, it is also essential, during initial infrastructure setup, to review and deploy the previously released security fixes for the chosen versions of those tools.

This blog covers the options available to mitigate the SOLR security vulnerability CVE-2019-0192 (SOLR-13301), which affects versions 5.0–5.5.5 and 6.0–6.6.5. When using Sitecore 9.0 or 8.2 with SOLR as the search platform, the implementation might be running on one of the above-mentioned SOLR versions. The options available to overcome this vulnerability can be found in the Sitecore/SOLR documentation:
https://kb.sitecore.net/articles/227897#note6
https://issues.apache.org/jira/browse/SOLR-13301

While the most recommended option is to upgrade to recent versions of Sitecore and SOLR, which also allows leveraging the latest features, disabling the Config API works well when an immediate solution is needed.

The Config API enables manipulating various aspects of solrconfig.xml using REST-like API calls.
This feature is enabled by default and works similarly in both SolrCloud and standalone mode. Many commonly edited properties (such as cache sizes and commit settings) and request handler definitions can be changed with this API.

The Config API can be disabled by adding the system property disable.configEdit=true to the SOLR_OPTS environment variable defined in the solr.in.cmd file located in the SOLR bin folder. This is done by adding the following lines to solr.in.cmd:

REM Disabling Config API for mitigating Security Vulnerability https://issues.apache.org/jira/browse/SOLR-13301
set SOLR_OPTS=%SOLR_OPTS% -Ddisable.configEdit=true

The SOLR service must be restarted for the system property added above to take effect.

If you are using a PowerShell script for installing SOLR, adding the following lines to the script should take care of it:

$SolrInCmd_Path = "S:\SOLR\solr-6.6.5\bin\solr.in.cmd"

##Disabling Config API for mitigating Security Vulnerability for v6.6.5 https://issues.apache.org/jira/browse/SOLR-13301
Add-Content -Path $SolrInCmd_Path -Value 'REM Disabling Config API for mitigating Security Vulnerability https://issues.apache.org/jira/browse/SOLR-13301'
Add-Content -Path $SolrInCmd_Path -Value 'set SOLR_OPTS=%SOLR_OPTS% -Ddisable.configEdit=true'

The following curl command can be used to confirm that the Config API is disabled. It should result in a 403 Forbidden error:

curl https://localhost:8983/solr/<core_name>/config -H "Accept: application/json" -H "Content-type:application/json" -d "{'set-user-property' : {'variable_name':'some_value'}}"
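The Add-Content lines above append unconditionally, so re-running the installer would duplicate them, and the curl check has to be read by eye. As an added example (not code from the original post or from Sitecore/Solr), the following PowerShell script appends the property only when it is missing and then checks that a Config API edit request is refused with 403; the solr.in.cmd path, base URL and core name are assumptions to adjust for your environment.

```powershell
# Added example: idempotently set disable.configEdit in solr.in.cmd and
# verify that the Config API rejects edits. Paths, URL and core name are
# assumptions for illustration.
param(
    [string]$SolrInCmdPath = "S:\SOLR\solr-6.6.5\bin\solr.in.cmd",
    [string]$SolrBaseUrl   = "https://localhost:8983/solr",
    [string]$CoreName      = "sitecore_master_index"
)

$marker = "-Ddisable.configEdit=true"

if (-not (Test-Path $SolrInCmdPath)) {
    throw "solr.in.cmd not found at $SolrInCmdPath"
}

# Append only if the property is not already present, so re-running the
# installer does not add the same lines twice.
$existing = Get-Content -Path $SolrInCmdPath -Raw
if ($existing -match [regex]::Escape($marker)) {
    Write-Host "disable.configEdit already set in $SolrInCmdPath"
} else {
    Add-Content -Path $SolrInCmdPath -Value 'REM Disabling Config API for mitigating Security Vulnerability https://issues.apache.org/jira/browse/SOLR-13301'
    Add-Content -Path $SolrInCmdPath -Value 'set SOLR_OPTS=%SOLR_OPTS% -Ddisable.configEdit=true'
    Write-Host "Appended disable.configEdit to $SolrInCmdPath; restart the SOLR service."
}

# Verification: once Solr has been restarted with the property in place,
# a POST to /config must be refused with 403. Returns $true only on 403.
function Test-ConfigApiDisabled {
    param([string]$BaseUrl, [string]$Core)
    $body = '{"set-user-property": {"variable_name": "some_value"}}'
    try {
        Invoke-WebRequest -Uri "$BaseUrl/$Core/config" -Method Post `
            -ContentType "application/json" -Body $body -UseBasicParsing | Out-Null
        return $false   # request succeeded: the Config API is still writable
    } catch {
        $status = [int]$_.Exception.Response.StatusCode
        return ($status -eq 403)
    }
}

if (Test-ConfigApiDisabled -BaseUrl $SolrBaseUrl -Core $CoreName) {
    Write-Host "OK: Config API edit rejected with 403 Forbidden"
} else {
    Write-Warning "Config API edit was NOT rejected with 403; check SOLR_OPTS and restart SOLR"
}
```

Run the verification part only after the service restart, since the property is read at startup. If Solr is served with a self-signed certificate, a TLS failure in Invoke-WebRequest shows up here as a failed check (no 403), not as a sign that the Config API is still enabled.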

Alternatively, if the Config API is used in the implementation, applying SOLR-13301.patch and re-compiling SOLR, or hardening network settings to allow only trusted traffic, are viable options.
