Skip to end of metadataGo to start of metadata

1. Apache Solr Database
2. Apache Solr Indexing
3. Apache Lucene Solr

1. Exampledocs This is a small set of simple CSV, XML, and JSON files that can be used with bin/post when first getting started with Solr. For more information about using bin/post with these files, see Post Tool. Example-DIH This directory includes a few example DataImport Handler (DIH) configurations to help you get started with importing structured content in a database, an email server,.
2. BitNami Apache Solr Stack is an enterprise platform from the Apache Lucene project. Its major features include powerful full-text search, hit highlighting, faceted search, dynamic clustering, database integration, rich document (e.g., Word, PDF) handling, and geospatial search.
3. Solr Downloads ¶ Official releases are usually created when the developers feel there are sufficient changes, improvements and bug fixes to warrant a release. Due to the voluntary nature of Solr, no releases are scheduled in advance. Solr 8.6.2 ¶ Solr 8.6.2 is the most recent Apache Solr release.

BitNami Apache Solr Stack for Mac 8.3.1-0 freeware download - An environment to develop and deploy Java applications - Freeware downloads - best freeware - Best Freeware Download. Sep 26, 2018.

The authoritative guide on implementing security is in the Solr Reference Guide. This page describes security features in general, but also provides information about CVEs that have been patched or dependencies which do not require a patch for Solr.

Also refer to the news section on the Solr Web page.

Security Announcements

If you believe you have discovered a vulnerability in Lucene or Solr, please follow these ASF guidelines for reporting it.

For each CVE listed below, please be sure to read the mailing list announcement for full details and mitigation steps.

Apache Solr Database

Need for firewall

Even though you add SSL or Authentication plugins, it is still strongly recommended that the application server containing Solr be firewalled such the only clients with access to Solr are your own. A default/example installation of Solr allows any client with access to it to add, update, and delete documents (and of course search/read too), including access to the Solr configuration and schema files and the administrative user interface.

If there is a need to provide query access to a Solr server from the open internet, it is highly recommended to use a proxy, such as one of these.

Cross-Site Request Forgery (CSRF)

Even if a Solr instance is protected by good firewalls so that 'bad guys' have no direct access, that instance may be at risk to potential 'Cross-Site Request Forgery' based attacks if the following are all true:

Apache Solr Indexing

1. Some number of 'good guys' have direct access to that Solr instance from their web browsers.
2. A 'bad guy' knows/guesses the host:port/path of the Solr instance (even though they can not access it directly)
3. The bad guy can trick one of the good guy into clicking a maliciously crafted URL, or loading a webpage that contains malicious javascript.

This is because Solr's most basic behavior is to receive updates and deletes via HTTP. If you have a firewall or other security measure restricting Solr's /update handler so it only accepts connections from approved hosts/clients, but you are approved then you could inadvertently be tricked into loading a web page that initiates an HTTP Connection to Solr on your behalf.

It's important to keep this in mind when thinking about what it means to 'secure' an instance of Solr (if you have not already).

A basic technique that can be used to mitigate the risk of a possible CSRF attack like this is to configure your Servlet Container so that access to paths which can modify the index (ie: /update, /update/csv, etc...) are restricted either to specific client IPs, or using HTTP Authentication.

Streaming Consideration

Apache Lucene Solr

If streaming is enabled, you need to make sure Solr is as secure as it needs to be. When streaming is enabled, the parameters 'stream.url' will go to a remote site and download the content. Likewise, 'stream.file' will read a file on disk.

Streaming is disabled by default and is configured from solrconfig.xml

Indirect compromise through Tika vulnerabilities

One of the contrib modules that Solr includes is called SolrCell. This module adds the Extracting Request Handler. This component utilizes Apache Tika to parse rich documents like PDF and Microsoft Office and index the document contents into Solr.

The Tika software has had some security vulnerabilities. It would be theoretically possible for an attacker to upload a specially crafted file to be processed by Tika running inside Solr, or to trick an administrator into uploading such a file, and in that way compromise the Solr install.

For reasons not related to security, it is strongly recommended that this contrib module is never used in production. Tika can crash, and if such a crash happens in the SolrCell module, Solr will crash too. If that advice is followed, it would be very difficult to utilize Tika vulnerabilities to compromise Solr.

Solr and Vulnerability Scanning Tools

Many organizations have policies where software to be installed on the network must pass an examination by a vulnerability scanner which attempts to determine if there are known vulnerabilities in the application.

Solr includes many dependencies which may trigger warnings from a vulnerability scan but which the Lucene/Solr community has determined that they are false positives. As a general rule, the Lucene PMC will not accept the output of a vulnerability scan as a security report.

The following table lists the dependencies and associated CVEs which are not considered problems for Lucene or Solr.