Known Issues in Apache Solr
This topic describes known issues and workarounds for using Solr in this release of Cloudera Runtime.
Technical Service Bulletins
- TSB 2021-495: CVE-2021-29943: Apache Solr Unprivileged users may be able to perform unauthorized read/write to collections
- Using the ConfigurableInternodeAuthHadoopPlugin class as the authentication plugin with Ranger as the authorization module introduced a backdoor for unauthorized access to data. With this combination, when an authenticated user sends a query to a node that does not hold the data locally, the request is forwarded in the name of the Solr service user rather than in the name of the original requester. Authorization then happens against the user named solr, which may have almost full access. It may be the case that Infra Solr customers were advised to switch back to ConfigurableInternodeAuthHadoopPlugin; only these customers should be affected by this CVE.
- Knowledge article
- For the latest update on this issue see the corresponding Knowledge article: TSB 2021-495: Apache Solr Unprivileged users may be able to perform unauthorized read/write to collections - CVE-2021-29943
- TSB 2021-497: CVE-2021-27905: Apache Solr SSRF vulnerability with the Replication handler
- The Apache Solr ReplicationHandler (normally registered at "/replication" under a Solr core) accepts a "masterUrl" parameter (with "leaderUrl" as an alias). The "masterUrl" parameter designates another ReplicationHandler on another Solr core from which index data is replicated into the local core. To help prevent the CVE-2021-27905 SSRF vulnerability, Solr should validate these parameters against an allow-list, in the same way the "shards" parameter is validated, instead of fetching from whatever URL the request supplies.
- Knowledge article
- For the latest update on this issue see the corresponding Knowledge article: TSB 2021-497: CVE-2021-27905: Apache Solr SSRF vulnerability with the Replication handler
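The following Python function is an added illustration of the allow-list check the bulletin calls for; it is not Solr's or Cloudera's code. It assumes an allow-list written in the same host[:port] style as Solr's shards allow-list (the hostnames below are constructed for the example, and entries without an explicit port are assumed to mean Solr's default port 8983). The check parses the candidate masterUrl/leaderUrl, accepts only http or https, and compares the effective host and port against the allow-list, so that userinfo tricks, non-HTTP schemes and unlisted hosts are all rejected before any replication request is made.

```python
from typing import Optional, Tuple
from urllib.parse import urlsplit

# Constructed allow-list of replication leaders (host[:port]); these names are
# made up for this example and mirror the shards allow-list style, not a real site.
REPLICATION_ALLOWLIST = {
    "solr-leader-1.example.internal:8983",
    "solr-leader-2.example.internal",  # no port: treated as 8983 (assumption)
}

# Schemes a replication target may use, with their default ports.
DEFAULT_PORTS = {"http": 80, "https": 443}
SOLR_DEFAULT_PORT = 8983  # assumption for port-less allow-list entries


def normalize_host_port(entry: str) -> Optional[Tuple[str, int]]:
    """Turn an allow-list entry 'host[:port]' into a lowercase (host, port) tuple.

    Returns None for malformed entries so a typo never silently allows anything.
    """
    entry = entry.strip().lower()
    host, sep, port = entry.rpartition(":")
    if not sep:
        return entry, SOLR_DEFAULT_PORT
    if not host or not port.isdigit():
        return None
    return host, int(port)


def is_allowed_replication_url(url: str, allowlist=REPLICATION_ALLOWLIST) -> bool:
    """Return True only if url targets an allow-listed host:port over http(s).

    This is the defensive check the bulletin describes for masterUrl/leaderUrl:
    validate the destination against configuration instead of trusting the
    request parameter, which is what makes the handler an SSRF primitive.
    """
    try:
        parts = urlsplit(url)
    except ValueError:
        return False
    if parts.scheme not in DEFAULT_PORTS:
        return False  # file:, gopher:, jar: and friends are never leaders
    host = parts.hostname  # drops userinfo and brackets, lowercases the name
    if not host:
        return False
    try:
        port = parts.port or DEFAULT_PORTS[parts.scheme]
    except ValueError:
        return False  # non-numeric or out-of-range port
    allowed = {normalize_host_port(e) for e in allowlist} - {None}
    return (host, port) in allowed


if __name__ == "__main__":
    for candidate in (
        "http://solr-leader-1.example.internal:8983/solr/core1/replication",
        "http://solr-leader-1.example.internal/solr/core1/replication",
        "file:///var/solr/data",
    ):
        print(is_allowed_replication_url(candidate), candidate)
```

The comparison is done on the parsed hostname and effective port rather than on the raw string, which is why a URL whose userinfo section merely contains an allow-listed name still fails the check: the actual destination is what is compared.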