Known Issues in Apache Solr

This topic describes known issues and workarounds for using Solr in this release of Cloudera Runtime.

Technical Service Bulletins

TSB 2021-495: CVE-2021-29943: Apache Solr Unprivileged users may be able to perform unauthorized read/write to collections
Using the ConfigurableInternodeAuthHadoopPlugin class as the authentication plugin with Ranger as the authorization module introduced a backdoor for unauthorized access to data. With this combination, when an authenticated user sends a query to a node that does not have the data locally, the request is forwarded in the name of the Solr service user rather than in the name of the original requester. Authorization is then evaluated against the user named solr, which may have almost full access. It may be the case that infra Solr customers were advised to switch back to ConfigurableInternodeAuthHadoopPlugin. Only these customers should be affected by this CVE.
Impact
Authenticated users can reach resources that they are not authorized to access.
Action required
  • Upgrade (recommended)
    • Upgrade to CDP Private Cloud Base 7.1.7 or later.
    • Upgrade to CDP Public Cloud 7.2.10 or later.
  • Workaround

    Change the security JSON of Solr, and modify the Authentication settings to use the HadoopAuthPlugin using the following steps:

    1. Edit the following file on all Solr nodes:

      (PARCEL_HOME)/lib/solr/clusterconfig/hadoop_multi_scheme_config.json

      1. Change this line: "class": "org.apache.solr.security.ConfigurableInternodeAuthHadoopPlugin",

        to: "class": "org.apache.solr.security.HadoopAuthPlugin",

      2. Remove this line: "clientBuilderFactory": "org.apache.solr.client.solrj.impl.Krb5HttpClientBuilder",
    2. Restart the Solr service.
    3. Check if the changes took effect by looking at the security.json file in ZooKeeper, using one of the following methods:
      1. On the Solr admin UI, go to: Cloud > tree > security.json
      2. SSH to a node and run the following command: $ solrctl cluster --get-securityconf
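As an added example (not part of this bulletin or of Cloudera's tooling), the following Python script detects the affected authentication/authorization combination in a Solr security JSON, applies the two edits from step 1, and performs the step 3 check on the security.json read back from ZooKeeper. The file layout (top-level "authentication" and "authorization" objects, each with a "class" key) and the Ranger authorizer class name used in the sample are assumptions.

```python
import json

# Constructed sample of a Solr security JSON in the affected state.
# Layout assumed: top-level "authentication" and "authorization" objects,
# each carrying a "class" key, as in a standard security.json.
VULNERABLE_CONFIG = json.dumps({
    "authentication": {
        "class": "org.apache.solr.security.ConfigurableInternodeAuthHadoopPlugin",
        "clientBuilderFactory": "org.apache.solr.client.solrj.impl.Krb5HttpClientBuilder",
        "schemes": [{"scheme": "kerberos"}],  # unrelated keys must survive the edit
    },
    "authorization": {
        # Ranger authorizer class name is assumed for this sample only
        "class": "org.apache.ranger.authorization.solr.authorizer.RangerSolrAuthorizer",
    },
})

VULNERABLE_PLUGIN = "org.apache.solr.security.ConfigurableInternodeAuthHadoopPlugin"
FIXED_PLUGIN = "org.apache.solr.security.HadoopAuthPlugin"


def is_affected(security_json: str) -> bool:
    """True when the TSB 2021-495 combination is present: the internode
    Hadoop authentication plugin together with a Ranger authorizer."""
    cfg = json.loads(security_json)
    auth_class = cfg.get("authentication", {}).get("class", "")
    authz_class = cfg.get("authorization", {}).get("class", "")
    return auth_class == VULNERABLE_PLUGIN and "Ranger" in authz_class


def apply_workaround(security_json: str) -> str:
    """Return the config with the step 1 edits applied: swap the plugin
    class to HadoopAuthPlugin and drop the clientBuilderFactory entry."""
    cfg = json.loads(security_json)
    auth = cfg.setdefault("authentication", {})
    if auth.get("class") == VULNERABLE_PLUGIN:
        auth["class"] = FIXED_PLUGIN
    auth.pop("clientBuilderFactory", None)
    return json.dumps(cfg, indent=2)


def verify_deployed(security_json: str) -> bool:
    """Step 3 check on the security.json read back from ZooKeeper: the fixed
    plugin must be in place and the Krb5 client builder entry gone."""
    auth = json.loads(security_json).get("authentication", {})
    return auth.get("class") == FIXED_PLUGIN and "clientBuilderFactory" not in auth
```

Run verify_deployed against the output of solrctl cluster --get-securityconf on each node after the restart; a False result means the edited file was not picked up.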
Knowledge article
For the latest update on this issue see the corresponding Knowledge article: TSB 2021-495: Apache Solr Unprivileged users may be able to perform unauthorized read/write to collections - CVE-2021-29943
TSB 2021-497: CVE-2021-27905: Apache Solr SSRF vulnerability with the Replication handler
The Apache Solr ReplicationHandler (normally registered at "/replication" under a Solr core) has a "masterUrl" (also "leaderUrl" alias) parameter. The "masterUrl" parameter is used to designate another ReplicationHandler on another Solr core to replicate index data into the local core. To help prevent the CVE-2021-27905 SSRF vulnerability, Solr should check these parameters against a similar configuration used for the "shards" parameter.
Impact
Attackers can set untrusted leaders for follower nodes.
Action required
  • CDH, HDP, HDF, HDP Search and CDP users:
    • Make sure that authentication and authorization are enabled for Solr to help ensure that only users with admin privileges may exploit this vulnerability.
    • Upgrade to the latest version of CDP Private Cloud Base (7.1.7) or CDP Public Cloud (7.2.10 and above).
  • Cloudera Navigator users:
    • PATCH-4792 available for CM 6.3.4 (this patch addresses TSB-472 as well).
    • CM 7.4.2 and above contains the fix for this vulnerability.
Knowledge article
For the latest update on this issue see the corresponding Knowledge article: TSB 2021-497: CVE-2021-27905: Apache Solr SSRF vulnerability with the Replication handler