Release date:
Updated on:
Affected Systems:
Apache Group Solr < 4.1
Description:
--------------------------------------------------------------------------------
Bugtraq id: 64427
CVE (CAN) ID: CVE-2012-6612
Solr is a Lucene-based enterprise search server.
The UpdateRequestHandler for XSLT and the XPathEntityProcessor in Apache Solr 4.1 or earlier versions allow remote attackers to obtain sensitive information or cause a denial of service (DoS) by submitting XML data that contains an external entity declaration together with an entity reference.
<* Source: Martin Herfurt (martin.herfurt@trifinite.org)
Link: https://issues.apache.org/jira/browse/SOLR-3895
http://svn.apache.org/viewvc/lucene/dev/branches/branch_4x/solr/CHANGES.txt?view=markup
*>
Suggestion:
--------------------------------------------------------------------------------
Vendor patch:
Apache Group
------------
The vendor has released a patch to fix this security problem. Please download it from the vendor's homepage:
https://issues.apache.org/jira/browse/SOLR
http://svn.apache.org/viewvc/lucene/dev/branches/branch_4x/solr/CHANGES.txt?view=markup
https://issues.apache.org/jira/browse/SOLR-3895
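Independent of the vendor patch, code that parses XML update messages can be checked for the parser settings that block this class of issue. The following is an added example, not code from this advisory or from Solr; the class name, the sample update messages and the entity path are constructed for illustration.

```java
import java.io.StringReader;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamConstants;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;

// Added example: hypothetical class, constructed sample data.
public class HardenedUpdateParser {

    // StAX factory that does not process DTDs and never resolves external entities.
    static XMLInputFactory hardenedFactory() {
        XMLInputFactory f = XMLInputFactory.newInstance();
        f.setProperty(XMLInputFactory.SUPPORT_DTD, Boolean.FALSE);
        f.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, Boolean.FALSE);
        return f;
    }

    // Returns the concatenated character data, or null if the parser rejected the document.
    static String fieldText(String xml) {
        StringBuilder text = new StringBuilder();
        try {
            XMLStreamReader r = hardenedFactory().createXMLStreamReader(new StringReader(xml));
            while (r.hasNext()) {
                if (r.next() == XMLStreamConstants.CHARACTERS) {
                    text.append(r.getText());
                }
            }
            r.close();
            return text.toString();
        } catch (XMLStreamException e) {
            // Depending on the StAX implementation, the entity reference is either
            // reported as an error here or left unexpanded; it is never resolved.
            return null;
        }
    }

    public static void main(String[] args) {
        // Constructed update message without a DTD.
        String benign = "<add><doc><field name=\"id\">doc-1</field></doc></add>";
        // Constructed update message declaring an external entity (placeholder path).
        String withEntity = "<?xml version=\"1.0\"?>"
            + "<!DOCTYPE add [<!ENTITY ext SYSTEM \"file:///constructed/placeholder.txt\">]>"
            + "<add><doc><field name=\"id\">&ext;</field></doc></add>";
        System.out.println("benign      -> " + fieldText(benign));
        System.out.println("with entity -> " + fieldText(withEntity));
    }
}
```

A message for which `fieldText` returns null, or returns text with the entity left unexpanded, confirms that the external entity was not fetched.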