Debian 9: DLA-2327-1 Critical: Lucene-Solr Configuration Issue
debian lts
August 15, 2020
A security vulnerability was discovered in lucene-solr, an enterprise search server
Summary
The DataImportHandler, an optional but popular module to pull in data
from databases and other sources, has a feature in which the whole DIH
configuration can come from a request's "dataConfig" parameter. The
debug mode of the DIH admin screen uses this to allow convenient
debugging / development of a DIH config. Since a DIH config can contain
scripts, this parameter is a security risk. Starting from now on, use
of this parameter requires setting the Java System property
"enable.dih.dataConfigParam" to true. For example this can be achieved
with solr-tomcat by adding -Denable.dih.dataConfigParam=true to
JAVA_OPTS in /etc/default/tomcat8.
For Debian 9 stretch, this problem has been fixed in version
3.6.2+dfsg-10+deb9u3.
We recommend that you upgrade your lucene-solr packages.
For the detailed security status of lucene-solr please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/source-package/lucene-solr
PREVIOUS 
NEXT Severity
critical
Lowest
Low
Medium
High
Critical
Package: lucene-solr
Version: 3.6.2+dfsg-10+deb9u3
CVE ID: CVE-2019-0193
Get the latest News and Insights
Get the latest Linux and open source security news straight to your inbox.
Powered By
Linux Security - Your source for Top Linux News, Advisories, HOWTOs and Feature Releases
QUICK LINKS
subscribe to newsletters!
Like staying secure? So do we.
Sign up for updates, tips, and alerts!