Date: 2012-04-26
Summary: SOLR REST API allows unauthenticated access to repository contents
Related Issues: ALF-13721
Affects: 4.0
Fixed in: 4.0.1, with a hotfix available for 4.0.
An omission has been discovered that meant that HTTP access to repository APIs under the paths /alfresco/s/api/solr, /alfresco/wcservice/api/solr and /alfresco/wcs/api/solr was not protected by SOLR's SSL certificate and could potentially be used by an unauthenticated user to retrieve information from the repository. This issue affects you whether or not you have configured and installed SOLR for search.
The issue is easily addressed by adding some XML to your web.xml. If you look at the web.xml file, you'll see a security-constraint element that matches on the '/service/api/solr/*' pattern. The issue is that the same web script is accessible via several other URL patterns (the /s, /wcservice and /wcs aliases) that no existing security constraint covers.
<security-constraint>
  <web-resource-collection>
    <web-resource-name>SOLR</web-resource-name>
    <url-pattern>/service/api/solr/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>repoclient</role-name>
  </auth-constraint>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
You can plug the hole yourself by adding the following additional security constraints:
<security-constraint>
  <web-resource-collection>
    <web-resource-name>SOLR</web-resource-name>
    <url-pattern>/s/api/solr/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>repoclient</role-name>
  </auth-constraint>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
<security-constraint>
  <web-resource-collection>
    <web-resource-name>SOLR</web-resource-name>
    <url-pattern>/wcservice/api/solr/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>repoclient</role-name>
  </auth-constraint>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
<security-constraint>
  <web-resource-collection>
    <web-resource-name>SOLR</web-resource-name>
    <url-pattern>/wcs/api/solr/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>repoclient</role-name>
  </auth-constraint>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
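As an added check (example code, not Alfresco's), the script below parses a web.xml with Python's standard library, applies the servlet-spec url-pattern matching rules, and reports which request paths no authenticating security-constraint covers; run against a constructed stand-in of the pre-fix file it flags the three alias paths, against the fixed file none. It ignores the servlet context path and URL normalisation, so it verifies the file, not the deployed server.

```python
"""Static check of a web.xml: which request paths fall outside every authenticating security-constraint?"""
import xml.etree.ElementTree as ET


def constraint_xml(pattern):
    """One security-constraint in the shape the advisory adds, guarding a single url-pattern."""
    return ("<security-constraint><web-resource-collection><web-resource-name>SOLR</web-resource-name>"
            f"<url-pattern>{pattern}</url-pattern></web-resource-collection>"
            "<auth-constraint><role-name>repoclient</role-name></auth-constraint>"
            "<user-data-constraint><transport-guarantee>CONFIDENTIAL</transport-guarantee>"
            "</user-data-constraint></security-constraint>")


# Constructed stand-ins for web.xml: the pre-fix file guards only /service/api/solr/*,
# the fixed one also guards the three aliases named in the advisory.
SOLR_PATTERNS = ["/service/api/solr/*", "/s/api/solr/*", "/wcservice/api/solr/*", "/wcs/api/solr/*"]
ORIGINAL_WEB_XML = "<web-app>" + constraint_xml(SOLR_PATTERNS[0]) + "</web-app>"
FIXED_WEB_XML = "<web-app>" + "".join(constraint_xml(p) for p in SOLR_PATTERNS) + "</web-app>"
# Constructed request paths; "x" is a placeholder for any web script below each prefix.
SOLR_ALIASES = [p[:-1] + "x" for p in SOLR_PATTERNS]


def pattern_matches(pattern, path):
    """Servlet-spec mapping rules: exact match, path prefix '/p/*', extension '*.ext', default '/'."""
    if pattern == path:
        return True
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return pattern == "/"


def protected_patterns(web_xml):
    """url-patterns that sit inside a security-constraint carrying an auth-constraint."""
    local = lambda tag: tag.rsplit("}", 1)[-1]  # strip xmlns so a namespaced web.xml parses the same
    patterns = []
    for sc in ET.fromstring(web_xml).iter():
        if local(sc.tag) != "security-constraint":
            continue
        if not any(local(c.tag) == "auth-constraint" for c in sc):
            continue  # transport-only constraint: HTTPS enforced, but no login required
        patterns += [el.text.strip() for el in sc.iter() if local(el.tag) == "url-pattern" and el.text]
    return patterns


def unprotected_paths(web_xml, paths):
    """Paths no authenticating constraint covers: each is reachable without credentials."""
    pats = protected_patterns(web_xml)
    return [p for p in paths if not any(pattern_matches(q, p) for q in pats)]
```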