The Lucene and Solr PMCs are pleased to announce the release of Apache Solr 8.11.4.
Solr is the blazing-fast, open source, multi-modal search platform built on Apache Lucene. It powers full-text, analytics, and geospatial search at many of the world's largest organizations. Other major features include Kubernetes and docker integration, streaming, highlighting, faceting, and spellchecking.
Solr 8.11.4 is available for immediate download at:
https://solr.apache.org/downloads.html
Please refer to the Upgrade Notes in the Solr Ref Guide for information on upgrading from previous Solr versions:
https://solr.apache.org/guide/8_11/solr-upgrade-notes.html
Please read CHANGES.txt for a full list of bugfixes:
https://solr.apache.org/docs/8_11_4/changes/Changes.html
Solr 8.11.4 also includes bugfixes in the corresponding Apache Lucene release:
https://lucene.apache.org/core/8_11_4/changes/Changes.html
The Solr PMC is pleased to announce the release of Apache Solr 9.7.0.
Solr is the blazing-fast, open source, multi-modal search platform built on Apache Lucene. It powers full-text, vector, analytics, and geospatial search at many of the world's largest organizations. Other major features include Kubernetes and docker integration, streaming, highlighting, faceting, and spellchecking.
The release is available for immediate download at:
https://solr.apache.org/downloads.html
Performance improvements:
There were more changes and details to read; that was just an editorialized summary.
Read CHANGES.txt for a detailed list of changes:
https://solr.apache.org/docs/9_7_0/changes/Changes.html
When upgrading, always read the upgrade notes:
Thanks to all contributors:
David Smiley, Eric Pugh, Jason Gerlowski, hossman, Houston Putman, Pierre Salagnac, Christine Poerschke, Christos Malliaridis, Michael Gibney, Sanjay Dutt, Yohann Callea, janhoy, Liu Huajin, Andrey Bozhko, Lamine Idjeraoui, Ishan Chattopadhyaya, Mark Miller, noble, Gus Heck, Matthew Biscocho, Alexey Serba, Rafał Harabień, Eivind Bergstøl, Calvin Smith, Tomás Fernández Löbbe, @charlygrappa, Alastair Porter, ellaeln, Patson Luk, Vinayak Hegde, Kevin Risden, Rudy Seitz, @hgdharold, Bostoi, Torsten Bøgh Köster, Hakan Özler, Andy Webb, Stephen Woods, Anshum Gupta
The Solr PMC is pleased to announce the release of Apache Solr 9.6.1.
Solr is the popular, blazing fast, open source NoSQL search platform from the Apache Solr project. Its major features include powerful full-text search, hit highlighting, faceted search, dynamic clustering, database integration, rich document handling, and geospatial search. Solr is highly scalable, providing fault tolerant distributed search and indexing, and powers the search and navigation features of many of the world's largest internet sites.
Solr 9.6.1 is available for immediate download at:
https://solr.apache.org/downloads.html
Please refer to the Upgrade Notes in the Solr Ref Guide for information on upgrading from previous Solr versions:
https://solr.apache.org/guide/solr/9_6/upgrade-notes/solr-upgrade-notes.html
Please read CHANGES.txt for a full list of bugfixes:
https://solr.apache.org/9_6_1/changes/Changes.html
Thanks to all contributors!
hossman, Houston Putman, Jan Høydahl, Andy Webb, Christine Poerschke, Aparna Suresh, David Smiley, Vincent Primault
The Solr PMC is pleased to announce the release of Apache Solr 9.6.0.
Solr is the popular, blazing fast, open source NoSQL search platform from the Apache Solr project. Its major features include powerful full-text search, hit highlighting, faceted search, dynamic clustering, database integration, rich document handling, and geospatial search. Solr is highly scalable, providing fault tolerant distributed search and indexing, and powers the search and navigation features of many of the world's largest internet sites.
Solr 9.6.0 is available for immediate download at:
https://solr.apache.org/downloads.html
Please refer to the Upgrade Notes in the Solr Ref Guide for information on upgrading from previous Solr versions:
https://solr.apache.org/guide/solr/9_6/upgrade-notes/solr-upgrade-notes.html
Please read CHANGES.txt for a full list of new features, changes and bugfixes:
https://solr.apache.org/9_6_0/changes/Changes.html
Thanks to all contributors!
hossman, David Smiley, Michael Gibney, Paul McArthur, Jan Høydahl, James Dyer, Eric Pugh, Andrey Bozhko, Andrzej Bialecki, Rahul Goswami, Bruno Roustant, Jason Gerlowski, Sanjay Dutt, Vincent Primault, Christine Poerschke, Gus Heck, Shawn Heisey, Vincenzo D'Amore, Yohann Callea, Julien Pilourdault, Wei Wang, Mikhail Khludnev, Antoine Bursaux, Rishi Sankar, Pierre Salagnac, Aparna Suresh, Alessandro Benedetti, Mathieu Marie, Przemyslaw Ciezkowski
Severity:
Moderate
Versions Affected:
Solr Operator 0.3.0 to 0.8.0
Description: Insertion of Sensitive Information into Log File vulnerability in the Apache Solr Operator.
When the Solr Operator is asked to bootstrap Solr security, the operator will enable basic authentication and create several accounts for accessing Solr: including the "solr" and "admin" accounts for use by end-users, and a "k8s-oper" account which the operator uses for its own requests to Solr. One common source of these operator requests is healthchecks: liveness, readiness, and startup probes are all used to determine Solr's health and ability to receive traffic. By default, the operator configures the Solr APIs used for these probes to be exempt from authentication, but users may specifically request that authentication be required on probe endpoints as well. Whenever one of these probes would fail, if authentication was in use, the Solr Operator would create a Kubernetes "event" containing the username and password of the "k8s-oper" account.
Within the affected version range, this vulnerability affects any solrcloud resource which (1) bootstrapped security through use of the .solrOptions.security.authenticationType=basic option, and (2) required authentication be used on probes by setting .solrOptions.security.probesRequireAuth=true.
Mitigation:
Users are recommended to upgrade to Solr Operator version 0.8.1, which fixes this issue by ensuring that probes no longer print the credentials used for Solr requests. Users may also mitigate the vulnerability by disabling authentication on their healthcheck probes using the setting .solrOptions.security.probesRequireAuth=false.
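An added check (not Solr Operator code) that applies the two conditions above to a parsed SolrCloud manifest and the operator version; it assumes the advisory's `.solrOptions.security.*` paths sit under `spec`, which is a hypothetical layout to adjust to the CRD actually in use.

```python
"""Added example, not part of the Solr Operator: decide whether a SolrCloud
resource is exposed to the probe-credential event leak (CVE-2024-31391).

Assumption: the manifest is the parsed YAML of a SolrCloud resource and the
advisory's ".solrOptions.security" block lives under "spec".
"""
import copy
from typing import Tuple

# Affected operator range from the advisory: 0.3.0 through 0.8.0 inclusive.
AFFECTED_MIN = (0, 3, 0)
AFFECTED_MAX = (0, 8, 0)


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn 'v0.8.0' or '0.8.0' into a comparable tuple of ints."""
    return tuple(int(part) for part in version.lstrip("v").split("."))


def operator_version_affected(version: str) -> bool:
    """True when the operator version lies inside the affected range."""
    return AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX


def security_options(manifest: dict) -> dict:
    """Return the .solrOptions.security block (hypothetical path), or {}."""
    spec = manifest.get("spec") or {}
    return (spec.get("solrOptions") or {}).get("security") or {}


def probe_credential_leak_possible(manifest: dict, operator_version: str) -> bool:
    """Both advisory conditions must hold on an affected operator:
    (1) authenticationType=basic bootstrapped the k8s-oper account, and
    (2) probesRequireAuth=true makes the operator authenticate its probes,
    so a failing probe can emit an event carrying those credentials.
    probesRequireAuth defaults to off, so an absent key means not exposed."""
    if not operator_version_affected(operator_version):
        return False
    sec = security_options(manifest)
    bootstrapped_basic = str(sec.get("authenticationType", "")).lower() == "basic"
    probes_need_auth = sec.get("probesRequireAuth") is True
    return bootstrapped_basic and probes_need_auth


def apply_workaround(manifest: dict) -> dict:
    """Copy of the manifest with the advisory's workaround for clusters that
    cannot move to operator 0.8.1 yet: probesRequireAuth=false."""
    fixed = copy.deepcopy(manifest)
    sec = fixed.setdefault("spec", {}).setdefault("solrOptions", {}).setdefault("security", {})
    sec["probesRequireAuth"] = False
    return fixed


# Constructed sample manifest: basic auth bootstrapped and probes requiring auth.
EXPOSED = {
    "apiVersion": "solr.apache.org/v1beta1",
    "kind": "SolrCloud",
    "metadata": {"name": "example"},
    "spec": {
        "replicas": 3,
        "solrOptions": {
            "security": {"authenticationType": "basic", "probesRequireAuth": True}
        },
    },
}

if __name__ == "__main__":
    print("exposed on operator 0.8.0:", probe_credential_leak_possible(EXPOSED, "v0.8.0"))
    print("exposed on operator 0.8.1:", probe_credential_leak_possible(EXPOSED, "v0.8.1"))
    print("exposed after workaround:",
          probe_credential_leak_possible(apply_workaround(EXPOSED), "v0.8.0"))
```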
References:
JIRA - SOLR-17216
CVE - CVE-2024-31391
The Solr PMC is pleased to announce the release of Apache Solr 9.5.0.
Solr is the popular, blazing fast, open source NoSQL search platform from the Apache Solr project. Its major features include powerful full-text search, hit highlighting, faceted search, dynamic clustering, database integration, rich document handling, and geospatial search. Solr is highly scalable, providing fault tolerant distributed search and indexing, and powers the search and navigation features of many of the world's largest internet sites.
Solr 9.5.0 is available for immediate download at:
https://solr.apache.org/downloads.html
<clusterSingleton> solr.xml tag as a means of configuring node-level plugins in an "immutable infrastructure"-friendly way. This offers an alternative to using the /cluster/plugins API for managing plugins in "live" clusters.
Please refer to the Upgrade Notes in the Solr Ref Guide for information on upgrading from previous Solr versions:
https://solr.apache.org/guide/solr/9_5/upgrade-notes/solr-upgrade-notes.html
Please read CHANGES.txt for a full list of new features, changes and bugfixes:
https://solr.apache.org/9_5_0/changes/Changes.html
The Lucene and Solr PMCs are pleased to announce the release of Apache Solr 8.11.3.
Solr is the popular, blazing fast, open source NoSQL search platform from the Apache Lucene project. Its major features include powerful full-text search, hit highlighting, faceted search, dynamic clustering, database integration, rich document handling, and geospatial search. Solr is highly scalable, providing fault tolerant distributed search and indexing, and powers the search and navigation features of many of the world's largest internet sites.
Solr 8.11.3 is available for immediate download at:
https://lucene.apache.org/solr/downloads.html
Please refer to the Upgrade Notes in the Solr Ref Guide for information on upgrading from previous Solr versions:
https://solr.apache.org/guide/8_11/solr-upgrade-notes.html
Please read CHANGES.txt for a full list of bugfixes:
https://solr.apache.org/docs/8_11_3/changes/Changes.html
Solr 8.11.3 also includes bugfixes in the corresponding Apache Lucene release:
https://lucene.apache.org/core/8_11_3/changes/Changes.html
Severity:
Moderate
Versions Affected:
Description:
Insufficiently Protected Credentials vulnerability in Apache Solr.
This issue affects Apache Solr: from 6.0.0 through 8.11.2, from 9.0.0 before 9.3.0. One of the two endpoints that publishes the Solr process' Java system properties, /admin/info/properties, was only set up to hide system properties that had "password" contained in the name. There are a number of sensitive system properties, such as "basicauth" and "aws.secretKey", that do not contain "password", thus their values were published via the "/admin/info/properties" endpoint. This endpoint populates the list of System Properties on the home screen of the Solr Admin page, making the exposed credentials visible in the UI.
This /admin/info/properties endpoint is protected under the "config-read" permission. Therefore, Solr Clouds with Authorization enabled will only be vulnerable through logged-in users that have the "config-read" permission. Users are recommended to upgrade to version 9.3.0 or 8.11.3, which fixes the issue. A single option now controls hiding Java system properties for all endpoints, "-Dsolr.hiddenSysProps". By default all known sensitive properties are hidden (including "-Dbasicauth"), as well as any property with a name containing "secret" or "password".
Users who cannot upgrade can also use the following Java system property to fix the issue:
-Dsolr.redaction.system.pattern=".*(password|secret|basicauth).*"
Mitigation:
Users are recommended to upgrade to version 8.11.3, 9.3.0 or later, which has consistent systemProperty redaction logic.
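An added simulation (not Solr's own code) of the three redaction behaviours described above, run over constructed system properties: the pre-fix "name contains password" filter, the `solr.redaction.system.pattern` workaround with the advisory's regex, and the fixed hidden-list plus "secret"/"password" rule; the default hidden list is an assumption, since the advisory names only "basicauth".

```python
"""Added example, not Solr's code: simulate how /admin/info/properties
published Java system properties before and after the CVE-2023-50291 fix.
"""
import re
from typing import Dict, List, Pattern, Set

REDACTED = "--REDACTED--"

# Constructed process properties; every secret is a labelled placeholder.
SYSTEM_PROPERTIES: Dict[str, str] = {
    "java.version": "11.0.20",
    "solr.solr.home": "/var/solr/data",
    "solr.jetty.keystore.password": "PLACEHOLDER_KEYSTORE_PW",
    "basicauth": "solr:PLACEHOLDER_BASIC_PW",
    "aws.secretKey": "PLACEHOLDER_AWS_SECRET",
}


def publish_pre_fix(props: Dict[str, str]) -> Dict[str, str]:
    """Pre-fix behaviour: only names containing "password" were hidden, so
    "basicauth" and "aws.secretKey" went out in clear text."""
    return {k: (REDACTED if "password" in k else v) for k, v in props.items()}


# Workaround from the advisory for installations that cannot upgrade:
#   -Dsolr.redaction.system.pattern=".*(password|secret|basicauth).*"
WORKAROUND_PATTERN: Pattern[str] = re.compile(r".*(password|secret|basicauth).*")


def publish_with_pattern(props: Dict[str, str],
                         pattern: Pattern[str] = WORKAROUND_PATTERN) -> Dict[str, str]:
    """Hide every property whose full name matches the redaction pattern.
    The pattern is applied exactly as given on the page, i.e. case-sensitively."""
    return {k: (REDACTED if pattern.fullmatch(k) else v) for k, v in props.items()}


# Fixed behaviour: one list (-Dsolr.hiddenSysProps) for all endpoints, plus
# any name containing "secret" or "password". The set below stands in for
# Solr's built-in defaults and is an assumption beyond "basicauth".
DEFAULT_HIDDEN: Set[str] = {"basicauth"}


def publish_fixed(props: Dict[str, str], hidden: Set[str] = DEFAULT_HIDDEN) -> Dict[str, str]:
    def is_hidden(name: str) -> bool:
        return name in hidden or "secret" in name or "password" in name
    return {k: (REDACTED if is_hidden(k) else v) for k, v in props.items()}


def leaked_secrets(published: Dict[str, str]) -> List[str]:
    """Names whose placeholder secret value survived into the published output."""
    return sorted(k for k, v in published.items() if "PLACEHOLDER" in v)


if __name__ == "__main__":
    print("pre-fix leaks:   ", leaked_secrets(publish_pre_fix(SYSTEM_PROPERTIES)))
    print("workaround leaks:", leaked_secrets(publish_with_pattern(SYSTEM_PROPERTIES)))
    print("fixed leaks:     ", leaked_secrets(publish_fixed(SYSTEM_PROPERTIES)))
```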
Credit: Michael Taggart (reporter)
References:
JIRA - SOLR-16809
CVE - CVE-2023-50291
Severity:
Moderate
Versions Affected:
Description:
Incorrect Permission Assignment for Critical Resource, Improper Control of Dynamically-Managed Code Resources vulnerability in Apache Solr.
This issue affects Apache Solr: from 8.10.0 through 8.11.2, from 9.0.0 before 9.3.0.
The Schema Designer was introduced to allow users to more easily configure and test new Schemas and configSets. However, when the feature was created, the "trust" (authentication) of these configSets was not considered. External library loading is only available to configSets that are "trusted" (created by authenticated users), thus non-authenticated users are unable to perform Remote Code Execution. Since the Schema Designer loaded configSets without taking their "trust" into account, configSets that were created by unauthenticated users were allowed to load external libraries when used in the Schema Designer.
Mitigation:
Users are recommended to upgrade to version 8.11.3, 9.3.0 or later.
Credit: Skay (reporter)
References:
JIRA - SOLR-16777
CVE - CVE-2023-50292
Severity:
Low
Versions Affected:
Description:
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Solr. This issue affects Apache Solr: from 6.0.0 through 8.11.2, from 9.0.0 before 9.4.1.
Solr Streaming Expressions allows users to extract data from other Solr Clouds, using a "zkHost" parameter. When the original SolrCloud is set up to use ZooKeeper credentials and ACLs, they will be sent to whatever "zkHost" the user provides. An attacker could set up a server to mock ZooKeeper, that accepts ZooKeeper requests with credentials and ACLs and extracts the sensitive information, then send a streaming expression using the mock server's address in "zkHost". Streaming Expressions are exposed via the "/streaming" handler, with "read" permissions.
Mitigation:
Users are recommended to upgrade to version 8.11.3 or 9.4.1, which fix the issue.
From these versions on, only zkHost values that have the same server address (regardless of chroot), will use the given ZooKeeper credentials and ACLs when connecting.
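An added example (not Solr's code) of the decision the fixed versions are described as making: attach the local ZooKeeper credentials and ACLs to a streaming expression's zkHost only when it names the same servers, whatever the chroot. "Same servers" is implemented here as an order-insensitive comparison of host:port pairs with ZooKeeper's default port filled in, which is an assumption beyond the advisory's "same server address"; the zkHost strings are constructed.

```python
"""Added example, not Solr's code: reuse ZooKeeper credentials/ACLs only for a
zkHost that points at the same ensemble as the local one (CVE-2023-50298 fix).
"""
from typing import FrozenSet, Optional, Tuple

DEFAULT_ZK_PORT = 2181  # ZooKeeper's default when a host carries no port


def parse_zk_host(zk_host: str) -> Tuple[FrozenSet[str], str]:
    """Split 'h1:2181,h2:2181/chroot' into ({'h1:2181', 'h2:2181'}, '/chroot').
    Bracketed IPv6 literals are not handled (assumption: hostnames/IPv4)."""
    servers, sep, chroot = zk_host.strip().partition("/")
    hosts = set()
    for raw in servers.split(","):
        host = raw.strip().lower()
        if not host:
            continue
        if ":" not in host:
            host = "%s:%d" % (host, DEFAULT_ZK_PORT)
        hosts.add(host)
    if not hosts:
        raise ValueError("zkHost names no servers: %r" % zk_host)
    return frozenset(hosts), (sep + chroot) if sep else ""


def same_zk_ensemble(local_zk_host: str, requested_zk_host: str) -> bool:
    """True when both strings name exactly the same servers; the chroot is ignored,
    so 'zk1:2181/solr' and 'zk1:2181/other' count as the same ensemble."""
    return parse_zk_host(local_zk_host)[0] == parse_zk_host(requested_zk_host)[0]


def credentials_for(local_zk_host: str, local_credentials: Tuple[str, str],
                    requested_zk_host: str) -> Optional[Tuple[str, str]]:
    """Credentials to use for a streaming expression's zkHost, or None when the
    request targets a different ensemble and nothing must be sent."""
    if same_zk_ensemble(local_zk_host, requested_zk_host):
        return local_credentials
    return None


if __name__ == "__main__":
    local = "zk1:2181,zk2:2181,zk3:2181/solr"
    creds = ("solr-zk-user", "PLACEHOLDER_ZK_SECRET")  # constructed
    print(credentials_for(local, creds, "zk3:2181,zk1:2181,zk2:2181/other-chroot"))
    print(credentials_for(local, creds, "other-zk.example:2181/solr"))
```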
Credit: Qing Xu (reporter)
References:
JIRA - SOLR-17098
CVE - CVE-2023-50298
Severity:
Moderate
Versions Affected:
Description:
Improper Control of Dynamically-Managed Code Resources, Unrestricted Upload of File with Dangerous Type, Inclusion of Functionality from Untrusted Control Sphere vulnerability in Apache Solr. This issue affects Apache Solr: from 6.0.0 through 8.11.2, from 9.0.0 before 9.4.1.
In the affected versions, Solr ConfigSets accepted Java jar and class files to be uploaded through the ConfigSets API. When backing up Solr Collections, these configSet files would be saved to disk when using the LocalFileSystemRepository (the default for backups). If the backup was saved to a directory that Solr uses in its ClassPath/ClassLoaders, then the jar and class files would be available to use with any ConfigSet, trusted or untrusted.
When Solr is run in a secure way (Authorization enabled), as is strongly suggested, this vulnerability is limited to extending the Backup permissions with the ability to add libraries.
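An added check (not Solr's code, and not the project's fix) that scans a configset archive for the Java jar and class entries the affected versions accepted through the ConfigSets API, useful for auditing configsets already uploaded or restored from backups; the archives are constructed in memory.

```python
"""Added example, not Solr's code: flag jar/class entries inside a configset
zip, by file name and, for class files, by the 0xCAFEBABE magic regardless of
name. A renamed jar is still a plain zip, so it is only caught by name.
"""
import io
import zipfile
from typing import Dict, List, Union

CODE_SUFFIXES = (".jar", ".class")
CLASS_MAGIC = b"\xca\xfe\xba\xbe"


def executable_entries(archive_bytes: bytes) -> List[str]:
    """Names of entries carrying Java code, in any (nested) directory."""
    found = []
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            by_name = info.filename.lower().endswith(CODE_SUFFIXES)
            with zf.open(info) as fh:
                by_magic = fh.read(4) == CLASS_MAGIC
            if by_name or by_magic:
                found.append(info.filename)
    return sorted(found)


def is_clean_configset(archive_bytes: bytes) -> bool:
    return not executable_entries(archive_bytes)


def build_archive(entries: Dict[str, Union[str, bytes]]) -> bytes:
    """Construct a zip in memory from {name: content}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed archives: an ordinary configset and one carrying code.
CLEAN = build_archive({
    "solrconfig.xml": "<config/>",
    "managed-schema.xml": "<schema/>",
})
TAINTED = build_archive({
    "solrconfig.xml": "<config/>",
    "lib/Plugin.JAR": b"PK\x03\x04" + b"\x00" * 16,     # jar, upper-case suffix
    "classes/Custom.class": CLASS_MAGIC + b"\x00\x00\x00\x34",
    "data/blob.bin": CLASS_MAGIC + b"\x00\x00\x00\x34",  # class file, renamed
})

if __name__ == "__main__":
    print("clean:", is_clean_configset(CLEAN), executable_entries(CLEAN))
    print("tainted:", is_clean_configset(TAINTED), executable_entries(TAINTED))
```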
Mitigation:
Users are recommended to upgrade to version 8.11.3 or 9.4.1, which fix the issue.
In these versions, the following protections have been added:
Credit: L3yx (reporter)
References:
JIRA - SOLR-16949
CVE - CVE-2023-50386
The Solr PMC is pleased to announce the release of Apache Solr 9.4.1.
Solr is the popular, blazing fast, open source NoSQL search platform from the Apache Solr project. Its major features include powerful full-text search, hit highlighting, faceted search, dynamic clustering, database integration, rich document handling, and geospatial search. Solr is highly scalable, providing fault tolerant distributed search and indexing, and powers the search and navigation features of many of the world's largest internet sites.
Solr 9.4.1 is available for immediate download at:
https://solr.apache.org/downloads.html
A big regression to the JSON Query API in 9.4 is primarily what prompted this release. Additionally, some security oriented improvements/fixes have been added, and many transitive dependencies have been upgraded.
Please refer to the Upgrade Notes in the Solr Ref Guide for information on upgrading from previous Solr versions:
https://solr.apache.org/guide/solr/9_4/upgrade-notes/solr-upgrade-notes.html
Please read CHANGES.txt for a full list of bugfixes:
https://solr.apache.org/9_4_1/changes/Changes.html
Severity:
Important
Versions Affected:
Solr 9.0 to 9.2.1
Description:
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Solr.
The Solr Metrics API publishes all unprotected environment variables available to each Apache Solr instance.
Users are able to specify which environment variables to hide, however, the default list is designed to work for known secret Java system properties.
Environment variables cannot be strictly defined in Solr, like Java system properties can be, and may be set for the entire host, unlike Java system properties which are set per-Java-process.
The Solr Metrics API is protected by the "metrics-read" permission. Therefore, Solr Clouds with Authorization setup will only be vulnerable via users with the "metrics-read" permission.
Mitigation:
Users are recommended to upgrade to version 9.3.0 or later, in which environment variables are not published via the Metrics API.
References:
JIRA - SOLR-15233
CVE - CVE-2023-50290
The Solr PMC is pleased to announce the release of Apache Solr 9.4.0.
Solr is the popular, blazing fast, open source NoSQL search platform from the Apache Solr project. Its major features include powerful full-text search, hit highlighting, faceted search, dynamic clustering, database integration, rich document handling, and geospatial search. Solr is highly scalable, providing fault tolerant distributed search and indexing, and powers the search and navigation features of many of the world's largest internet sites.
Solr 9.4.0 is available for immediate download at:
https://solr.apache.org/downloads.html
Please refer to the Upgrade Notes in the Solr Ref Guide for information on upgrading from previous Solr versions:
https://solr.apache.org/guide/solr/9_4/upgrade-notes/solr-upgrade-notes.html
Please read CHANGES.txt for a full list of new features, changes and bugfixes:
https://solr.apache.org/9_4_0/changes/Changes.html
The Solr PMC is pleased to announce the release of Apache Solr 9.3.0.
Solr is the popular, blazing fast, open source NoSQL search platform from the Apache Solr project. Its major features include powerful full-text search, hit highlighting, faceted search, dynamic clustering, database integration, rich document handling, and geospatial search. Solr is highly scalable, providing fault tolerant distributed search and indexing, and powers the search and navigation features of many of the world's largest internet sites.
Solr 9.3.0 is available for immediate download at:
https://solr.apache.org/downloads.html
Please refer to the Upgrade Notes in the Solr Ref Guide for information on upgrading from previous Solr versions:
https://solr.apache.org/guide/solr/9_3/upgrade-notes/solr-upgrade-notes.html
Please read CHANGES.txt for a full list of new features, changes and bugfixes:
https://solr.apache.org/9_3_0/changes/Changes.html
The Solr PMC is pleased to announce the release of Apache Solr 9.2.1.
Solr is the popular, blazing fast, open source NoSQL search platform from the Apache Solr project. Its major features include powerful full-text search, hit highlighting, faceted search, dynamic clustering, database integration, rich document handling, and geospatial search. Solr is highly scalable, providing fault tolerant distributed search and indexing, and powers the search and navigation features of many of the world's largest internet sites.
Solr 9.2.1 is available for immediate download at:
https://solr.apache.org/downloads.html
Please refer to the Upgrade Notes in the Solr Ref Guide for information on upgrading from previous Solr versions:
https://solr.apache.org/guide/solr/9_2/upgrade-notes/solr-upgrade-notes.html
Please read CHANGES.txt for a full list of bugfixes:
https://solr.apache.org/9_2_1/changes/Changes.html
The Solr PMC is pleased to announce the release of Apache Solr 9.2.0.
Solr is the popular, blazing fast, open source NoSQL search platform from the Apache Solr project. Its major features include powerful full-text search, hit highlighting, faceted search, dynamic clustering, database integration, rich document handling, and geospatial search. Solr is highly scalable, providing fault tolerant distributed search and indexing, and powers the search and navigation features of many of the world's largest internet sites.
Solr 9.2.0 is available for immediate download at:
https://solr.apache.org/downloads.html
Please refer to the Upgrade Notes in the Solr Ref Guide for information on upgrading from previous Solr versions:
https://solr.apache.org/guide/solr/9_2/upgrade-notes/solr-upgrade-notes.html
Please read CHANGES.txt for a full list of new features, changes and bugfixes:
https://solr.apache.org/9_2_0/changes/Changes.html
The Solr PMC is pleased to announce the release of Apache Solr 9.1.1.
Solr is the popular, blazing fast, open source NoSQL search platform from the Apache Solr project. Its major features include powerful full-text search, hit highlighting, faceted search, dynamic clustering, database integration, rich document handling, and geospatial search. Solr is highly scalable, providing fault tolerant distributed search and indexing, and powers the search and navigation features of many of the world's largest internet sites.
Solr 9.1.1 is available for immediate download at:
https://solr.apache.org/downloads.html
Please refer to the Upgrade Notes in the Solr Ref Guide for information on upgrading from previous Solr versions:
https://solr.apache.org/guide/solr/9_1/upgrade-notes/solr-upgrade-notes.html
Please read CHANGES.txt for a full list of bugfixes:
https://solr.apache.org/9_1_1/changes/Changes.html
Versions Affected:
Solr 6.5 to 8.11.2
Solr 9.0
Description:
Apache Calcite has a vulnerability, CVE-2022-39135, that is exploitable in Apache Solr in SolrCloud mode. If an untrusted user can supply SQL queries to Solr’s “/sql” handler (even indirectly via proxies / other apps), then the user could perform an XML External Entity (XXE) attack. This might have been exposed by some deployers of Solr in order for internal analysts to use JDBC based tooling, but would have unlikely been granted to wider audiences.
Impact:
An XXE attack may lead to the disclosure of confidential data, denial of service, server side request forgery (SSRF), port scanning from the Solr node, and other system impacts.
Mitigation:
Most Solr installations don’t make use of the SQL functionality. For such users, the standard Solr security advice of using a firewall should be adequate. Nonetheless, the functionality can be disabled. As of Solr 9, it has been modularized and thus became opt-in, so nothing is needed for Solr 9 users that don’t use it. Users not using SolrCloud can’t use the functionality at all. For other users that wish to disable it, you must register a request handler that masks the underlying functionality in solrconfig.xml like so:
<requestHandler name="/sql" class="solr.NotFoundRequestHandler"/>
Users needing this SQL functionality are forced to upgrade to Solr 9.1. If Solr 8.11.3 is released, then it will be an option as well. Simply replacing Calcite and other JAR files may mostly work but could fail depending on the particulars of the query. Users interested in this or in patching their own versions of Solr should examine SOLR-16421 for a source patch.
Credit:
Andreas Hubold at CoreMedia GmbH
References:
JIRA - SOLR-16421
CVE - CVE-2022-39135
The Solr PMC is pleased to announce the release of Apache Solr 9.1.0.
Solr is the popular, blazing fast, open source NoSQL search platform from the Apache Solr project. Its major features include powerful full-text search, hit highlighting, faceted search, dynamic clustering, database integration, rich document handling, and geospatial search. Solr is highly scalable, providing fault tolerant distributed search and indexing, and powers the search and navigation features of many of the world's largest internet sites.
Solr 9.1.0 is available for immediate download at:
https://solr.apache.org/downloads.html
Please refer to the Upgrade Notes in the Solr Ref Guide for information on upgrading from previous Solr versions:
https://solr.apache.org/guide/solr/9_1/upgrade-notes/solr-upgrade-notes.html
Please read CHANGES.txt for a full list of new features, changes and bugfixes:
https://solr.apache.org/9_1_0/changes/Changes.html
Several users running Solr in production on OpenJDK 17 have experienced JVM crashes due to a known bug in the JDK. Read more about the bug in SOLR-16463.
Known mitigations are to either downgrade to JDK 11 or to start Solr with a Java startup flag that avoids the failure condition. Here is how to manually apply the flag:
Edit your solr.in.sh or solr.in.cmd file to set the SOLR_OPTS environment variable as follows:
Linux:
SOLR_OPTS=-XX:CompileCommand=exclude,com.github.benmanes.caffeine.cache.BoundedLocalCache::put
Windows:
SET SOLR_OPTS=-XX:CompileCommand=exclude,com.github.benmanes.caffeine.cache.BoundedLocalCache::put
Alternatively, you can inject the same flag with the -a argument, e.g.:
bin/solr -a "-XX:CompileCommand=exclude,com.github.benmanes.caffeine.cache.BoundedLocalCache::put"
If you run Solr 9 with the official Docker image, we have already pushed an updated Docker image to Docker Hub that will inject the flag for you.
Just pull the image again to get it.
The Docker image uses the -a option to set this java flag when running Solr, so if you are using the -a option you will need to provide the JVM flag mentioned above in addition to the other flags you are setting.
The official docker image for Solr 8.11 has been running on Oracle OpenJDK 11 JRE. However, due to Oracle's new release policies, they now no longer provide support for JDK11. Since Solr 8.11 is still being supported by the Apache Solr project, we needed to switch to another OpenJDK vendor with JDK11 support. We chose Eclipse Temurin from the Adoptium project. This is the same vendor as we use for our Solr 9 image, and their JDK11 support lasts until October 2024.
Users should be aware that on your next docker pull solr:8.11.2 you will be upgraded. For most users there will be no issues, as it is mainly a new distribution of the same upstream OpenJDK version. However, if you use our image as base image and rely on specific tools to be present, you may need to adapt. While openjdk:11-jre uses Debian GNU/Linux 11 (bullseye), the eclipse-temurin:11-jre-focal image uses Ubuntu 20.04.5 LTS (Focal Fossa).
Furthermore, there is now no difference between the solr:11-jre and solr:11-jre-slim images, because our new vendor only offers one variant which is fairly slim already.
Solr 9 was released on May 12th, using the eclipse-temurin:17-jre base image. Thus, we are pinned to Java 17 and Solr's Docker image will thus always use an updated Java 17 version, if you pull the docker image from time to time, that is.
However, the base image tag 17-jre did not give us pinning to a specific Ubuntu Linux major release. At the time of Solr 9 release on May 12th it would pull Ubuntu 20.04 (Focal Fossa), but at the end of May, it was auto upgraded to the brand new Ubuntu 22.04 (Jammy Jellyfish). This was not our desire, and we have learnt that due to this, our image is no longer compatible with Docker client versions before 20.10.16. Having a "floating" linux release like this can also break the image in other subtle ways, as well as breaking downstream images using us as a base image.
We therefore decided to start pinning not only Java release, but also Linux release in our official Docker images. This means that Solr 9.0 is once again based on Ubuntu 20.04 Focal, i.e. a downgrade.
Note that our images will still receive important Linux bug fixes from time to time, but you won't get them unless you re-pull the image. When we upgrade to Ubuntu 22.04 in the future, it will be a deliberate decision and not by accident.
The Lucene and Solr PMCs are pleased to announce the release of Apache Solr 8.11.2.
Solr is the popular, blazing fast, open source NoSQL search platform from the Apache Lucene project. Its major features include powerful full-text search, hit highlighting, faceted search, dynamic clustering, database integration, rich document handling, and geospatial search. Solr is highly scalable, providing fault tolerant distributed search and indexing, and powers the search and navigation features of many of the world's largest internet sites.
Solr 8.11.2 is available for immediate download at:
https://solr.apache.org/downloads.html
Please refer to the Upgrade Notes in the Solr Ref Guide for information on upgrading from previous Solr versions:
https://solr.apache.org/guide/8_11/solr-upgrade-notes.html
Please read CHANGES.txt for a full list of bugfixes:
https://solr.apache.org/docs/8_11_2/changes/Changes.html
Solr 8.11.2 also includes bugfixes in the corresponding Apache Lucene release:
https://lucene.apache.org/core/8_11_2/changes/Changes.html
The Solr PMC is pleased to announce the release of Apache Solr 9.0.0.
Solr is the popular, blazing fast, open source NoSQL search platform from the Apache Solr project. Its major features include powerful full-text search, hit highlighting, faceted search, dynamic clustering, database integration, rich document handling, and geospatial search. Solr is highly scalable, providing fault tolerant distributed search and indexing, and powers the search and navigation features of many of the world's largest internet sites.
Solr 9.0.0 is available for immediate download at:
https://solr.apache.org/downloads.html
This is a major-version release with breaking changes. The highlights below are not the full list. Please consult the "Solr Upgrade Notes" when planning an upgrade:
https://solr.apache.org/guide/solr/9_0/upgrade-notes/solr-upgrade-notes.html
Please read CHANGES.txt for a full list of new features, changes and bugfixes:
https://solr.apache.org/9_0_0/changes/Changes.html
Severity:
Moderate
Versions Affected:
All versions prior to 8.11.1. Affected platforms: Windows.
Description:
An Improper Input Validation vulnerability in DataImportHandler of Apache Solr allows an attacker to provide a Windows UNC path resulting in an SMB network call being made from the Solr host to another host on the network. If the attacker has wider access to the network, this may lead to SMB attacks, which may result in:
This issue affects all Apache Solr versions prior to 8.11.1. This issue only affects Windows.
Mitigation:
Upgrade to Solr 8.11.1, and/or ensure only trusted clients can make requests to Solr's DataImport handler.
Credit:
Apache Solr would like to thank LaiHan of Nsfocus security team for reporting the issue
References:
Jira issue SOLR-15826
The Lucene PMC is pleased to announce the release of Apache Solr 8.11.1.
Solr is the popular, blazing fast, open source NoSQL search platform from the Apache Lucene project. Its major features include powerful full-text search, hit highlighting, faceted search, dynamic clustering, database integration, rich document handling, and geospatial search. Solr is highly scalable, providing fault tolerant distributed search and indexing, and powers the search and navigation features of many of the world's largest internet sites.
Solr 8.11.1 is available for immediate download at:
https://lucene.apache.org/solr/downloads.html
Please refer to the Upgrade Notes in the Solr Ref Guide for information on upgrading from previous Solr versions:
https://solr.apache.org/guide/8_11/solr-upgrade-notes.html
Please read CHANGES.txt for a full list of bugfixes:
https://solr.apache.org/docs/8_11_1/changes/Changes.html
Severity: Critical
Versions Affected: 7.4.0 to 7.7.3, 8.0.0 to 8.11.0
Description: Apache Solr releases prior to 8.11.1 were using a bundled version of the Apache Log4J library vulnerable to RCE. For full impact and additional detail consult the Log4J security page.
Apache Solr releases prior to 7.4 (i.e. Solr 5, Solr 6, and Solr 7 through 7.3) use Log4J 1.2.17 which may be vulnerable for installations using non-default logging configurations that include the JMS Appender, see https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126 for discussion.
Solr's Prometheus Exporter uses Log4J as well but it does not log user input or data, so we don't see a risk there.
Solr is not vulnerable to the followup CVE-2021-45046 and CVE-2021-45105. A listing of these and other CVEs with some justifications are listed in Solr's wiki: https://cwiki.apache.org/confluence/display/SOLR/SolrSecurity#SolrSecurity-SolrandVulnerabilityScanningTools
Mitigation: Any of the following are enough to prevent this vulnerability for Solr servers:
Upgrade to Solr 8.11.1 or greater (when available), which will include an updated version (>= 2.16.0) of the Log4J dependency.
Edit your solr.in.sh file to include:
SOLR_OPTS="$SOLR_OPTS -Dlog4j2.formatMsgNoLookups=true"
Edit your solr.in.cmd file to include:
set SOLR_OPTS=%SOLR_OPTS% -Dlog4j2.formatMsgNoLookups=true
The Log4J security page refers to setting log4j2.formatMsgNoLookups=true as a "discredited" mitigation. In reality, it depends.
We've looked at the root cause and audited the code paths that lead to the vulnerability, and we feel confident in this mitigation being sufficient for Solr.
See https://lists.apache.org/thread/kgh63sncrsm2bls884pg87mnt8vqztmz for discussion.
References: https://logging.apache.org/log4j/2.x/security.html
The Solr PMC is pleased to announce the release of Apache Solr 8.11.0.
Solr is the popular, blazing fast, open source NoSQL search platform from the Apache Lucene project. Its major features include powerful full-text search, hit highlighting, faceted search, dynamic clustering, database integration, rich document handling, and geospatial search. Solr is highly scalable, providing fault tolerant distributed search and indexing, and powers the search and navigation features of many of the world's largest internet sites.
Solr 8.11.0 is available for immediate download at:
https://solr.apache.org/downloads.html
MultiAuthPlugin (for authentication) and MultiAuthRuleBasedAuthorizationPlugin (for authorization) classes to support multiple authentication schemes, such as Bearer and Basic. This allows the Admin UI to use OIDC (JWTAuthPlugin) to authenticate users while still supporting Basic authentication for command-line tools and the Prometheus exporter.
A summary of important changes is published in the Solr Reference Guide at https://solr.apache.org/guide/8_11/solr-upgrade-notes.html.
For the most exhaustive list, see the full release notes at https://solr.apache.org/8_11_0/changes/Changes.html or by viewing the CHANGES.txt file accompanying the distribution.
Solr's release notes usually don't include Lucene layer changes. Lucene's release notes are at https://lucene.apache.org/core/8_11_0/changes/Changes.html
The Solr PMC is pleased to announce the release of Apache Solr 8.10.1.
Solr 8.10.1 is available for immediate download at:
https://solr.apache.org/downloads.html
A summary of important changes is published in the Solr Reference Guide at https://solr.apache.org/guide/8_10_1/solr-upgrade-notes.html.
For the most exhaustive list, see the full release notes at https://solr.apache.org/8_10_1/changes/Changes.html or by viewing the CHANGES.txt file accompanying the distribution.
Solr's release notes usually don't include Lucene layer changes. Lucene's release notes are at https://lucene.apache.org/core/8_10_1/changes/Changes.html
The Solr PMC is pleased to announce the release of Apache Solr 8.10.0.
Solr 8.10.0 is available for immediate download at:
https://solr.apache.org/downloads.html
Backup / restore to / from Amazon S3 (SOLR-15089); included upgrading the AWS SDK to v2 (SOLR-15599)
A new Admin UI screen to interactively design your Solr schema and supporting ConfigSet files from sample data (SOLR-15277)
A new Admin UI screen to manage users, roles, and permissions (SOLR-15527)
Several enhancements and bug fixes for Solr's Parallel SQL interface, included upgrading Apache Calcite to 1.27.0 (SOLR-15460, SOLR-15451, SOLR-15456, SOLR-15461, SOLR-15489, SOLR-15475, SOLR-15499, SOLR-15570, SOLR-15576, SOLR-9853, SOLR-15579, SOLR-15566)
A summary of important changes is published in the Solr Reference Guide at https://solr.apache.org/guide/8_10/solr-upgrade-notes.html.
For the most exhaustive list, see the full release notes at https://solr.apache.org/8_10_0/changes/Changes.html or by viewing the CHANGES.txt file accompanying the distribution.
Solr's release notes usually don't include Lucene layer changes. Lucene's release notes are at https://lucene.apache.org/core/8_10_0/changes/Changes.html
The Solr PMC is pleased to announce the release of Apache Solr 8.9.0.
Solr 8.9.0 is available for immediate download at:
https://solr.apache.org/downloads.html
Backup/Restore: Support for incremental backups, support for storing backups in Google Cloud Storage (GCS), ability to restore on top of an existing collection. Improved v2 API. Please see CHANGES.txt for details. (SOLR-15087, SOLR-15090, SOLR-13608, SOLR-15101)
Monitoring: New "Solr Cluster" row in Grafana dashboard, improved Zookeeper monitoring, new shard health info in CLUSTERSTATUS and more. Please see CHANGES.txt for details. (SOLR-15365, SOLR-15397, SOLR-15300, SOLR-15081, SOLR-15383)
Deprecations: The Metrics history feature has been deprecated and will be removed in 9.0 (SOLR-15416)
Admin UI: Query page now stores state in URL and can easily be shared (SOLR-6152)
Security: Jetty server upgraded to 9.4.41 which fixes some known vulnerabilities (SOLR-15316)
A summary of important changes is published in the Solr Reference Guide at https://solr.apache.org/guide/8_9/solr-upgrade-notes.html.
For the most exhaustive list, see the full release notes at https://solr.apache.org/8_9_0/changes/Changes.html or by viewing the CHANGES.txt file accompanying the distribution.
Solr's release notes usually don't include Lucene layer changes. Lucene's release notes are at https://lucene.apache.org/core/8_9_0/changes/Changes.html
The Solr PMC is pleased to announce the release of Apache Solr 8.8.2.
Solr 8.8.2 is available for immediate download at:
https://solr.apache.org/downloads.html
Please refer to the Upgrade Notes in the Solr Ref Guide for information on upgrading from previous Solr versions:
https://solr.apache.org/guide/8_8/solr-upgrade-notes.html
Please read CHANGES.txt for a full list of bugfixes:
https://solr.apache.org/8_8_2/changes/Changes.html
Solr 8.8.2 also includes bugfixes in the corresponding Apache Lucene release:
https://lucene.apache.org/core/8_8_2/changes/Changes.html
Severity: High
Versions Affected: 7.0.0 to 7.7.3, 8.0.0 to 8.8.1
Description: The ReplicationHandler (normally registered at "/replication" under a Solr core) has a "masterUrl" (also "leaderUrl" alias) parameter that is used to designate another ReplicationHandler on another Solr core to replicate index data into the local core. To prevent a SSRF vulnerability, Solr ought to check these parameters against a similar configuration it uses for the "shards" parameter. Prior to this bug getting fixed, it did not.
Mitigation: Any of the following are enough to prevent this vulnerability:
Solr 8.8.2 or greater.
Credit: Reported by Caolinhong (Skay) from QI-ANXIN Cert (QI-ANXIN Technology Group Inc.)
References: SOLR-15217: CVE-2021-27905: SSRF vulnerability with the Replication handler
Severity: High
Versions Affected: 7.0.0 to 7.7.3, 8.0.0 to 8.8.1
Description: When starting Apache Solr versions prior to 8.8.2, configured with the SaslZkACLProvider or VMParamsAllAndReadonlyDigestZkACLProvider and no existing security.json znode, if the optional read-only user is configured then Solr would not treat that node as a sensitive path and would allow it to be readable. Additionally, with any ZkACLProvider, if the security.json is already present, Solr will not automatically update the ACLs.
Mitigation: Any of the following are enough to prevent this vulnerability:
Solr 8.8.2 or greater.
Credit: Timothy Potter and Mike Drob, Apple Cloud Services
References: SOLR-15249: CVE-2021-29262: Misapplied Zookeeper ACLs can result in leakage of configured authentication and authorization settings
Severity: High
Versions Affected: 7.0.0 to 7.7.3, 8.0.0 to 8.8.1
Description: When using ConfigurableInternodeAuthHadoopPlugin for authentication, Apache Solr versions prior to 8.8.2 would forward/proxy distributed requests using server credentials instead of original client credentials. This would result in incorrect authorization resolution on the receiving hosts.
Mitigation: Any of the following are enough to prevent this vulnerability:
Solr 8.8.2 or greater.
Credit: Geza Nagy
References: SOLR-15233: CVE-2021-29943: Apache Solr Unprivileged users may be able to perform unauthorized read/write to collections
The Lucene PMC is pleased to announce the release of Apache Solr 8.8.1.
Solr 8.8.1 is available for immediate download at:
https://solr.apache.org/downloads.html
Fix for a SolrJ backwards compatibility issue when upgrading the server to 8.8.0 without upgrading SolrJ to 8.8.0. Users are encouraged to use 8.8.1 instead of 8.8.0.
Please refer to the Upgrade Notes in the Solr Ref Guide for information on upgrading from previous Solr versions:
https://solr.apache.org/guide/8_8/solr-upgrade-notes.html
Please read CHANGES.txt for a full list of bugfixes:
https://solr.apache.org/8_8_1/changes/Changes.html
Solr 8.8.1 also includes bugfixes in the corresponding Apache Lucene release:
https://lucene.apache.org/core/8_8_1/changes/Changes.html
The Apache Software Foundation's board today established Solr as a Top Level Project (TLP). Solr has been a Lucene sub-project since its incubation in 2006, governed by the Lucene PMC, and has since the 3.1 release also shared source code repository with Lucene.
The change was proposed by members of the Lucene PMC, and a vote in June 2020 decided that Solr would be a separate TLP. Later, the Lucene PMC decided that the Solr project would be bootstrapped with the same set of committers and PMC members as the "mother" Lucene project.
The Solr software will not change at all as a result of this, but users will see these changes:
Developers will have to do a number of things to adapt to the change
NOTE: Some things may be in flux during the migration work.
29/01/2021, Apache Solr™ 8.8 available
The Lucene PMC is pleased to announce the release of Apache Solr 8.8.
Solr is the popular, blazing fast, open source NoSQL search platform from the Apache Lucene project. Its major features include powerful full-text search, hit highlighting, faceted search and analytics, rich document parsing, geospatial search, extensive REST APIs as well as parallel SQL. Solr is enterprise grade, secure and highly scalable, providing fault tolerant distributed search and indexing, and powers the search and navigation features of many of the world's largest internet sites.
The release is available for immediate download at:
https://solr.apache.org/downloads.html
Please read CHANGES.txt for a detailed list of changes:
https://solr.apache.org/8_8_0/changes/Changes.html
Solr 8.8.0 Release Highlights
Reducing overseer bottlenecks using per-replica states. More stability and less load on large clusters that use this feature. Better restart and collection creation performance.
Interleaving support in Learning To Rank
A summary of important changes is published in the Solr Reference Guide at https://solr.apache.org/guide/8_8/solr-upgrade-notes.html. For the most exhaustive list, see the full release notes at https://solr.apache.org/8_8_0/changes/Changes.html or by viewing the CHANGES.txt file accompanying the distribution. Solr's release notes usually don't include Lucene layer changes. Lucene's release notes are at https://lucene.apache.org/core/8_8_0/changes/Changes.html
3/11/2020, Apache Solr™ 8.7 available
The Lucene PMC is pleased to announce the release of Apache Solr 8.7.
The release is available for immediate download at:
https://solr.apache.org/downloads.html
Please read CHANGES.txt for a detailed list of changes:
https://solr.apache.org/8_7_0/changes/Changes.html
Solr 8.7.0 Release Highlights
SOLR-14588 -- Circuit Breakers Infrastructure and Real JVM Based Circuit Breaker
SOLR-14615 -- CPU Based Circuit Breaker
SOLR-14537 -- Improve performance of ExportWriter
SOLR-14651 -- The MetricsHistoryHandler Can Be Disabled
A summary of important changes is published in the Solr Reference Guide at https://solr.apache.org/guide/8_7/solr-upgrade-notes.html. For the most exhaustive list, see the full release notes at https://solr.apache.org/8_7_0/changes/Changes.html or by viewing the CHANGES.txt file accompanying the distribution. Solr's release notes usually don't include Lucene layer changes. Lucene's release notes are at https://lucene.apache.org/core/8_7_0/changes/Changes.html
Severity: High
Versions Affected: 6.6.0 to 6.6.6, 7.0.0 to 7.7.3, 8.0.0 to 8.6.2
Description: Solr prevents some features considered dangerous (which could be used for remote code execution) from being configured in a ConfigSet that is uploaded via API without authentication/authorization. The checks in place to prevent such features can be circumvented by using a combination of UPLOAD/CREATE actions.
Mitigation: Any of the following are enough to prevent this vulnerability:
Set configset.upload.enabled to false (see docs).
Solr 8.6.3 or greater.
Credit: Tomás Fernández Löbbe, András Salamon
References: SOLR-14925: CVE-2020-13957: The checks added to unauthenticated configset uploads can be circumvented
The Lucene PMC is pleased to announce the release of Apache Solr 8.6.3.
Solr 8.6.3 is available for immediate download at:
https://solr.apache.org/downloads.html
Please refer to the Upgrade Notes in the Solr Ref Guide for information on upgrading from previous Solr versions:
https://solr.apache.org/guide/8_6/solr-upgrade-notes.html
Please read CHANGES.txt for a full list of bugfixes:
https://solr.apache.org/8_6_3/changes/Changes.html
Solr 8.6.3 also includes bugfixes in the corresponding Apache Lucene release:
https://lucene.apache.org/core/8_6_3/changes/Changes.html
The Lucene PMC is pleased to announce the release of Apache Solr 8.6.2.
Solr 8.6.2 is available for immediate download at:
https://solr.apache.org/downloads.html
Please refer to the Upgrade Notes in the Solr Ref Guide for information on upgrading from previous Solr versions:
https://solr.apache.org/guide/8_6/solr-upgrade-notes.html
Please read CHANGES.txt for a full list of bugfixes:
https://solr.apache.org/8_6_2/changes/Changes.html
Solr 8.6.2 also includes bugfixes in the corresponding Apache Lucene release:
https://lucene.apache.org/core/8_6_2/changes/Changes.html
Severity: Medium
Versions Affected: Before Solr 8.6. Some risks are specific to Windows.
Description: Reported in SOLR-14515 (private) and fixed in SOLR-14561 (public), released in Solr version 8.6.0. The Replication handler (https://solr.apache.org/guide/8_6/index-replication.html#http-api-commands-for-the-replicationhandler) allows the commands backup, restore and deleteBackup. Each of these takes a location parameter, which was not validated, i.e. you could read/write to any location the solr user can access.
On a Windows system SMB paths such as \\10.0.0.99\share\folder may also be used, leading to:
Mitigation: Upgrade to Solr 8.6, and/or ensure only trusted clients can make requests of Solr's replication handler.
Credit: Matei "Mal" Badanoiu
The Lucene PMC is pleased to announce the release of Apache Solr 8.6.1.
Solr 8.6.1 is available for immediate download at:
https://solr.apache.org/downloads.html
Please refer to the Upgrade Notes in the Solr Ref Guide for information on upgrading from previous Solr versions:
https://solr.apache.org/guide/8_6/solr-upgrade-notes.html
Please read CHANGES.txt for a full list of bugfixes:
https://solr.apache.org/8_6_1/changes/Changes.html
Solr 8.6.1 also includes bugfixes in the corresponding Apache Lucene release:
https://lucene.apache.org/core/8_6_1/changes/Changes.html
The Lucene PMC is pleased to announce the release of Apache Solr 8.6.0.
Solr 8.6.0 is available for immediate download at:
https://solr.apache.org/downloads.html
Please read CHANGES.txt for a full list of new features and changes:
https://solr.apache.org/8_6_0/changes/Changes.html
Solr 8.6.0 also includes features, optimizations and bugfixes in the corresponding Apache Lucene release:
https://lucene.apache.org/core/8_6_0/changes/Changes.html
The Lucene PMC is pleased to announce the release of Apache Solr 8.5.2.
Solr 8.5.2 is available for immediate download at:
https://solr.apache.org/downloads.html
Please read CHANGES.txt for a full list of changes:
https://solr.apache.org/8_5_2/changes/Changes.html
Solr 8.5.2 also includes 1 bugfix in the corresponding Apache Lucene release:
https://lucene.apache.org/core/8_5_2/changes/Changes.html
The Lucene PMC is pleased to announce the release of Apache Solr 7.7.3.
Solr 7.7.3 is available for immediate download at:
https://solr.apache.org/downloads.html
Please read CHANGES.txt for a full list of changes:
https://solr.apache.org/7_7_3/changes/Changes.html
Solr 7.7.3 also includes bugfixes in the corresponding Apache Lucene release:
https://lucene.apache.org/core/7_7_3/changes/Changes.html
The Lucene PMC is pleased to announce the release of Apache Solr 8.5.1
This release contains no change over 8.5.0 for Solr. The release is available for immediate download at:
https://solr.apache.org/downloads.html
Solr 8.5.1 also includes one bugfix in the corresponding Apache Lucene release:
https://lucene.apache.org/core/8_5_1/changes/Changes.html
The Lucene PMC is pleased to announce the release of Apache Solr 8.5.0.
Solr 8.5.0 is available for immediate download at:
https://solr.apache.org/downloads.html
Please read CHANGES.txt for a full list of changes:
https://solr.apache.org/8_5_0/changes/Changes.html
Solr 8.5.0 also includes improvements and bugfixes in the corresponding Apache Lucene release:
https://lucene.apache.org/core/8_5_0/changes/Changes.html
The Lucene PMC is pleased to announce the release of Apache Solr 8.4.1.
Solr 8.4.1 is available for immediate download at:
https://solr.apache.org/downloads.html
Please read CHANGES.txt for a full list of changes:
https://solr.apache.org/8_4_1/changes/Changes.html
Solr 8.4.1 also includes bugfixes in the corresponding Apache Lucene release:
https://lucene.apache.org/core/8_4_1/changes/Changes.html
Severity: High
Vendor: The Apache Software Foundation
Versions Affected: 5.0.0 to 8.3.1
Description:
The affected versions are vulnerable to a Remote Code Execution through the VelocityResponseWriter. A Velocity template can be provided through Velocity templates in a configset velocity/ directory or as a parameter. A user-defined configset could contain renderable, potentially malicious, templates. Parameter-provided templates are disabled by default, but can be enabled by setting params.resource.loader.enabled to true, i.e. by defining a response writer with that setting set to true. Defining a response writer requires configuration API access.
Solr 8.4 removed the params resource loader entirely, and only enables the configset-provided template rendering when the configset is trusted (has been uploaded by an authenticated user).
Mitigation:
Ensure your network settings are configured so that only trusted traffic communicates with Solr, especially to the configuration APIs.
Credit: Github user s00py
References:
The Lucene PMC is pleased to announce the release of Apache Solr 8.4.0.
Solr 8.4.0 is available for immediate download at:
https://solr.apache.org/downloads.html
A summary of important changes is published in the Solr Reference Guide at https://solr.apache.org/guide/8_4/solr-upgrade-notes.html.
Please read CHANGES.txt for a full list of new features and changes:
https://solr.apache.org/8_4_0/changes/Changes.html
Solr 8.4.0 also includes features, optimizations and bugfixes in the corresponding Apache Lucene release:
https://lucene.apache.org/core/8_4_0/changes/Changes.html
The Lucene PMC is pleased to announce the release of Apache Solr 8.3.1.
Solr 8.3.1 is available for immediate download at:
https://solr.apache.org/downloads.html
Please read CHANGES.txt for a full list of changes:
https://solr.apache.org/8_3_1/changes/Changes.html
Solr 8.3.1 also includes bugfixes in the corresponding Apache Lucene release:
https://lucene.apache.org/core/8_3_1/changes/Changes.html
Severity: High
Vendor: The Apache Software Foundation
Versions Affected: Solr 8.1.1 and 8.2.0 for Linux
Description:
The 8.1.1 and 8.2.0 releases of Apache Solr contain an insecure setting for the ENABLE_REMOTE_JMX_OPTS configuration option in the default solr.in.sh configuration file shipping with Solr. Windows users are not affected.
If you use the default solr.in.sh file from the affected releases, then JMX monitoring will be enabled and exposed on RMI_PORT (default=18983), without any authentication. If this port is opened for inbound traffic in your firewall, then anyone with network access to your Solr nodes will be able to access JMX, which may in turn allow them to upload malicious code for execution on the Solr server.
The vulnerability is already public [1] and mitigation steps were announced on project mailing lists and the news page [3] on August 14th, without mentioning RCE at that time.
Mitigation:
Make sure your effective solr.in.sh file has ENABLE_REMOTE_JMX_OPTS set to 'false' on every Solr node and then restart Solr. Note that the effective solr.in.sh file may reside in /etc/defaults/ or another location depending on the install. You can then validate that the 'com.sun.management.jmxremote*' family of properties are not listed in the "Java Properties" section of the Solr Admin UI, or are configured in a secure way.
There is no need to upgrade or update any code.
Remember to follow the Solr Documentation's advice to never expose Solr nodes directly in a hostile network environment.
Credit:
Matei "Mal" Badanoiu
Solr JIRA user 'jnyryan' (John)
References:
[1] https://issues.apache.org/jira/browse/SOLR-13647
[3] https://solr.apache.org/news.html
The Lucene PMC is pleased to announce the release of Apache Solr 8.3.0.
Solr 8.3.0 is available for immediate download at:
https://solr.apache.org/downloads.html
Please read CHANGES.txt for a full list of new features and changes:
https://solr.apache.org/8_3_0/changes/Changes.html
Solr 8.3.0 also includes features, optimizations and bugfixes in the corresponding Apache Lucene release:
https://lucene.apache.org/core/8_3_0/changes/Changes.html
Severity: Medium
Vendor: The Apache Software Foundation
Versions Affected:
Description:
Solr versions prior to 5.0.0 are vulnerable to an XML resource consumption attack (a.k.a. Lol Bomb) via its update handler. By leveraging XML DOCTYPE and ENTITY type elements, the attacker can create a pattern that will expand when the server parses the XML, causing OOMs.
Mitigation:
Credit:
Matei "Mal" Badanoiu
References:
Severity: Low
Versions Affected: 8.1.1 and 8.2.0 for Linux
Description:
It has been discovered [1] that the 8.1.1 and 8.2.0 releases contain a bad default setting for the ENABLE_REMOTE_JMX_OPTS setting in the default solr.in.sh file shipping with Solr. Windows users and users with custom solr.in.sh files are not affected.
If you are using the default solr.in.sh file from the affected releases, then JMX monitoring will be enabled and exposed on JMX_PORT (default = 18983), without any authentication. So if your firewall allows inbound traffic on JMX_PORT, then anyone with network access to your Solr nodes will be able to access monitoring data exposed over JMX.
Mitigation:
Edit solr.in.sh, set ENABLE_REMOTE_JMX_OPTS=false and restart Solr.
Alternatively wait for the future 8.3.0 release and upgrade.
References:
[1] https://issues.apache.org/jira/browse/SOLR-13647
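The solr.in.sh mitigations from the Log4J advisory (the SOLR_OPTS flag) and the two ENABLE_REMOTE_JMX_OPTS advisories above are easy to apply but easy to get wrong across a fleet, so here is an added POSIX shell check, written for this page and not code from the Solr project: it sources a given solr.in.sh the way bin/solr does and reports both settings, then reads a JVM system-property dump (the Admin UI "Java Properties" list or `jcmd <pid> VM.system_properties`) to confirm no unauthenticated com.sun.management.jmxremote* properties reached the running JVM. The function names, the sample solr.in.sh files and the property dump are constructed for the example; the 18983 default port is the one quoted in the advisories.

```shell
#!/bin/sh
# Added example (not Solr project code): verify the solr.in.sh mitigations from the
# advisories above on a Linux/macOS node, then confirm remote JMX did not reach the JVM.
# NOTE: check_solr_in_sh sources the file, exactly as bin/solr does, so point it only at
# a solr.in.sh you already trust Solr to start with.

# Constructed sample 1: shaped like the 8.1.1/8.2.0 default (remote JMX on, no Log4J flag).
SAMPLE_DEFAULT=$(mktemp)
cat >"$SAMPLE_DEFAULT" <<'EOF'
SOLR_HEAP="512m"
ENABLE_REMOTE_JMX_OPTS="true"
#RMI_PORT=18983
EOF

# Constructed sample 2: both mitigations applied as the advisories describe.
SAMPLE_MITIGATED=$(mktemp)
cat >"$SAMPLE_MITIGATED" <<'EOF'
SOLR_HEAP="512m"
ENABLE_REMOTE_JMX_OPTS="false"
SOLR_OPTS="$SOLR_OPTS -Dlog4j2.formatMsgNoLookups=true"
EOF
trap 'rm -f "$SAMPLE_DEFAULT" "$SAMPLE_MITIGATED"' EXIT

# Constructed sample 3: a system-property dump, one key=value per line (the shape of
# `jcmd <pid> VM.system_properties` output), from a node still running the bad default.
SAMPLE_JMX_DUMP='java.version=11.0.2
com.sun.management.jmxremote.port=18983
com.sun.management.jmxremote.authenticate=false
com.sun.management.jmxremote.ssl=false'

# Evaluate an effective solr.in.sh (path as argument) in a throwaway subshell, starting
# from empty variables so the usual SOLR_OPTS="$SOLR_OPTS ..." accumulation works.
# Prints one OK/WARN line per check; returns 0 only when both mitigations are present.
check_solr_in_sh() {
  [ -r "$1" ] || { echo "ERROR cannot read $1"; return 2; }
  (
    SOLR_OPTS=""; ENABLE_REMOTE_JMX_OPTS=""; RMI_PORT=""
    . "$1"
    status=0
    # Pad with spaces so only the whole -D flag matches, not a prefix of a longer one.
    case " $SOLR_OPTS " in
      *" -Dlog4j2.formatMsgNoLookups=true "*)
        echo "OK   SOLR_OPTS sets -Dlog4j2.formatMsgNoLookups=true" ;;
      *)
        echo "WARN SOLR_OPTS lacks -Dlog4j2.formatMsgNoLookups=true (upgrade to 8.11.1+ or add it)"
        status=1 ;;
    esac
    case "$ENABLE_REMOTE_JMX_OPTS" in
      true)
        echo "WARN ENABLE_REMOTE_JMX_OPTS=true: unauthenticated JMX on RMI_PORT ${RMI_PORT:-18983}"
        status=1 ;;
      *)
        echo "OK   ENABLE_REMOTE_JMX_OPTS is not true" ;;
    esac
    exit $status
  )
}

# Second step from the advisory: read a property dump on stdin and report whether remote
# JMX is exposed without authentication. Returns 0 when off or authenticated, 1 otherwise.
check_jmx_props() {
  props=$(cat)
  port=$(printf '%s\n' "$props" | sed -n 's/^com\.sun\.management\.jmxremote\.port=//p')
  auth=$(printf '%s\n' "$props" | sed -n 's/^com\.sun\.management\.jmxremote\.authenticate=//p')
  if [ -z "$port" ]; then
    echo "OK   no com.sun.management.jmxremote.port property: remote JMX is off"
    return 0
  fi
  if [ "$auth" = "true" ]; then
    echo "OK   remote JMX on port $port requires authentication"
    return 0
  fi
  echo "WARN remote JMX on port $port with authenticate=${auth:-unset}: fix solr.in.sh and restart"
  return 1
}

# Report on the constructed samples (a real run passes the node's own solr.in.sh and
# pipes in its own property dump).
echo "== default-shaped solr.in.sh"; check_solr_in_sh "$SAMPLE_DEFAULT" || true
echo "== mitigated solr.in.sh";      check_solr_in_sh "$SAMPLE_MITIGATED" || true
echo "== JVM properties";            printf '%s\n' "$SAMPLE_JMX_DUMP" | check_jmx_props || true
```

Run it on each node after the restart, since the property dump reflects the JVM that is actually running, not the file on disk.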
Severity: High
Vendor: The Apache Software Foundation
Versions Affected:
Description:
The DataImportHandler, an optional but popular module to pull in data from databases and other sources, has a feature in which the whole DIH configuration can come from a request's "dataConfig" parameter. The debug mode of the DIH admin screen uses this to allow convenient debugging / development of a DIH config. Since a DIH config can contain scripts, this parameter is a security risk. Starting with version 8.2.0 of Solr, use of this parameter requires setting the Java System property enable.dih.dataConfigParam to true.
Mitigation:
Credit:
Michael Stepankin (JPMorgan Chase)
References:
The Lucene PMC is pleased to announce the release of Apache Solr 8.2.0
Solr is the popular, blazing fast, open source NoSQL search platform from the Apache Lucene project. Its major features include powerful full-text search, hit highlighting, faceted search, dynamic clustering, database integration, rich document (e.g., Word, PDF) handling, and geospatial search. Solr is highly scalable, providing fault tolerant distributed search and indexing, and powers the search and navigation features of many of the world's largest internet sites.
Solr 8.2.0 is available for immediate download at: https://solr.apache.org/downloads.html
Please read CHANGES.txt for a full list of new features and changes:
https://solr.apache.org/8_2_0/changes/Changes.html
Solr 8.2.0 also includes many other new features as well as numerous optimizations and bugfixes of the corresponding Apache Lucene release:
https://lucene.apache.org/core/8_2_0/changes/Changes.html
The Lucene PMC is pleased to announce the release of Apache Solr 7.7.2.
Solr is the popular, blazing fast, open source NoSQL search platform from the Apache Lucene project. Its major features include powerful full-text search, hit highlighting, faceted search, dynamic clustering, database integration, rich document handling, and geospatial search. Solr is highly scalable, providing fault tolerant distributed search and indexing, and powers the search and navigation features of many of the world's largest internet sites.
Solr 7.7.2 is available for immediate download at:
https://solr.apache.org/downloads.html
Please read CHANGES.txt for a full list of changes:
https://solr.apache.org/7_7_2/changes/Changes.html
Solr 7.7.2 also includes bugfixes in the corresponding Apache Lucene release:
https://lucene.apache.org/core/7_7_2/changes/Changes.html
The Lucene PMC is pleased to announce the release of Apache Solr 8.1.1
Solr is the popular, blazing fast, open source NoSQL search platform from the Apache Lucene project. Its major features include powerful full-text search, hit highlighting, faceted search, dynamic clustering, database integration, rich document (e.g., Word, PDF) handling, and geospatial search. Solr is highly scalable, providing fault tolerant distributed search and indexing, and powers the search and navigation features of many of the world's largest internet sites.
Solr 8.1.1 is available for immediate download at: https://solr.apache.org/downloads.html
Please read CHANGES.txt for a full list of new features and changes:
https://solr.apache.org/8_1_1/changes/Changes.html
The Lucene PMC is pleased to announce the release of Apache Solr 8.1.0
Solr is the popular, blazing fast, open source NoSQL search platform from the Apache Lucene project. Its major features include powerful full-text search, hit highlighting, faceted search, dynamic clustering, database integration, rich document (e.g., Word, PDF) handling, and geospatial search. Solr is highly scalable, providing fault tolerant distributed search and indexing, and powers the search and navigation features of many of the world's largest internet sites.
Solr 8.1.0 is available for immediate download at: https://solr.apache.org/downloads.html
Please read CHANGES.txt for a full list of new features and changes:
https://solr.apache.org/8_1_0/changes/Changes.html
Solr 8.1.0 also includes many other new features as well as numerous optimizations and bugfixes of the corresponding Apache Lucene release:
https://lucene.apache.org/core/8_1_0/changes/Changes.html
The Lucene PMC is pleased to announce the release of Apache Solr 6.6.6
Solr is the popular, blazing fast, open source NoSQL search platform from the Apache Lucene project. Its major features include powerful full-text search, hit highlighting, faceted search and analytics, rich document parsing, geospatial search, extensive REST APIs as well as parallel SQL. Solr is enterprise grade, secure and highly scalable, providing fault tolerant distributed search and indexing, and powers the search and navigation features of many of the world's largest internet sites.
Solr 6.6.6 is available for immediate download at:
http://archive.apache.org/dist/lucene/solr/6.6.6
Please read CHANGES.txt for a full list of new features and changes:
https://solr.apache.org/6_6_6/changes/Changes.html
The Lucene PMC is pleased to announce the release of Apache Solr 8.0.0
Solr is the popular, blazing fast, open source NoSQL search platform from the Apache Lucene project. Its major features include powerful full-text search, hit highlighting, faceted search, dynamic clustering, database integration, rich document (e.g., Word, PDF) handling, and geospatial search. Solr is highly scalable, providing fault tolerant distributed search and indexing, and powers the search and navigation features of many of the world's largest internet sites.
Solr 8.0.0 is available for immediate download at: https://solr.apache.org/downloads.html
Please read CHANGES.txt for a full list of new features and changes:
https://solr.apache.org/8_0_0/changes/Changes.html
Solr now uses HTTP/2 for inter-node communication to attain greater efficiency. Details: Solr is switching from Apache HttpClient to Jetty Client to add HTTP/2 support. The most frequent inter-node communication, such as indexing and query requests, is now sent over HTTP/2. HTTP/1.1 practically allows only one outstanding request per TCP connection, so sending multiple requests at the same time requires multiple TCP connections, which wastes resources on both sides and leads to long GC pauses. Solr 8 with HTTP/2 support overcomes that problem by allowing multiple requests to be sent in parallel over the same TCP connection.
Support for nested documents (AKA child documents or block join) is significantly improved. Most improvements come from storing and leveraging more information about the relationships in the index, like the named relationship between a child and its parent. This information is used by the [child] doc transformer to return children in nested form instead of flat. There is plenty more that can be done with this in the future. Another key improvement is that nested documents can be deleted or replaced in a natural way without orphaning child documents, although care is still needed with delete-by-query.
Being a major release, Solr 8 removes many deprecated APIs, changes various parameter defaults and behavior. Some changes may require a re-index of your content. You are thus encouraged to thoroughly read the "Upgrade Notes" at:
https://solr.apache.org/8_0_0/changes/Changes.html
Solr 8.0 also includes many other new features as well as numerous optimizations and bugfixes of the corresponding Apache Lucene release:
https://lucene.apache.org/core/8_0_0/changes/Changes.html
The Lucene PMC is pleased to announce that the Solr Reference Guide for 7.7 is now available. This 1,431-page PDF is the definitive guide to using Apache Solr, the search server built on Lucene.
The PDF Guide can be downloaded from: https://www.apache.org/dyn/closer.cgi/lucene/solr/ref-guide/apache-solr-ref-guide-7.7.pdf. It is also available online at https://solr.apache.org/guide/7_7.
Severity: High
Vendor:
The Apache Software Foundation
Versions Affected:
Description:
The Config API allows Solr's JMX server to be configured via an HTTP POST
request. By pointing it at a malicious RMI server, an attacker could take
advantage of Solr's unsafe deserialization to trigger remote code execution
on the Solr side.
Mitigation:
Any of the following are enough to prevent this vulnerability:
Credit:
Michael Stepankin
References:
The Lucene PMC is pleased to announce the release of Apache Solr 7.7.1
Solr is the popular, blazing fast, open source NoSQL search platform from the Apache Lucene project. Its major features include powerful full-text search, hit highlighting, faceted search, dynamic clustering, database integration, rich document (e.g., Word, PDF) handling, and geospatial search. Solr is highly scalable, providing fault tolerant distributed search and indexing, and powers the search and navigation features of many of the world's largest internet sites.
Solr 7.7.1 is available for immediate download at: https://solr.apache.org/downloads.html
Please read CHANGES.txt for a full list of new features and changes:
https://solr.apache.org/7_7_1/changes/Changes.html
Bugfix for ClassCastException when URPs try to read a String field which returns a ByteArrayUtf8CharSequence (a regression in release 7.7.0).
Bugfix: Autoscaling based replica placement was broken out of the box. Solr 7.6 enabled autoscaling based replica placement by default but in the absence of default cluster policies, autoscaling can place more than 1 replica of the same shard on the same node. Also, the maxShardsPerNode and createNodeSet parameters were not respected. For these reasons, this release reverts the default replica placement policy to the 'legacy' assignment policy that was the default until Solr 7.5.
Severity: High
Vendor:
The Apache Software Foundation
Versions Affected: Apache Solr versions from 1.3 to 7.6.0
Description:
The "shards" parameter does not have a corresponding whitelist mechanism,
so a request can direct Solr to fetch any URL on the requester's behalf
(server-side request forgery), including hosts that are not part of the
cluster.
Mitigation:
Upgrade to Apache Solr 7.7.0 or later.
Ensure your network settings are configured so that only trusted traffic is
allowed to ingress/egress your hosts running Solr.
Credit:
dk from Chaitin Tech
References:
The Lucene PMC is pleased to announce the release of Apache Solr 7.7.0
Solr is the popular, blazing fast, open source NoSQL search platform from the Apache Lucene project. Its major features include powerful full-text search, hit highlighting, faceted search, dynamic clustering, database integration, rich document (e.g., Word, PDF) handling, and geospatial search. Solr is highly scalable, providing fault tolerant distributed search and indexing, and powers the search and navigation features of many of the world's largest internet sites.
Solr 7.7.0 is available for immediate download at: https://solr.apache.org/downloads.html
Please read CHANGES.txt for a full list of new features and changes:
https://solr.apache.org/7_7_0/changes/Changes.html
The Lucene PMC is pleased to announce the release of Apache Solr 7.6.0
Solr is the popular, blazing fast, open source NoSQL search platform from the Apache Lucene project. Its major features include powerful full-text search, hit highlighting, faceted search, dynamic clustering, database integration, rich document (e.g., Word, PDF) handling, and geospatial search. Solr is highly scalable, providing fault tolerant distributed search and indexing, and powers the search and navigation features of many of the world's largest internet sites.
Solr 7.6.0 is available for immediate download at: https://solr.apache.org/downloads.html
Please read CHANGES.txt for a full list of new features and changes:
https://solr.apache.org/7_6_0/changes/Changes.html
New uninvertible field option to control using the costly field cache or the more efficient docValues.
The Lucene PMC is pleased to announce the release of Apache Solr 7.5.0
Solr is the popular, blazing fast, open source NoSQL search platform from the Apache Lucene project. Its major features include powerful full-text search, hit highlighting, faceted search, dynamic clustering, database integration, rich document (e.g., Word, PDF) handling, and geospatial search. Solr is highly scalable, providing fault tolerant distributed search and indexing, and powers the search and navigation features of many of the world's largest internet sites.
Solr 7.5.0 is available for immediate download at: https://solr.apache.org/downloads.html
Please read CHANGES.txt for a full list of new features and changes:
https://solr.apache.org/7_5_0/changes/Changes.html
The Lucene PMC is pleased to announce the release of Apache Solr 6.6.5
Solr is the popular, blazing fast, open source NoSQL search platform from the Apache Lucene project. Its major features include powerful full-text search, hit highlighting, faceted search and analytics, rich document parsing, geospatial search, extensive REST APIs as well as parallel SQL. Solr is enterprise grade, secure and highly scalable, providing fault tolerant distributed search and indexing, and powers the search and navigation features of many of the world's largest internet sites.
Solr 6.6.5 is available for immediate download at:
http://archive.apache.org/dist/lucene/solr/6.6.5
Please read CHANGES.txt for a full list of new features and changes:
https://solr.apache.org/6_6_5/changes/Changes.html
The Lucene PMC is pleased to announce the release of Apache Solr 7.4.0
Solr is the popular, blazing fast, open source NoSQL search platform from the Apache Lucene project. Its major features include powerful full-text search, hit highlighting, faceted search and analytics, rich document parsing, geospatial search, extensive REST APIs as well as parallel SQL. Solr is enterprise grade, secure and highly scalable, providing fault tolerant distributed search and indexing, and powers the search and navigation features of many of the world's largest internet sites.
Solr 7.4.0 is available for immediate download at:
https://solr.apache.org/downloads.html
Please read CHANGES.txt for a full list of new features and changes:
https://solr.apache.org/7_4_0/changes/Changes.html
The Lucene PMC is pleased to announce the release of Apache Solr 6.6.4
Solr is the popular, blazing fast, open source NoSQL search platform from the Apache Lucene project. Its major features include powerful full-text search, hit highlighting, faceted search and analytics, rich document parsing, geospatial search, extensive REST APIs as well as parallel SQL. Solr is enterprise grade, secure and highly scalable, providing fault tolerant distributed search and indexing, and powers the search and navigation features of many of the world's largest internet sites.
This release includes a bug fix since the 6.6.3 release:
The release is available for immediate download at:
https://www.apache.org/dyn/closer.lua/lucene/solr/6.6.4
Please read CHANGES.txt for a detailed list of changes:
https://solr.apache.org/6_6_4/changes/Changes.html
The Lucene PMC is pleased to announce the release of Apache Solr 7.3.1
Solr is the popular, blazing fast, open source NoSQL search platform from the Apache Lucene project. Its major features include powerful full-text search, hit highlighting, faceted search and analytics, rich document parsing, geospatial search, extensive REST APIs as well as parallel SQL. Solr is enterprise grade, secure and highly scalable, providing fault tolerant distributed search and indexing, and powers the search and navigation features of many of the world's largest internet sites.
This release includes 9 bug fixes since the 7.3.0 release. Some of the major fixes are:
Furthermore, this release includes Apache Lucene 7.3.1 which includes 1 bug fix since the 7.3.0 release.
The release is available for immediate download at:
https://www.apache.org/dyn/closer.lua/lucene/solr/7.3.1
Please read CHANGES.txt for a detailed list of changes:
https://solr.apache.org/7_3_1/changes/Changes.html
CVE-2018-1308: XXE attack through Apache Solr's DIH's dataConfig request parameter
Severity: Major
Vendor:
The Apache Software Foundation
Versions Affected:
Description:
The details of this vulnerability were reported to the Apache Security mailing list.
This vulnerability relates to an XML external entity expansion (XXE) in the
&dataConfig=<inlinexml> parameter of Solr's DataImportHandler. It can be
used as XXE using file/ftp/http protocols in order to read arbitrary local
files from the Solr server or the internal network. See [1] for more details.
Mitigation:
Users are advised to upgrade to either Solr 6.6.3 or Solr 7.3.0 releases both
of which address the vulnerability. Once upgrade is complete, no other steps
are required. Those releases disable external entities in anonymous XML files
passed through this request parameter.
If users are unable to upgrade to Solr 6.6.3 or Solr 7.3.0 then they are
advised to disable data import handler in their solrconfig.xml file and
restart their Solr instances. Alternatively, if Solr instances are only used
locally without access to public internet, the vulnerability cannot be used
directly, so it may not be required to update, and instead reverse proxies or
Solr client applications should be guarded to not allow end users to inject
dataConfig request parameters. Please refer to [2] on how to correctly
secure Solr servers.
Credit:
麦 香浓郁
References:
[1] https://issues.apache.org/jira/browse/SOLR-11971
[2] https://cwiki.apache.org/confluence/display/solr/SolrSecurity
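The guard this advisory recommends for reverse proxies and client applications, as an added example that is not code from the Solr project: it also serves the later DataImportHandler advisory higher on this page (the dataConfig request parameter) and the "shards" advisory (arbitrary URLs in the shards parameter). The function models the decision a proxy in front of Solr makes before forwarding a request: dataConfig, and stream.body which the 7.1 notes on this page say is disabled by default, are refused wherever they appear, and every host named in a shards parameter must belong to the operator's own cluster. The cluster host list and the sample requests are constructed for the example; the parameter-name matching is case-insensitive on purpose so the guard does not depend on Solr's exact spelling.

```python
"""Request guard for dangerous Solr parameters (added example, not Solr code).

Assumptions: CLUSTER_HOSTS is the operator's real node list; the shards
syntax is comma-separated shards with '|' separating replicas of one shard
and an optional http:// or https:// scheme per entry.
"""
from urllib.parse import parse_qsl, urlsplit

# Hosts allowed to appear in a shards parameter (constructed for the example).
CLUSTER_HOSTS = {"solr1.internal:8983", "solr2.internal:8983"}

# Parameters an end user must never be able to supply (compared lower-cased).
FORBIDDEN_PARAMS = {"dataconfig", "stream.body"}


def shard_hosts(shards_value):
    """Yield the host:port of every replica named in a shards value."""
    for shard in shards_value.split(","):
        for replica in shard.split("|"):
            replica = replica.strip()
            if not replica:
                continue
            if "://" in replica:                      # strip an explicit scheme
                replica = replica.split("://", 1)[1]
            yield replica.split("/", 1)[0].lower()    # host:port before the path


def check_request(url, body=""):
    """Return None if the request may be forwarded, else a rejection reason.

    `url` is the path plus query string as received by the proxy; `body` is
    an optional application/x-www-form-urlencoded POST body, which Solr reads
    for parameters exactly like the query string and so is checked the same way.
    """
    parts = urlsplit(url)
    params = parse_qsl(parts.query, keep_blank_values=True)
    params.extend(parse_qsl(body, keep_blank_values=True))
    for name, value in params:
        lname = name.lower()
        if lname in FORBIDDEN_PARAMS:
            return f"forbidden parameter {name!r} on {parts.path}"
        if lname == "shards":
            for host in shard_hosts(value):
                if host not in CLUSTER_HOSTS:
                    return f"shards host {host!r} is not a cluster member"
    return None


# Constructed sample requests: the first two are legitimate, the rest must be blocked.
SAMPLE_REQUESTS = [
    "/solr/db/select?q=*:*&shards=solr1.internal:8983/solr/db,solr2.internal:8983/solr/db",
    "/solr/db/dataimport?command=full-import",
    "/solr/db/dataimport?command=full-import&dataConfig=%3CdataConfig%3E",
    "/solr/db/select?q=*:*&shards=http://evil.example:8080/solr/db",
    "/solr/db/select?q=*:*&stream.body=%3Cadd%3E",
]


def run_samples():
    """Return {request: reason-or-None} for the constructed samples."""
    return {url: check_request(url) for url in SAMPLE_REQUESTS}


if __name__ == "__main__":
    for url, reason in run_samples().items():
        print("forward" if reason is None else f"reject: {reason}", "<-", url)
```

In a deployment the same function sits behind the proxy's request hook; anything it rejects should be logged with the client address, since a dataConfig or foreign shards host in an end-user request is an attack indicator rather than a client bug.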
The Lucene PMC is pleased to announce the release of Apache Solr 7.3.0
Solr is the popular, blazing fast, open source NoSQL search platform from the Apache Lucene project. Its major features include powerful full-text search, hit highlighting, faceted search, dynamic clustering, database integration, rich document (e.g., Word, PDF) handling, and geospatial search. Solr is highly scalable, providing fault tolerant distributed search and indexing, and powers the search and navigation features of many of the world's largest internet sites.
Solr 7.3.0 is available for immediate download at:
https://solr.apache.org/downloads.html
Please read CHANGES.txt for a full list of new features and changes:
https://solr.apache.org/7_3_0/changes/Changes.html
The Apache Solr Reference Guide for 7.3 is also available in PDF form or online.
The Lucene PMC is pleased to announce the release of Apache Solr 6.6.3.
Solr is the popular, blazing fast, open source NoSQL search platform from the Apache Lucene project. Its major features include powerful full-text search, hit highlighting, faceted search and analytics, rich document parsing, geospatial search, extensive REST APIs as well as parallel SQL. Solr is enterprise grade, secure and highly scalable, providing fault tolerant distributed search and indexing, and powers the search and navigation features of many of the world's largest internet sites.
This release contains three bugfixes:
The release is available for immediate download at:
https://solr.apache.org/mirrors-solr-redir.html
Please read CHANGES.txt for a detailed list of changes:
https://solr.apache.org/6_6_3/changes/Changes.html
The Lucene PMC is pleased to announce the release of Apache Solr 7.2.1
Solr is the popular, blazing fast, open source NoSQL search platform from the Apache Lucene project. Its major features include powerful full-text search, hit highlighting, faceted search and analytics, rich document parsing, geospatial search, extensive REST APIs as well as parallel SQL. Solr is enterprise grade, secure and highly scalable, providing fault tolerant distributed search and indexing, and powers the search and navigation features of many of the world's largest internet sites.
This release includes the following bug fixes since the 7.2.0 release:
Overseer can never process some last messages.
Rename core in solr standalone mode is not persisted.
QueryComponent's rq parameter parsing no longer considers the defType parameter.
Fix NPE in SolrQueryParser when the query terms inside a filter clause reduce to nothing.
Furthermore, this release includes Apache Lucene 7.2.1 which includes 1 bug fix since the 7.2.0 release.
The release is available for immediate download at:
https://www.apache.org/dyn/closer.lua/lucene/solr/7.2.1
Please read CHANGES.txt for a detailed list of changes:
https://solr.apache.org/7_2_1/changes/Changes.html
The Lucene PMC is pleased to announce the release of Apache Solr 7.2.0
Solr is the popular, blazing fast, open source NoSQL search platform from the Apache Lucene project. Its major features include powerful full-text search, hit highlighting, faceted search, dynamic clustering, database integration, rich document (e.g., Word, PDF) handling, and geospatial search. Solr is highly scalable, providing fault tolerant distributed search and indexing, and powers the search and navigation features of many of the world's largest internet sites.
Solr 7.2.0 is available for immediate download at:
https://solr.apache.org/downloads.html
Please read CHANGES.txt for a full list of new features and changes:
https://solr.apache.org/7_2_0/changes/Changes.html
The Lucene PMC is pleased to announce that the Solr Reference Guide for 7.1 is now available.
This 1,077-page PDF is the definitive guide to using Apache Solr, the search server built on Lucene.
The PDF Guide can be downloaded from: https://www.apache.org/dyn/closer.cgi/lucene/solr/ref-guide/apache-solr-ref-guide-7.1.pdf.
It is also available online at https://solr.apache.org/guide/7_1.
Severity: Important
Vendor:
The Apache Software Foundation
Versions Affected:
Description:
Apache Solr uses Apache Tika for parsing binary file types such as
doc, xls, pdf etc. Apache Tika wraps the jmatio parser
(https://github.com/gradusnikov/jmatio) to handle MATLAB files. The
parser uses native deserialization on serialized Java objects embedded
in MATLAB files. A malicious user could inject arbitrary code into a
MATLAB file that would be executed when the object is deserialized.
This vulnerability was originally described at http://mail-archives.apache.org/mod_mbox/tika-user/201611.mbox/%3C2125912914.1308916.1478787314903%40mail.yahoo.com%3E
Mitigation:
Users are advised to upgrade to either Solr 5.5.5 or Solr 6.6.2 or Solr 7.1.0
releases which have fixed this vulnerability.
Solr 5.5.5 upgrades the jmatio parser to v1.2 and disables the Java deserialisation support to protect against this vulnerability.
Solr 6.6.2 and Solr 7.1.0 have upgraded the bundled Tika to v1.16.
Once upgrade is complete, no other steps are required.
References:
The Lucene PMC is pleased to announce the release of Apache Solr 5.5.5.
Solr is the popular, blazing fast, open source NoSQL search platform from the Apache Lucene project. Its major features include powerful full-text search, hit highlighting, faceted search and analytics, rich document parsing, geospatial search, extensive REST APIs as well as parallel SQL. Solr is enterprise grade, secure and highly scalable, providing fault tolerant distributed search and indexing, and powers the search and navigation features of many of the world's largest internet sites.
This release contains one bugfix.
This release includes one critical and one important security fix. Details:
Fix for a 0-day exploit (CVE-2017-12629), details: https://s.apache.org/FJDl. RunExecutableListener has been disabled by default (can be enabled by -Dsolr.enableRunExecutableListener=true) and resolving external entities in the XML query parser (defType=xmlparser or {!xmlparser ... }) is disabled by default.
Fix for CVE-2017-7660: Security Vulnerability in secure inter-node communication in Apache Solr, details: https://s.apache.org/APTY
Furthermore, this release includes Apache Lucene 5.5.5 which includes one security fix since the 5.5.4 release.
The release is available for immediate download at:
https://www.apache.org/dyn/closer.lua/lucene/solr/5.5.5
Please read CHANGES.txt for a detailed list of changes:
https://solr.apache.org/5_5_5/changes/Changes.html
The Lucene PMC is pleased to announce the release of Apache Solr 6.6.2
Solr is the popular, blazing fast, open source NoSQL search platform from the Apache Lucene project. Its major features include powerful full-text search, hit highlighting, faceted search and analytics, rich document parsing, geospatial search, extensive REST APIs as well as parallel SQL. Solr is enterprise grade, secure and highly scalable, providing fault tolerant distributed search and indexing, and powers the search and navigation features of many of the world's largest internet sites.
Critical security fix: Fix for a 0-day exploit (CVE-2017-12629), details: https://s.apache.org/FJDl. RunExecutableListener has been disabled by default (can be enabled by -Dsolr.enableRunExecutableListener=true) and resolving external entities in the XML query parser (defType=xmlparser or {!xmlparser ... }) is disabled by default.
Fix for a bug where Solr was attempting to load the same core twice (Error message: "Lock held by this virtual machine").
The release is available for immediate download at:
https://www.apache.org/dyn/closer.lua/lucene/solr/6.6.2
Please read CHANGES.txt for a detailed list of changes:
https://solr.apache.org/6_6_2/changes/Changes.html
Severity: Critical
Vendor:
The Apache Software Foundation
Versions Affected:
Description:
The details of this vulnerability were reported on public mailing
lists. See https://s.apache.org/FJDl
The first vulnerability relates to XML external entity expansion in the XML Query Parser which is available, by default, for any query request with the parameter defType=xmlparser. This can be exploited to upload malicious data to the /upload request handler. It can also be used as blind XXE using the ftp wrapper in order to read arbitrary local files from the Solr server.
The second vulnerability relates to remote code execution using the RunExecutableListener available on all affected versions of Solr.
At the time of the above report, this was a 0-day vulnerability with a working exploit affecting the versions of Solr mentioned in the previous section. However, mitigation steps were announced to protect Solr users the same day. See https://solr.apache.org/news.html#12-october-2017-please-secure-your-apache-solr-servers-since-a-zero-day-exploit-has-been-reported-on-a-public-mailing-list
Mitigation:
Users are advised to upgrade to either Solr 6.6.2 or Solr 7.1.0
releases both of which address the two vulnerabilities. Once upgrade is
complete, no other steps are required.
If users are unable to upgrade to Solr 6.6.2 or Solr 7.1.0 then they
are advised to restart their Solr instances with the system parameter
-Ddisable.configEdit=true. This will disallow any changes to be made
to your configurations via the Config API. This is a key factor in
this vulnerability, since it allows GET requests to add the
RunExecutableListener to your config. Users are also advised to re-map
the XML Query Parser to another parser to mitigate the XXE
vulnerability. For example, adding the following to the solrconfig.xml
file re-maps the xmlparser to the edismax parser:
<queryParser name="xmlparser" class="solr.ExtendedDismaxQParserPlugin"/>
Credit:
References:
The Lucene PMC is pleased to announce the release of Apache Solr 7.1.0
Solr is the popular, blazing fast, open source NoSQL search platform from the Apache Lucene project. Its major features include powerful full-text search, hit highlighting, faceted search, dynamic clustering, database integration, rich document (e.g., Word, PDF) handling, and geospatial search. Solr is highly scalable, providing fault tolerant distributed search and indexing, and powers the search and navigation features of many of the world's largest internet sites.
The release is available for immediate download at:
https://www.apache.org/dyn/closer.lua/lucene/solr/7.1.0
Please read CHANGES.txt for a full list of new features and changes:
https://solr.apache.org/7_1_0/changes/Changes.html
Critical Security Update: Fix for CVE-2017-12629 which is a working 0-day exploit reported on the public mailing list.
Auto-scaling: Solr can now move replicas automatically when a new node is added or an existing node is removed using the auto scaling policy framework introduced in 7.0
Auto-scaling: The 'autoAddReplicas' feature which was limited to shared file systems is now available for all file systems. It has been ported to use the new autoscaling framework internally.
Auto-scaling: New set-trigger, remove-trigger, set-listener, remove-listener, suspend-trigger, resume-trigger APIs
Auto-scaling: New /autoscaling/history API to show past autoscaling actions and cluster events
New JSON based Query DSL for Solr that extends JSON Request API to also support all query parsers and their nested parameters
JSON Facet API: min/max aggregations are now supported on single-valued date fields
Lucene's Geo3D (surface of sphere & ellipsoid) is now supported on spatial RPT fields by setting spatialContextFactory="Geo3D". Furthermore, this is the first time Solr has out of the box support for polygons
Expanded support for statistical stream evaluators such as various distributions, rank correlations, distances and more.
Multiple other optimizations and bug fixes
You are encouraged to thoroughly read the "Upgrade Notes" at https://solr.apache.org/7_1_0/changes/Changes.html or in the CHANGES.txt file accompanying the release.
Solr 7.1 also includes many other new features as well as numerous optimizations and bugfixes of the corresponding Apache Lucene release.
Please secure your Solr servers since a zero-day exploit has been reported on a public mailing list. This has been assigned a public CVE (CVE-2017-12629) which we will reference in future communication about resolution and mitigation steps.
Here is what we're recommending and what we're doing now:
Until fixes are available, all Solr users are advised to restart their
Solr instances with the system property -Ddisable.configEdit=true.
This will disallow any changes to be made to configurations via the
Config API. This is a key factor in this vulnerability, since it allows
GET requests to add the RunExecutableListener to the config. This is
sufficient to protect you from this type of attack, but means you cannot
use the edit capabilities of the Config API until the other fixes
described below are in place. Users are also advised to remap
the XML Query Parser to another parser to mitigate the XXE
vulnerability. For example, adding the following to the solrconfig.xml
file maps the xmlparser to the edismax parser:
<queryParser name="xmlparser" class="solr.ExtendedDismaxQParserPlugin"/>
A new release of Lucene/Solr was in the vote phase, but we have now pulled it back to be able to address these issues in the upcoming 7.1 release. We will also determine mitigation steps for users on earlier versions, which may include a 6.6.2 release for users still on 6.x.
The RunExecutableListener will be removed in 7.1. It was previously used by Solr for index replication but has been replaced and is no longer needed.
The XML Parser will be fixed and the fixes will be included in the 7.1 release.
The 7.1 release was already slated to include a change to disable the
stream.body parameter by default, which will further help protect
systems.
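A configuration audit for the three mitigations named in this notice and in the CVE-2017-12629 advisory above, as an added example that is not code from the Solr project: it checks a solrconfig.xml for any RunExecutableListener, checks that the xmlparser name is re-mapped to a parser other than the XML query parser, and checks the JVM arguments for -Ddisable.configEdit=true. The two configuration fragments are constructed for the example (one as a vulnerable instance would look, one with the mitigations applied); the default class name solr.XmlQParserPlugin behind the xmlparser name is assumed here, so a deployment that binds the name to a differently named XML parser class would need that string adjusted.

```python
"""Audit solrconfig.xml and JVM flags for the CVE-2017-12629 mitigations.

Added example, not part of Apache Solr. Assumes the listener element,
its 'class' attribute and the queryParser element as used in solrconfig.xml,
and solr.XmlQParserPlugin as the class the xmlparser name normally resolves to.
"""
import xml.etree.ElementTree as ET

# Constructed: what an affected config looks like after the Config API has
# been used to register a RunExecutableListener (exe path is illustrative).
VULNERABLE_CONFIG = """
<config>
  <luceneMatchVersion>6.6.1</luceneMatchVersion>
  <updateHandler class="solr.DirectUpdateHandler2">
    <listener event="postCommit" class="solr.RunExecutableListener">
      <str name="exe">/opt/solr/bin/notify.sh</str>
    </listener>
  </updateHandler>
  <requestHandler name="/select" class="solr.SearchHandler"/>
</config>
"""

# Constructed: the same config with the listener removed and the xmlparser
# name re-mapped to edismax exactly as the notice recommends.
HARDENED_CONFIG = """
<config>
  <luceneMatchVersion>6.6.1</luceneMatchVersion>
  <updateHandler class="solr.DirectUpdateHandler2"/>
  <requestHandler name="/select" class="solr.SearchHandler"/>
  <queryParser name="xmlparser" class="solr.ExtendedDismaxQParserPlugin"/>
</config>
"""

XML_QPARSER_CLASS = "XmlQParserPlugin"        # assumed default binding
CONFIG_EDIT_FLAG = "-Ddisable.configEdit=true"


def audit_solrconfig(xml_text, jvm_args=()):
    """Return the set of findings; an empty set means all three mitigations hold."""
    root = ET.fromstring(xml_text)
    findings = set()

    # 1. A RunExecutableListener anywhere in the config (not only under
    #    updateHandler, since the Config API can add listeners elsewhere).
    for el in root.iter("listener"):
        if el.get("class", "").endswith("RunExecutableListener"):
            findings.add("run_executable_listener_present")

    # 2. The xmlparser name must be bound to something other than the XML
    #    query parser; no queryParser entry at all means the default applies.
    remapped = any(
        qp.get("name") == "xmlparser"
        and not qp.get("class", "").endswith(XML_QPARSER_CLASS)
        for qp in root.iter("queryParser")
    )
    if not remapped:
        findings.add("xmlparser_not_remapped")

    # 3. Config API editing must be switched off at JVM level.
    if CONFIG_EDIT_FLAG not in jvm_args:
        findings.add("config_edit_allowed")

    return findings


if __name__ == "__main__":
    print("vulnerable:", sorted(audit_solrconfig(VULNERABLE_CONFIG)))
    print("hardened:  ", sorted(audit_solrconfig(
        HARDENED_CONFIG, ("-Xmx1g", CONFIG_EDIT_FLAG))))
```

To audit a live node, read the JVM arguments from the running process (for example the Java command line in `ps` output) rather than from solr.in.sh, since the flag only counts if the process was actually restarted with it.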
Solr is the popular, blazing fast, open source NoSQL search platform from the Apache Lucene project. Its major features include powerful full-text search, hit highlighting, faceted search and analytics, rich document parsing, geospatial search, extensive REST APIs as well as parallel SQL. Solr is enterprise grade, secure and highly scalable, providing fault tolerant distributed search and indexing, and powers the search and navigation features of many of the world's largest internet sites.
Solr 7.0.1 is available for immediate download at: https://solr.apache.org/downloads.html
This release includes 2 bug fixes since the 7.0.0 release:
Solr 7.0 cannot read indexes from 6.x versions.
Message "Lock held by this virtual machine" during startup. Solr is trying to start some cores twice.
Furthermore, this release includes Apache Lucene 7.0.1 which includes 1 bug fix since the 7.0.0 release.
The release is available for immediate download at:
https://www.apache.org/dyn/closer.lua/lucene/solr/7.0.1
Please read CHANGES.txt for a detailed list of changes:
https://solr.apache.org/7_0_1/changes/Changes.html
The Lucene PMC is pleased to announce the release of the Apache Solr Reference Guide for Solr 7.0.
This 1,035-page PDF is the definitive guide to Solr. This version adds documentation for new features of Solr, plus detailed information about changes and deprecations you should know about when upgrading from Solr 6.x to Solr 7.0.
You can download the PDF from: https://www.apache.org/dyn/closer.cgi/lucene/solr/ref-guide/apache-solr-ref-guide-7.0.pdf.
An HTML version is also available from: https://solr.apache.org/guide/7_0/.
The Lucene PMC is pleased to announce the release of Apache Solr 7.0.0
Solr is the popular, blazing fast, open source NoSQL search platform from the Apache Lucene project. Its major features include powerful full-text search, hit highlighting, faceted search and analytics, rich document parsing, geospatial search, extensive REST APIs as well as parallel SQL. Solr is enterprise grade, secure and highly scalable, providing fault tolerant distributed search and indexing, and powers the search and navigation features of many of the world's largest internet sites.
Solr 7.0.0 is available for immediate download at: https://solr.apache.org/downloads.html
Replica Types - Solr 7 supports different replica types, which handle updates differently. In addition to pure NRT operation where all replicas build an index and keep a replication log, you can now also add so called PULL replicas, achieving the read-speed optimized benefits of a master/slave setup while at the same time keeping index redundancy.
Auto-scaling. Solr can now allocate new replicas to nodes using a new auto scaling policy framework. This framework will in future releases enable Solr to move shards around based on load, disk etc.
Indented JSON is now the default response format for all APIs, pass wt=xml and/or indent=off to use the previous unindented XML format.
The JSON Facet API now supports two-phase facet refinement to ensure accurate counts and statistics for facet buckets returned in distributed mode.
Streaming Expressions adds a new statistical programming syntax for the statistical analysis of sql queries, random samples, time series and graph result sets.
Analytics Component version 2.0, which now supports distributed collections, expressions over multivalued fields, a new JSON request language, and more.
The new v2 API, exposed at /api/ and also supported via SolrJ, is now the preferred API, but /solr/ continues to work.
A new '_default' configset is used if no config is specified at collection creation. The data-driven functionality of this configset indexes strings as analyzed text while at the same time copying to a '*_str' field suitable for faceting.
Solr 7 is tested with and verified to support Java 9.
See the Solr CHANGES.txt files included with the release for a full list of details.
CVE-2017-9803: Security vulnerability in kerberos delegation token functionality
Severity: Important
Vendor:
The Apache Software Foundation
Versions Affected:
Solr 6.2.0 to 6.6.0
Description:
Solr's Kerberos plugin can be configured to use delegation tokens, which allow an application to reuse the authentication of an end user or of another application. There are two issues with this functionality when a SecurityAwareZkACLProvider type of ACL provider (e.g. SaslZkACLProvider) is in use.
Firstly, access to the security configuration can be leaked to users other than the Solr super user. Secondly, malicious users can exploit this leaked configuration for privilege escalation, to further expose or modify private data and/or disrupt operations in the Solr cluster.
The vulnerability is fixed from Solr 6.6.1 onwards.
Mitigation:
6.x users should upgrade to 6.6.1
Credit:
This issue was discovered by Hrishikesh Gadre of Cloudera Inc.
References:
The Lucene PMC is pleased to announce the release of Apache Solr 6.6.1
Solr is the popular, blazing fast, open source NoSQL search platform from the Apache Lucene project. Its major features include powerful full-text search, hit highlighting, faceted search and analytics, rich document parsing, geospatial search, extensive REST APIs as well as parallel SQL. Solr is enterprise grade, secure and highly scalable, providing fault tolerant distributed search and indexing, and powers the search and navigation features of many of the world's largest internet sites.
Solr 6.6.1 is available for immediate download at: https://solr.apache.org/downloads.html
This release includes 15 bug fixes since the 6.6.0 release. Some of the major fixes are:
Standalone Solr loads UNLOADed core on request
ParallelStream should set the StreamContext when constructing SolrStreams
CloudSolrStream.toExpression incorrectly handles fq clauses
CoreContainer.load needs to send lazily loaded core descriptors to the proper list rather than send them all to the transient lists
Creating a core should write a core.properties file first and clean up on failure
Clean up a few details left over from pluggable transient core and untangling
Provide a way to know when Core Discovery is finished and when all async cores are done loading
CDCR bootstrapping can get into an infinite loop when a core is reloaded
SolrJmxReporter is broken on core reload. This resulted in some or most metrics not being reported via JMX after core reloads, depending on timing
Creating a core.properties fails if the parent of core.properties is a symlinked directory
StreamHandler should allow connections to be closed early
Certain admin UI pages would not load up correctly with kerberos enabled
Fix DOWNNODE -> queue-work znode explosion in ZooKeeper
Upgrade to Hadoop 2.7.4 to fix incompatibility with Java 9
Fix bin/solr.cmd so it can run properly on Java 9
Furthermore, this release includes Apache Lucene 6.6.1 which includes 2 bug fixes since the 6.6.0 release.
See the Solr CHANGES.txt files included with the release for a full list of details.
CVE-2017-7660: Security Vulnerability in secure inter-node communication in Apache Solr
Severity: Important
Vendor:
The Apache Software Foundation
Versions Affected:
Description:
Solr uses a PKI based mechanism to secure inter-node communication when security is enabled. It is possible to create a specially crafted node name that does not exist as part of the cluster and point it to a malicious node. This can trick the nodes in the cluster into believing that the malicious node is a member of the cluster. So, if Solr users have enabled the BasicAuth authentication mechanism using the BasicAuthPlugin, or if the user has implemented a custom authentication plugin which does not implement either "HttpClientInterceptorPlugin" or "HttpClientBuilderPlugin", their servers are vulnerable to this attack. Users who only use SSL without basic authentication, or those who use Kerberos, are not affected.
Mitigation:
Credit:
This issue was discovered by Noble Paul of Lucidworks Inc.
References:
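The advisory above turns on one check: a node name presented by a peer must be matched against the cluster's actual membership before any key attributed to that name is trusted. The following is an added illustration of that check, not Solr's own PKIAuthenticationPlugin code. It is a simplified model: an HMAC over the message stands in for the real public-key signature, the node names, keys and the "outside" host are constructed, and the flawed lookup models the behaviour described in the advisory (resolving a key from wherever a crafted node name points).

```python
"""Model of inter-node request verification with and without a cluster-membership check.

Added example for the CVE-2017-7660 bug class; it does not reproduce Solr's real
mechanism. HMAC-SHA256 stands in for the node's public-key signature (assumption), and
all cluster state below is constructed.
"""
import hashlib
import hmac
from typing import Callable, Dict, Optional

# Constructed cluster state, standing in for what ZooKeeper's live_nodes would hold.
LIVE_NODES = {"solr1:8983_solr", "solr2:8983_solr"}
NODE_KEYS = {"solr1:8983_solr": b"key-solr1", "solr2:8983_solr": b"key-solr2"}
# Constructed: a host that is not a cluster member but answers key lookups for its name.
OUTSIDE_KEYS = {"outside:8983_solr": b"key-outside"}


def sign(node_name: str, payload: bytes, key: bytes) -> str:
    """Tag a message with the sender's node name; the HMAC models the node's signature."""
    return hmac.new(key, node_name.encode() + b"\n" + payload, hashlib.sha256).hexdigest()


def key_lookup_unchecked(node_name: str) -> Optional[bytes]:
    """Flawed lookup: resolves the key from whatever host the node name points at."""
    return NODE_KEYS.get(node_name) or OUTSIDE_KEYS.get(node_name)


def key_lookup_checked(node_name: str) -> Optional[bytes]:
    """Hardened lookup: refuse any name that is not a current cluster member."""
    if node_name not in LIVE_NODES:
        return None
    return NODE_KEYS.get(node_name)


def verify_internode(node_name: str, payload: bytes, tag: str,
                     key_lookup: Callable[[str], Optional[bytes]]) -> bool:
    """Accept the message only if the key resolved for the claimed node verifies the tag."""
    key = key_lookup(node_name)
    if key is None:
        return False
    return hmac.compare_digest(sign(node_name, payload, key), tag)


def demo() -> Dict[str, bool]:
    """Compare both lookups on a genuine member message and on a non-member message."""
    payload = b"admin-request"
    legit = sign("solr1:8983_solr", payload, NODE_KEYS["solr1:8983_solr"])
    outside = sign("outside:8983_solr", payload, OUTSIDE_KEYS["outside:8983_solr"])
    return {
        "legit_checked": verify_internode("solr1:8983_solr", payload, legit, key_lookup_checked),
        # Without the membership check the non-member is accepted: this is the flaw.
        "outside_unchecked": verify_internode("outside:8983_solr", payload, outside, key_lookup_unchecked),
        "outside_checked": verify_internode("outside:8983_solr", payload, outside, key_lookup_checked),
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case}: {'accepted' if accepted else 'rejected'}")
```

The point of the comparison is that a correct signature is not enough: the tag from the outside host verifies under its own key, so acceptance must be gated on where the key came from, which is what the membership check in key_lookup_checked enforces.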
The Lucene PMC is pleased to announce the release of Apache Solr 6.6.0
Solr is the popular, blazing fast, open source NoSQL search platform from the Apache Lucene project. Its major features include powerful full-text search, hit highlighting, faceted search and analytics, rich document parsing, geospatial search, extensive REST APIs as well as parallel SQL. Solr is enterprise grade, secure and highly scalable, providing fault tolerant distributed search and indexing, and powers the search and navigation features of many of the world's largest internet sites.
Solr 6.6.0 is available for immediate download at: https://solr.apache.org/downloads.html
Payload support with payload() value source and {!payload_score} and {!payload_check} query parsers
Solr support for SimpleTextCodec
Multi-field support to TermsComponent when requesting terms' statistics
New AtomicUpdateProcessor to convert normal update operations to atomic update operations
UPLOAD command (Config Set API) for uploading zipped configsets
MOVEREPLICA command (Collections API) for moving a replica across nodes
LISTALIASES command (Collections API) to return a list of all collection aliases
STATUS command (Core Admin API) to emit collection details of each core
Basic authentication can be enabled/disabled using bin/solr|bin/solr.cmd
Solr default/example uses WordDelimiterGraphFilterFactory and SynonymGraphFilterFactory
Expose cache statistics using metrics API
CloudSolrClient can now be initialized using the base URL of a Solr instance instead of ZooKeeper hosts
Grouping, CollapseQParser and ExpandComponent support with PointFields
Variance and Standard Deviation aggregators for the JSON Facet API
JSON Faceting now supports a query time 'join' domain change option
CartesianProductStream, which turns a single tuple with a multi-valued field into N tuples, one for each value in the multi-valued field
New Streaming Evaluators: Basic math, UUID, Date/time, correlation, regress, predict, covariance, convolution, normalize
New Streaming Expressions: shuffle, echo, eval, timeseries, let, get, tuple
See the Solr CHANGES.txt files included with the release for a full list of details.
The Lucene PMC is pleased to announce the release of Apache Solr 6.5.1
Solr is the popular, blazing fast, open source NoSQL search platform from the Apache Lucene project. Its major features include powerful full-text search, hit highlighting, faceted search and analytics, rich document parsing, geospatial search, extensive REST APIs as well as parallel SQL. Solr is enterprise grade, secure and highly scalable, providing fault tolerant distributed search and indexing, and powers the search and navigation features of many of the world's largest internet sites.
Solr 6.5.1 is available for immediate download at: https://solr.apache.org/downloads.html
This release includes 11 bug fixes since the 6.5.0 release. Some of the major fixes are:
bin\solr.cmd delete and healthcheck now work again; fixed continuation chars ^
Fix debug related NullPointerException in solr/contrib/ltr OriginalScoreFeature class.
The JSON output of /admin/metrics is fixed to write the container as a map (SimpleOrderedMap) instead of an array (NamedList).
On 'downnode', lots of wasteful mutations are done to ZK.
Fix params persistence for solr/contrib/ltr (MinMax|Standard)Normalizer classes.
The fetch() streaming expression wouldn't work if a value included query syntax chars (like :+-). Fixed, and enhanced the generated query to not pollute the queryCache.
Disable graph query production via schema configuration <fieldtype ... enableGraphQueries="false">. This fixes broken queries for ShingleFilter-containing query-time analyzers when request param sow=false.
Fix indexed="false" on numeric PointFields
SQL AVG function mis-interprets field type.
SQL interface does not use client cache.
edismax with sow=false fails to create dismax-per-term queries when any field is boosted.
Furthermore, this release includes Apache Lucene 6.5.1 which includes 3 bug fixes since the 6.5.0 release.
See the Solr CHANGES.txt files included with the release for a full list of details.
The Lucene PMC is pleased to announce the release of Apache Solr 6.5.0.
Solr is the popular, blazing fast, open source NoSQL search platform from the Apache Lucene project. Its major features include powerful full-text search, hit highlighting, faceted search and analytics, rich document parsing, geospatial search, extensive REST APIs as well as parallel SQL. Solr is enterprise grade, secure and highly scalable, providing fault tolerant distributed search and indexing, and powers the search and navigation features of many of the world's largest internet sites.
Solr 6.5.0 is available for immediate download at: https://solr.apache.org/downloads.html
PointFields (fixed-width multi-dimensional numeric & binary types enabling fast range search) are now supported
In-place updates to numeric docValues fields (single valued, non-stored, non-indexed) supported using atomic update syntax
A new LatLonPointSpatialField that uses points or doc values for query
It is now possible to declare a field as "large" in order to bypass the document cache
New sow=false request param (split-on-whitespace) for edismax & standard query parsers enables query-time multi-term synonyms
XML QueryParser (defType=xmlparser) now supports span queries
hl.maxAnalyzedChars now has a consistent default across highlighters
UnifiedSolrHighlighter and PostingsSolrHighlighter now support CustomSeparatorBreakIterator
Scoring formula is adjusted for the scoreNodes function
Calcite Planner now applies constant Reduction Rules to optimize plans
A new significantTerms Streaming Expression that is able to extract the significant terms in an index
StreamHandler is now able to use runtimeLib jars
Arithmetic operations are added to the SelectStream
Added modernized self-documenting /v2 API
The .system collection is now created on first request if it does not exist
Admin UI: Added shard deletion button
Metrics API now supports non-numeric metrics (version, disk type, component state, system properties...)
The disk free and aggregated disk free metrics are now reported
The DirectUpdateHandler2 now implements MetricsProducer and exposes stats via the metrics api and configured reporters.
BlockCache is faster due to fewer failures when caching a new block
MMapDirectoryFactory now supports "preload" option to ask mapped pages to be loaded into physical memory on init
Security: BasicAuthPlugin now supports standalone mode
Arbitrary java system properties can be passed to zkcli
SolrHttpClientBuilder can be configured via java system property
Javadocs and Changes.html are no longer included in the binary distribution, but are hosted online
See the Solr CHANGES.txt files included with the release for a full list of details.
The Lucene PMC is pleased to announce the release of Apache Solr 6.4.2.
Solr is the popular, blazing fast, open source NoSQL search platform from the Apache Lucene project. Its major features include powerful full-text search, hit highlighting, faceted search and analytics, rich document parsing, geospatial search, extensive REST APIs as well as parallel SQL. Solr is enterprise grade, secure and highly scalable, providing fault tolerant distributed search and indexing, and powers the search and navigation features of many of the world's largest internet sites.
Solr 6.4.2 is available for immediate download at: https://solr.apache.org/downloads.html
Fixed: Serious performance degradation in Solr 6.4 due to the metrics collection. IndexWriter metrics collection turned off by default, directory level metrics collection completely removed (until a better design is found)
Fixed: Transaction log replay can hit a NullPointerException due to new Metrics code
Fixed: NullPointerException in CloudSolrClient when reading stale alias
Fixed: UnifiedHighlighter and PostingsHighlighter bug in PrefixQuery and TermRangeQuery for multi-byte text
See the Solr CHANGES.txt files included with the release for a full list of details.
The Lucene PMC is pleased to announce that the Solr Reference Guide for Solr 6.4 has been released.
This 763-page PDF is the definitive guide to using Apache Solr. It can be downloaded from:
https://www.apache.org/dyn/closer.cgi/lucene/solr/ref-guide/apache-solr-ref-guide-6.4.pdf
The Lucene PMC is pleased to announce the release of Apache Solr 5.5.4.
Solr is the popular, blazing fast, open source NoSQL search platform from the Apache Lucene project. Its major features include powerful full-text search, hit highlighting, faceted search and analytics, rich document parsing, geospatial search, extensive REST APIs as well as parallel SQL. Solr is enterprise grade, secure and highly scalable, providing fault tolerant distributed search and indexing, and powers the search and navigation features of many of the world's largest internet sites.
Solr 5.5.4 is available for immediate download at: https://solr.apache.org/downloads.html
Better validation of filename params in ReplicationHandler
Upgraded commons-fileupload to 1.3.2, fixing a potential vulnerability CVE-2016-3092
See the Solr CHANGES.txt files included with the release for a full list of details.
CVE-2017-3163: Apache Solr ReplicationHandler path traversal attack
Severity: Moderate
Vendor:
The Apache Software Foundation
Versions Affected:
Solr 1.4 to 6.4.0
Description:
When using the Index Replication feature, Solr nodes can pull index files from a master/leader node using an HTTP API which accepts a file name. However, Solr did not validate the file name, so it was possible to craft a special request involving path traversal, exposing any file readable by the Solr server process. Solr servers protected and restricted by firewall rules and/or authentication would not be at risk, since only trusted clients and users would gain direct HTTP access.
Mitigation:
Credit:
This issue was discovered by Hrishikesh Gadre of Cloudera Inc.
References:
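The fix listed in the 5.5.4 and 6.4.1 release notes, "Better validation of filename params in ReplicationHandler", is the mitigation for the advisory above. The following is an added illustration of what such validation looks like, with a small detection helper that runs the same check over access-log lines; it is not Solr's own ReplicationHandler code. The request path, the `file` parameter name and the log lines are constructed for the example.

```python
"""Defensive filename validation for an index-file download endpoint, illustrating the
CVE-2017-3163 bug class. Added example, not Solr's own code; the request shape and the
`file` parameter name in the constructed log lines are assumptions."""
import os
from typing import List, Optional, Tuple
from urllib.parse import parse_qs, urlsplit


def is_safe_index_filename(name: str) -> bool:
    """Accept only a bare file name naming an entry directly inside the index directory.

    Rejects empty names, NUL bytes, POSIX and Windows separators and the '.'/'..' entries,
    so a value such as "../solr.xml" can never leave the index directory.
    """
    if not name or "\0" in name:
        return False
    if "/" in name or "\\" in name:
        return False
    if name in (".", ".."):
        return False
    return True


def resolve_index_file(index_dir: str, name: str) -> Optional[str]:
    """Return the absolute path of `name` inside `index_dir`, or None if it is rejected.

    Second line of defence: after the lexical check, confirm that the normalised path is
    still a direct child of the index directory.
    """
    if not is_safe_index_filename(name):
        return None
    base = os.path.normpath(os.path.abspath(index_dir))
    candidate = os.path.normpath(os.path.join(base, name))
    if os.path.dirname(candidate) != base:
        return None
    return candidate


def flag_traversal_requests(log_lines: List[str]) -> List[Tuple[int, str]]:
    """Detection side: return (line number, decoded file value) for every access-log line
    whose `file` query parameter fails validation. parse_qs decodes percent-encoding, so
    encoded separators are caught as well as literal ones."""
    flagged = []
    for number, line in enumerate(log_lines, 1):
        fields = line.split()
        if len(fields) < 2:
            continue
        query = parse_qs(urlsplit(fields[1]).query)
        for value in query.get("file", []):
            if not is_safe_index_filename(value):
                flagged.append((number, value))
    return flagged


# Constructed access-log lines (client address, request target); not real Solr logs.
SAMPLE_LOG = [
    "10.0.0.5 /solr/core1/replication?command=filecontent&file=_0.cfs&generation=2",
    "10.0.0.9 /solr/core1/replication?command=filecontent&file=..%2F..%2Fsolr.xml&generation=2",
    "10.0.0.5 /solr/core1/select?q=*:*",
]

if __name__ == "__main__":
    for number, value in flag_traversal_requests(SAMPLE_LOG):
        print(f"line {number}: rejected file parameter {value!r}")
```

The validator is deliberately an allow-list on shape (a bare name, nothing else) rather than a deny-list of traversal sequences; the path check in resolve_index_file is a second, independent guard so that a future change to the name rules cannot silently reopen the directory.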
The Lucene PMC is pleased to announce the release of Apache Solr 6.4.1.
Solr is the popular, blazing fast, open source NoSQL search platform from the Apache Lucene project. Its major features include powerful full-text search, hit highlighting, faceted search and analytics, rich document parsing, geospatial search, extensive REST APIs as well as parallel SQL. Solr is enterprise grade, secure and highly scalable, providing fault tolerant distributed search and indexing, and powers the search and navigation features of many of the world's largest internet sites.
Solr 6.4.1 is available for immediate download at: https://solr.apache.org/downloads.html
"Plugin/Stats" section of the UI doesn't display empty metric types
SOLR_SSL_OPTS was mistakenly overwritten in solr.cmd
Better validation of filename params in ReplicationHandler
Core swapping did not work with new metrics changes in place
Admin UI could not find DataImport handlers due to metrics changes
AnalyzingInfixSuggester/BlendedInfixSuggester now work with core reload
See the Solr CHANGES.txt files included with the release for a full list of details.
The Lucene PMC is pleased to announce the release of Apache Solr 6.4.0.
Solr is the popular, blazing fast, open source NoSQL search platform from the Apache Lucene project. Its major features include powerful full-text search, hit highlighting, faceted search and analytics, rich document parsing, geospatial search, extensive REST APIs as well as parallel SQL. Solr is enterprise grade, secure and highly scalable, providing fault tolerant distributed search and indexing, and powers the search and navigation features of many of the world's largest internet sites.
Solr 6.4.0 is available for immediate download at: https://solr.apache.org/downloads.html
Streaming:
Addition of a HavingStream to Streaming API and Streaming Expressions
Addition of a priority Streaming Expression
Streaming expressions now support collection aliases
Machine Learning:
Faceting:
Added "param" query type to facet domain filter specification to obtain filters via query parameters
Any facet command can be filtered using a new parameter filter. Example: { type:terms, field:category, filter:"user:yonik" }
Scripts / Command line:
A new command-line tool to manage the snapshots functionality
bin/solr and bin/solr.cmd now use mkroot command
SolrCloud / SolrJ
LukeResponse now supports dynamic fields
Solrj client now supports hierarchical clusters and other topics marker
Collection backup/restore are extensible.
Security:
Support Secure Impersonation / Proxy User for Solr authentication
Key Store type can be specified in solr.in.sh file for SSL
New generic authentication plugins: 'HadoopAuthPlugin' and 'ConfigurableInternodeAuthHadoopPlugin' that delegate all functionality to Hadoop authentication framework
Query / QueryParser / Highlighting:
A new highlighter: The Unified Highlighter. Try it via hl.method=unified; many popular highlighting parameters / features are supported. It's the highest performing highlighter, especially for large documents. Highlighting phrase queries and exotic queries are supported equally as well as the Original Highlighter (aka the default/standard one). Please use this new highlighter and report issues since it will likely become the default one day.
Leading wildcards in the complexphrase query parser are now accepted, and are optimized with the ReversedWildcardFilterFactory when it's provided
Metrics:
Use metrics-jvm library to instrument jvm internals such as GC, memory usage and others.
A lot of metrics have been added to the collection: index merges, index store I/Os, query, update, core admin, core load thread pools, shard replication, tlog replay and replicas
A new /admin/metrics API to return all metrics collected by Solr via API.
Misc changes:
The new config parameter 'maxRamMB' can now limit the memory consumed by the FastLRUCache
A new document processor 'SkipExistingDocumentsProcessor' that skips duplicate inserts and ignores updates to missing docs
FieldCache information fetched via the mbeans handler or seen via the UI now displays the total size used.
A new config flag 'enable' allows any cache to be enabled or disabled
Please note, this release cannot be built from source with Java 8 update 121, use an earlier version instead! This is caused by a bug introduced into the Javadocs tool shipped with that update. The workaround was too late for this Lucene release. Of course, you can use the binary artifacts.
See the Solr CHANGES.txt files included with the release for a full list of details.
The Lucene PMC is pleased to announce that the Solr Reference Guide for Solr 6.3 has been released.
This 736-page PDF is the definitive guide to using Apache Solr. It can be downloaded from:
https://www.apache.org/dyn/closer.cgi/lucene/solr/ref-guide/apache-solr-ref-guide-6.3.pdf
The Lucene PMC is pleased to announce the release of Apache Solr 6.3.0.
Solr is the popular, blazing fast, open source NoSQL search platform from the Apache Lucene project. Its major features include powerful full-text search, hit highlighting, faceted search and analytics, rich document parsing, geospatial search, extensive REST APIs as well as parallel SQL. Solr is enterprise grade, secure and highly scalable, providing fault tolerant distributed search and indexing, and powers the search and navigation features of many of the world's largest internet sites.
Solr 6.3.0 is available for immediate download at: https://solr.apache.org/downloads.html
DocValues, streaming, /export, machine learning
Optimize, store and deploy AI models in Solr
Ability to add custom streaming expressions
New streaming expressions such as "fetch", "executor", and "commit" added.
Parallel SQL accepts <, >, =, etc., symbols.
Support facet scoring with the scoreNodes expression
Retrieving docValues as stored values was sped up by using the proper leaf reader rather than asking for a global view. In extreme cases, this leads to a 100x speedup.
Faceting:
facet.method=enum can bypass the exact count calculation with facet.exists=true; it then just returns 1 for terms which exist in the result docset
Add "overrequest" parameter to JSON Facet API to control amount of overrequest on a distributed terms facet
Logging:
You can now set Solr's log level through environment variable SOLR_LOG_LEVEL
GC logs are rotated by JVM to a max of 9 files, and backed up via bin/solr scripts
Solr's logging verbosity at the INFO level has been greatly reduced by moving much logging to DEBUG level
The solr-8983-console.log file now only logs STDOUT and STDERR output, not all log4j logs as before
Solr's main log file, solr.log, is now written to SOLR_LOGS_DIR without changing log4j.properties
Start scripts:
Allow 180 seconds for shutdown before killing solr (configurable, old limit 5s) (Unix only)
Start scripts now exit with an informative message if the wrong Java version is used
Fixed "bin/solr.cmd zk upconfig" command which was broken on windows
You can now ask for DEBUG logging simply with '-v' option, and for WARN logging with '-q' option
SolrCloud:
The DELETEREPLICA API can accept a 'count' parameter and remove "count" number of replicas from each shard if the shard name is not provided
The config API shows expanded useParams for request handlers inline
Ability to create/delete/list snapshots at collection level
The modify collection API now waits for the modified properties to show up in the cluster state before returning
Many bug fixes related to SolrCloud recovery for data safety and faster recovery times.
Security:
SolrJ now supports Kerberos delegation tokens
Pooled SSL connections were not being re-used. This is now fixed.
Fix for the blockUnknown property which made inter-node communication impossible
Support SOLR_AUTHENTICATION_OPTS and SOLR_AUTHENTICATION_CLIENT_CONFIGURER in windows bin/solr.cmd script
New parameter -u
Misc changes:
Optimizations to lower memory allocations when indexing JSON as well as for replication between solr cloud nodes.
A new Excel workbook (.xlsx) response writer has been added. Use 'wt=xlsx' request parameter on a query request to enable.
See the Solr CHANGES.txt files included with the release for a full list of details.
The Lucene PMC is pleased to announce the release of Apache Solr 6.2.1
Solr is the popular, blazing fast, open source NoSQL search platform from the Apache Lucene project. Its major features include powerful full-text search, hit highlighting, faceted search, dynamic clustering, database integration, rich document (e.g., Word, PDF) handling, and geospatial search. Solr is highly scalable, providing fault tolerant distributed search and indexing, and powers the search and navigation features of many of the world's largest internet sites.
This release includes 11 bug fixes since the 6.2.0 release. Some of the major fixes are:
SOLR-9490: BoolField always returning false for non-DV fields when javabin involved (via solrj, or intra node communication)
SOLR-9188: BlockUnknown property makes inter-node communication impossible
SOLR-9389: HDFS Transaction logs stay open for writes which leaks Xceivers
SOLR-9438: Shard split can fail to write commit data on shutdown leading to data loss
Furthermore, this release includes Apache Lucene 6.2.1 which includes 3 bug fixes since the 6.2.0 release.
The release is available for immediate download at: https://www.apache.org/dyn/closer.lua/lucene/solr/6.2.1
See the CHANGES.txt file included with the release for a detailed list of changes.
The Lucene PMC is pleased to announce that the Solr Reference Guide for Solr 6.2 has been released.
This 717-page PDF is the definitive guide to using Apache Solr. It can be downloaded from:
https://www.apache.org/dyn/closer.cgi/lucene/solr/ref-guide/apache-solr-ref-guide-6.2.pdf
The Lucene PMC is pleased to announce the release of Apache Solr 5.5.3
Solr is the popular, blazing fast, open source NoSQL search platform from the Apache Lucene project. Its major features include powerful full-text search, hit highlighting, faceted search, dynamic clustering, database integration, rich document (e.g., Word, PDF) handling, and geospatial search. Solr is highly scalable, providing fault tolerant distributed search and indexing, and powers the search and navigation features of many of the world's largest internet sites.
This release includes 5 bug fixes since the 5.5.2 release.
This release in particular contains 2 critical fixes:
The number of TCP connections in CLOSE_WAIT state no longer spikes during indexing
PeerSync no longer fails on a node restart due to IndexFingerPrint mismatch
The release is available for immediate download at: https://www.apache.org/dyn/closer.lua/lucene/solr/5.5.3
See the CHANGES.txt file included with the release for a detailed list of changes.
The Lucene PMC is pleased to announce the release of Apache Solr 6.2.0.
Solr is the popular, blazing fast, open source NoSQL search platform from the Apache Lucene project. Its major features include powerful full-text search, hit highlighting, faceted search and analytics, rich document parsing, geospatial search, extensive REST APIs as well as parallel SQL. Solr is enterprise grade, secure and highly scalable, providing fault tolerant distributed search and indexing, and powers the search and navigation features of many of the world's largest internet sites.
Solr 6.2.0 is available for immediate download at: https://solr.apache.org/downloads.html
Solr 6.2 Release Highlights:
DocValues, streaming, /export, machine learning
DocValues can now be used with BoolFields
Date and boolean support added to /export handler
Add "scoreNodes" streaming graph expression
Support parallel ETL with the "topic" expression
Feature selection and logistic regression on text via new streaming expressions: "features" and "train"
bin/solr script
Add basic auth support to the bin/solr script
File operations to/from Zookeeper are now supported
SolrCloud
New tag 'role' in replica placement rules, e.g. rule=role:!overseer keeps new replicas off overseer nodes
CDCR: fall back to whole-index replication when tlogs are insufficient
New REPLACENODE command to decommission an existing node and replace it with another new node
New DELETENODE command to delete all replicas on a node
Security
Add Kerberos delegation token support
Support secure impersonation / proxy user for Kerberos authentication
Misc changes
A large number of regressions were fixed in the new Admin UI
New boolean comparison function queries comparing numeric arguments: gt, gte, lt, lte, eq
Upgraded Extraction module to Apache Tika 1.13.
Updated to Hadoop 2.7.2
See the CHANGES.txt file included with the release for a detailed list of changes.
The Lucene PMC is pleased to announce the release of Apache Solr 5.5.2
Solr is the popular, blazing fast, open source NoSQL search platform from the Apache Lucene project. Its major features include powerful full-text search, hit highlighting, faceted search, dynamic clustering, database integration, rich document (e.g., Word, PDF) handling, and geospatial search. Solr is highly scalable, providing fault tolerant distributed search and indexing, and powers the search and navigation features of many of the world's largest internet sites.
This release includes 38 bug fixes, documentation updates, etc., since the 5.5.1 release.
The release is available for immediate download at: https://www.apache.org/dyn/closer.lua/lucene/solr/5.5.2
See the CHANGES.txt file included with the release for a detailed list of changes.
The Lucene PMC is pleased to announce the release of Apache Solr 6.1.0.
Solr is the popular, blazing fast, open source NoSQL search platform from the Apache Lucene project. Its major features include powerful full-text search, hit highlighting, faceted search and analytics, rich document parsing, geospatial search, extensive REST APIs as well as parallel SQL. Solr is enterprise grade, secure and highly scalable, providing fault tolerant distributed search and indexing, and powers the search and navigation features of many of the world's largest internet sites.
Solr 6.1.0 is available for immediate download at: https://solr.apache.org/downloads.html
Solr 6.1 Release Highlights:
Added graph traversal support, and new "sort" and "random" streaming expressions. It's also now possible to create streaming expressions with the Solr Admin UI.
Fixed the ENUM faceting method to not be unnecessarily rewritten to FCS, which was causing slowdowns.
Reduced garbage creation when creating cache entries.
New [subquery] document transformer to obtain related documents per result doc.
EmbeddedSolrServer allocates heap much more wisely, even with a plain document list without callbacks.
New GeoJSON response writer for encoding geographic data in query responses.
See the CHANGES.txt file included with the release for a detailed list of changes.
The Lucene PMC is pleased to announce the release of Apache Solr 6.0.1
Solr is the popular, blazing fast, open source NoSQL search platform from the Apache Lucene project. Its major features include powerful full-text search, hit highlighting, faceted search, dynamic clustering, database integration, rich document (e.g., Word, PDF) handling, and geospatial search. Solr is highly scalable, providing fault tolerant distributed search and indexing, and powers the search and navigation features of many of the world's largest internet sites.
This release includes 31 bug fixes, documentation updates, etc., since the 6.0.0 release.
The release is available for immediate download at: https://www.apache.org/dyn/closer.lua/lucene/solr/6.0.1
See the CHANGES.txt file included with the release for a detailed list of changes.
The Lucene PMC is pleased to announce the release of Apache Solr 5.5.1
Solr is the popular, blazing fast, open source NoSQL search platform from the Apache Lucene project. Its major features include powerful full-text search, hit highlighting, faceted search, dynamic clustering, database integration, rich document (e.g., Word, PDF) handling, and geospatial search. Solr is highly scalable, providing fault tolerant distributed search and indexing, and powers the search and navigation features of many of the world's largest internet sites.
Solr 5.5.1 is available for immediate download at: https://www.apache.org/dyn/closer.lua/lucene/solr/5.5.1
This release contains a number of bug fixes for Solr, as well as Lucene.
See the CHANGES.txt file included with the release for a full list of details.
The Lucene PMC is pleased to announce the release of the Solr Reference Guide for 6.0.
The Guide has been extensively updated for Solr 6.0, with new sections on Parallel SQL and Cross Data Center Replication.
The 660 page PDF can be downloaded from https://www.apache.org/dyn/closer.cgi/lucene/solr/ref-guide/apache-solr-ref-guide-6.0.pdf.
The Lucene PMC is pleased to announce the release of Apache Solr 6.0.0
Solr is the popular, blazing fast, open source NoSQL search platform from the Apache Lucene project. Its major features include powerful full-text search, hit highlighting, faceted search, dynamic clustering, database integration, rich document (e.g., Word, PDF) handling, and geospatial search. Solr is highly scalable, providing fault tolerant distributed search and indexing, and powers the search and navigation features of many of the world's largest internet sites.
Solr 6.0.0 is available for immediate download at: https://solr.apache.org/downloads.html
See the CHANGES.txt
Solr 6.0 Release Highlights:
Improved defaults for "Similarity" used in Solr, in order to provide better default experience for new users.
Improved "Similarity" defaults for users upgrading: DefaultSimilarityFactory has been removed, implicit default Similarity has been changed to SchemaSimilarityFactory, and SchemaSimilarityFactory has been modified to use BM25Similarity as the default for field types that do not explicitly declare a Similarity.
Deprecated GET methods for schema are now accessible through the bulk API. The output has fewer details and is not backward compatible.
Users should set useDocValuesAsStored="false" to preserve sort order on multi-valued fields that have both stored="true" and docValues="true".
Formatted date-times are more consistent with ISO-8601. BC dates are now better supported since they are now formatted with a leading '-'. AD years after 9999 have a leading '+'. Parse exceptions have been improved.
Deprecated SolrServer and subclasses have been removed, use SolrClient instead.
The deprecated SolrClient.shutdown() has been removed, use SolrClient.close() instead.
The deprecated zkCredientialsProvider element in solrcloud section of solr.xml is now removed. Use the correct spelling (zkCredentialsProvider) instead.
Added support for executing Parallel SQL queries across SolrCloud collections. Includes StreamExpression support and a new JDBC Driver for the SQL Interface.
New features and capabilities added to the streaming API.
Added support for SELECT DISTINCT queries to the SQL interface.
New GraphQuery to enable graph traversal as a query operator.
New support for Cross Data Center Replication consisting of active/passive replication for separate SolrClouds hosted in separate data centers.
Filter support added to Real-time get.
Column alias support added to the Parallel SQL Interface.
New command added to switch between non-secure and secure mode in ZooKeeper.
Now possible to use IP fragments in replica placement rules.
The Lucene PMC is pleased to announce the release of Apache Solr 5.5.0
Solr is the popular, blazing fast, open source NoSQL search platform from the Apache Lucene project. Its major features include powerful full-text search, hit highlighting, faceted search, dynamic clustering, database integration, rich document (e.g., Word, PDF) handling, and geospatial search. Solr is highly scalable, providing fault tolerant distributed search and indexing, and powers the search and navigation features of many of the world's largest internet sites.
Solr 5.5.0 is available for immediate download at: https://solr.apache.org/downloads.html
See the CHANGES.txt file included with the release for a full list of details.
This is expected to be the last 5.x feature release before Solr 6.0.
Release Highlights:
The schema version has been increased to 1.6, and Solr now returns non-stored doc values fields along with stored fields
The PERSIST CoreAdmin action has been removed
The mergePolicy element is deprecated in favor of a similar mergePolicyFactory element, in solrconfig.xml
CheckIndex now works on HdfsDirectory
RuleBasedAuthorizationPlugin now allows wildcards in the role, and accepts an 'all' permission
Users can now choose compression mode in SchemaCodecFactory
Solr now supports Lucene's XMLQueryParser
Collections APIs now have async support
Uninverted field faceting is re-enabled, for higher performance on rarely changing indices
Also available is the Solr Reference Guide for Solr 5.5. This PDF serves as the definitive user's manual for Solr 5.5. It can be downloaded from the Apache mirror network: https://s.apache.org/Solr-Ref-Guide-PDF
As of January 23rd 2016, Lucene/Solr source code is hosted in Apache's Git repository. This means that the old SVN repository is now stale and should not be used. For information on working with Git, please consult the Solr web site and the wiki.
The GitHub mirror remains at the same location as before, but the contents have changed. We now have one unified repo preserving the full history of both Lucene and Solr. If you had a GitHub fork, you will find that it has changed its "forked from" location, and any Pull Request will go to that other fork instead of to the Lucene developers. The only known solution is to delete your existing fork and re-fork from GitHub.
If you had active code changes and Pull Requests against our old GitHub mirror, please see the wiki for some suggestions on how to proceed.
The PMC is happy to answer any question you may have regarding this change.
The Lucene PMC is pleased to announce the release of Apache Solr 5.3.2
Solr is the popular, blazing fast, open source NoSQL search platform from the Apache Lucene project. Its major features include powerful full-text search, hit highlighting, faceted search, dynamic clustering, database integration, rich document (e.g., Word, PDF) handling, and geospatial search. Solr is highly scalable, providing fault tolerant distributed search and indexing, and powers the search and navigation features of many of the world's largest internet sites.
Solr 5.3.2 is available for immediate download at: https://www.apache.org/dyn/closer.lua/lucene/solr/5.3.2
This release contains a number of bug fixes for Solr, as well as Lucene.
See the CHANGES.txt file included with the release for a full list of details.
The Lucene PMC is pleased to announce the release of Apache Solr 5.4.1
Solr is the popular, blazing fast, open source NoSQL search platform from the Apache Lucene project. Its major features include powerful full-text search, hit highlighting, faceted search, dynamic clustering, database integration, rich document (e.g., Word, PDF) handling, and geospatial search. Solr is highly scalable, providing fault tolerant distributed search and indexing, and powers the search and navigation features of many of the world's largest internet sites.
Solr 5.4.1 is available for immediate download at: https://solr.apache.org/downloads.html
This release especially contains a fix for a faceting bug that could cause facet counts to include deleted documents and a fix for a corruption bug that was introduced in version 5.4.0. If you are on 5.4.0 and using BINARY, SORTED_NUMERIC or SORTED_SET doc values, upgrading to 5.4.1 is strongly recommended.
See the CHANGES.txt file included with the release for a full list of details.
Hot on the heels of the Solr 5.4.0 release (see below), the Lucene PMC is pleased to announce the release of the Apache Solr Reference Guide for Solr 5.4.
This 598 page PDF file can be downloaded from https://www.apache.org/dyn/closer.cgi/lucene/solr/ref-guide/.
The Lucene PMC is pleased to announce the release of Apache Solr 5.4.0
The release can be downloaded from https://solr.apache.org/downloads.html
The Lucene PMC is pleased to announce the release of Apache Solr 5.3.1
The release can be downloaded from https://solr.apache.org/downloads.html
Solr is the popular, blazing fast, open source NoSQL search platform from the Apache Lucene project. Its major features include powerful full-text search, hit highlighting, faceted search, dynamic clustering, database integration, rich document (e.g., Word, PDF) handling, and geospatial search. Solr is highly scalable, providing fault tolerant distributed search and indexing, and powers the search and navigation features of many of the world's largest internet sites.
Solr 5.3.0 is available for immediate download at: https://solr.apache.org/downloads.html
Solr 5.3 Release Highlights:
See the CHANGES.txt file included with the release for a full list of details.
Please report any feedback to the mailing lists
The Lucene PMC is pleased to announce the release of Apache Solr 5.2.1
Solr is the popular, blazing fast, open source NoSQL search platform from the Apache Lucene project. Its major features include powerful full-text search, hit highlighting, faceted search, dynamic clustering, database integration, rich document (e.g., Word, PDF) handling, and geospatial search. Solr is highly scalable, providing fault tolerant distributed search and indexing, and powers the search and navigation features of many of the world's largest internet sites.
This release contains various bug fixes and optimizations since the 5.2.0 release. The release is available for immediate download at: https://solr.apache.org/downloads.html
See the CHANGES.txt file included with the release for a full list of details.
Solr 5.2.1 includes 8 bug fixes and 2 other changes.
Release Highlights:
See the CHANGES.txt file included with the release for a full list of changes and further details.
Please report any feedback to the mailing lists
Solr is the popular, blazing fast, open source NoSQL search platform from the Apache Lucene project. Its major features include powerful full-text search, hit highlighting, faceted search, dynamic clustering, database integration, rich document (e.g., Word, PDF) handling, and geospatial search. Solr is highly scalable, providing fault tolerant distributed search and indexing, and powers the search and navigation features of many of the world's largest internet sites.
Solr 5.2.0 is available for immediate download at: https://solr.apache.org/downloads.html
See the CHANGES.txt file included with the release for a full list of details.
Solr 5.2.0 Release Highlights:
Restore API allows restoring a core from an index backup.
JSON Facet API
A new "facet.range.method" parameter to let users choose how to do range faceting between an implementation based on filters (previous algorithm, using "facet.range.method=filter") or DocValues ("facet.range.method=dv")
Rule-based Replica assignment during collection, shard, and replica creation.
Stats component:
Solr security
Solr Streaming Expressions. See https://cwiki.apache.org/confluence/display/solr/Streaming+Expressions
bin/post (and SimplePostTool in -Dauto=yes mode) now sends rather than skips files without a known content type, as "application/octet-stream", provided it still is in the allowed filetypes setting.
HDFS transaction log replication factor is now configurable
A cluster-wide property can now be added/edited/deleted using the zkcli script and doesn't require a running Solr instance.
New spatial RptWithGeometrySpatialField, based on CompositeSpatialStrategy, which blends RPT indexes for speed with serialized geometry for accuracy. Includes a Lucene segment based in-memory shape cache.
Refactored Admin UI using AngularJS. It isn't the default yet, but ships as a parallel UI in this release.
Solr has internally been upgraded to use Jetty 9.
Solr 5.2.0 also includes many other new features as well as numerous optimizations and bugfixes of the corresponding Apache Lucene release.
Also available is the Solr Reference Guide for Solr 5.2. This 591 page PDF serves as the definitive user's manual for Solr 5.2. It can be downloaded from the Apache mirror network: https://s.apache.org/Solr-Ref-Guide-PDF
The Lucene PMC is pleased to announce the availability of the Apache Solr Reference Guide for Solr 5.1.
This 578 page PDF is the definitive user's manual for Solr. For this version, we've updated the Guide for several new features and changes and given the PDF a bit of a facelift for easier reading.
The Guide can be downloaded from https://www.apache.org/dyn/closer.lua/lucene/solr/ref-guide/apache-solr-ref-guide-5.1.pdf.
The Lucene PMC is pleased to announce the release of Apache Solr 5.1.0.
Solr is the popular, blazing fast, open source NoSQL search platform from the Apache Lucene project. Its major features include powerful full-text search, hit highlighting, faceted search, dynamic clustering, database integration, rich document (e.g., Word, PDF) handling, and geospatial search. Solr is highly scalable, providing fault tolerant distributed search and indexing, and powers the search and navigation features of many of the world's largest internet sites.
Solr 5.1.0 is available for immediate download at: https://www.apache.org/dyn/closer.lua/lucene/solr/5.1.0
Solr 5.1.0 includes 39 new features, 40 bug fixes, and 36 optimizations / other changes from over 60 unique contributors.
See the CHANGES.txt file included with the release for a full list of details.
The Lucene PMC is pleased to announce the release of Apache Solr 4.10.4
Solr is the popular, blazing fast, open source NoSQL search platform from the Apache Lucene project. Its major features include powerful full-text search, hit highlighting, faceted search, dynamic clustering, database integration, rich document (e.g., Word, PDF) handling, and geospatial search. Solr is highly scalable, providing fault tolerant distributed search and indexing, and powers the search and navigation features of many of the world's largest internet sites.
Solr 4.10.4 is available for immediate download at: https://www.apache.org/dyn/closer.lua/lucene/solr/4.10.4
Solr 4.10.4 includes 24 bug fixes as well as Lucene 4.10.4 and its 13 bug fixes.
See the CHANGES.txt file included with the release for a full list of details.
Solr is the popular, blazing fast, open source NoSQL search platform from the Apache Lucene project. Its major features include powerful full-text search, hit highlighting, faceted search, dynamic clustering, database integration, rich document (e.g., Word, PDF) handling, and geospatial search. Solr is highly scalable, providing fault tolerant distributed search and indexing, and powers the search and navigation features of many of the world's largest internet sites.
Solr 5.0 is available for immediate download at: https://solr.apache.org/downloads.html
See the CHANGES.txt file included with the release for a full list of details.
Solr 5.0 Release Highlights:
Usability improvements that include improved bin scripts and new and restructured examples.
Scripts to support installing and running Solr as a service on Linux.
Distributed IDF is now supported and can be enabled via the config. Currently, there are four supported implementations for the same:
Solr will no longer ship a war file and instead be a downloadable application.
SolrJ now has first class support for Collections API.
Implicit registration of replication, get and admin handlers.
Config API that supports paramsets for easily configuring solr parameters and configuring fields. This API also supports managing of pre-existing request handlers and editing common solrconfig.xml via overlay.
API for managing blobs allows uploading request handler jars and registering them via config API.
BALANCESHARDUNIQUE Collection API that allows for even distribution of custom replica properties.
There's now an option to not shuffle the nodeSet provided during collection creation.
Option to configure bandwidth usage by Replication handler to prevent it from using up all the bandwidth.
Splitting of clusterstate to per-collection enables scalability improvement in SolrCloud. This is also the default format for new Collections that would be created going forward.
timeAllowed is now used to prematurely terminate requests during query expansion and SolrClient request retry.
pivot.facet results can now include nested stats.field results constrained by those pivots.
stats.field can be used to generate stats over the results of arbitrary numeric functions. It also allows for requesting for statistics for pivot facets using tags.
A new DateRangeField has been added for indexing date ranges, especially multi-valued ones.
Spatial fields that used to require units=degrees now take distanceUnits=degrees/kilometers/miles instead.
MoreLikeThis query parser allows requesting for documents similar to an existing document and also works in SolrCloud mode.
Logging improvements:
Solr 5.0 also includes many other new features as well as numerous optimizations and bugfixes of the corresponding Apache Lucene release.
Also available is the Solr Reference Guide for Solr 5.0. This 535 page PDF serves as the definitive user's manual for Solr 5.0. It can be downloaded from the Apache mirror network: https://s.apache.org/Solr-Ref-Guide-PDF
The Lucene PMC is pleased to announce the release of Apache Solr 4.10.3
Solr is the popular, blazing fast, open source NoSQL search platform from the Apache Lucene project. Its major features include powerful full-text search, hit highlighting, faceted search, dynamic clustering, database integration, rich document (e.g., Word, PDF) handling, and geospatial search. Solr is highly scalable, providing fault tolerant distributed search and indexing, and powers the search and navigation features of many of the world's largest internet sites.
Solr 4.10.3 is available for immediate download at: https://solr.apache.org/downloads.html
Solr 4.10.3 includes 21 bug fixes, 5 other changes, as well as Lucene 4.10.3 and its 12 bug fixes.
This release fixes the following security vulnerability that has affected Solr since the Solr 4.0 Alpha release.
CVE-2014-3628: Stored XSS vulnerability in Solr Admin UI.
Information disclosure: The Solr Admin UI Plugin / Stats page does not escape data values, which allows an attacker to execute JavaScript by executing a query that will be stored and displayed via the 'fieldvaluecache' object.
See the CHANGES.txt file included with the release for a full list of details, and Happy Holidays!
The Lucene PMC is pleased to announce the release of Apache Solr 4.10.2
Solr is the popular, blazing fast, open source NoSQL search platform from the Apache Lucene project. Its major features include powerful full-text search, hit highlighting, faceted search, dynamic clustering, database integration, rich document (e.g., Word, PDF) handling, and geospatial search. Solr is highly scalable, providing fault tolerant distributed search and indexing, and powers the search and navigation features of many of the world's largest internet sites.
Solr 4.10.2 is available for immediate download at: https://solr.apache.org/downloads.html
Solr 4.10.2 includes 10 bug fixes, as well as Lucene 4.10.2 and its 2 bug fixes.
See the CHANGES.txt file included with the release for a full list of details, and Happy Halloween!
The Lucene PMC is pleased to announce the release of Apache Solr 4.10.1
Solr is the popular, blazing fast, open source NoSQL search platform from the Apache Lucene project. Its major features include powerful full-text search, hit highlighting, faceted search, dynamic clustering, database integration, rich document (e.g., Word, PDF) handling, and geospatial search. Solr is highly scalable, providing fault tolerant distributed search and indexing, and powers the search and navigation features of many of the world's largest internet sites.
Solr 4.10.1 is available for immediate download at: https://solr.apache.org/downloads.html
Solr 4.10.1 includes 6 bug fixes, as well as Lucene 4.10.1 and its 7 bug fixes.
See the CHANGES.txt file included with the release for a full list of details.
The Lucene PMC is pleased to announce the release of Apache Solr 4.9.1
Solr is the popular, blazing fast, open source NoSQL search platform from the Apache Lucene project. Its major features include powerful full-text search, hit highlighting, faceted search, dynamic clustering, database integration, rich document (e.g., Word, PDF) handling, and geospatial search. Solr is highly scalable, providing fault tolerant distributed search and indexing, and powers the search and navigation features of many of the world's largest internet sites.
Solr 4.9.1 is available for immediate download at: https://solr.apache.org/downloads.html
Solr 4.9.1 includes 2 bug fixes, as well as Lucene 4.9.1 and its 7 bug fixes.
See the CHANGES.txt file included with the release for a full list of details.
The Lucene PMC is pleased to announce that there is a new version of the Solr Reference Guide for Solr 4.10.
The 511 page PDF serves as the definitive user's manual for Solr 4.10. It can be downloaded from the Apache mirror network: https://www.apache.org/dyn/closer.lua/lucene/solr/ref-guide/.
The Lucene PMC is pleased to announce the release of Apache Solr 4.10.0
Solr is the popular, blazing fast, open source NoSQL search platform from the Apache Lucene project. Its major features include powerful full-text search, hit highlighting, faceted search, dynamic clustering, database integration, rich document (e.g., Word, PDF) handling, and geospatial search. Solr is highly scalable, providing fault tolerant distributed search and indexing, and powers the search and navigation features of many of the world's largest internet sites.
Solr 4.10.0 is available for immediate download at: https://solr.apache.org/downloads.html
See the CHANGES.txt file included with the release for a full list of details.
Solr 4.10.0 Release Highlights:
This release upgrades Solr Cell's (contrib/extraction) dependency on Apache POI to mitigate 2 security vulnerabilities.
Scripts for starting, stopping, and running Solr examples
Distributed query support for facet.pivot
Interval Faceting for Doc Values fields
New "terms" QParser for efficiently filtering documents by a list of values
Apache Solr versions 4.8.0, 4.8.1, 4.9.0 bundle Apache POI 3.10-beta2 with their binary release tarball. This version (and all previous ones) of Apache POI is vulnerable to the following issues:
Information disclosure: Apache POI uses Java's XML components to parse OpenXML files produced by Microsoft Office products (DOCX, XLSX, PPTX,...). Applications that accept such files from end-users are vulnerable to XML External Entity (XXE) attacks, which allow remote attackers to bypass security restrictions and read arbitrary files via a crafted OpenXML document that provides an XML external entity declaration in conjunction with an entity reference.
Denial of service: Apache POI uses Java's XML components and Apache Xmlbeans to parse OpenXML files produced by Microsoft Office products (DOCX, XLSX, PPTX,...). Applications that accept such files from end-users are vulnerable to XML Entity Expansion (XEE) attacks ("XML bombs"), which allow remote attackers to consume large amounts of CPU resources.
The Apache POI PMC released a bugfix version (3.10.1) today.
Solr users are affected by these issues, if they enable the "Apache Solr Content Extraction Library (Solr Cell)" contrib module from the folder "contrib/extraction" of the release tarball.
Users of Apache Solr are strongly advised to keep the module disabled if they don't use it. Alternatively, users of Apache Solr 4.8.0, 4.8.1, or 4.9.0 can update the affected libraries by replacing the vulnerable JAR files in the distribution folder. Users of previous versions have to update their Solr release first; patching older versions is impossible.
Download the Apache POI 3.10.1 binary release.
Unzip the archive.
Delete the following files in your "solr-4.X.X/contrib/extraction/lib" folder:
Copy the following files from the base folder of the Apache POI distribution to the "solr-4.X.X/contrib/extraction/lib" folder:
Copy "xmlbeans-2.6.0.jar" from POI's "ooxml-lib/" folder to the "solr-4.X.X/contrib/extraction/lib" folder.
Verify that the "solr-4.X.X/contrib/extraction/lib" no longer contains any files with version number "3.10-beta2".
Verify that the folder contains one xmlbeans JAR file with version 2.6.0.
If you just want to disable extraction of Microsoft Office documents, delete the files above and don't replace them. "Solr Cell" will automatically detect this and disable Microsoft Office document extraction.
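The two "Verify that ..." steps of the procedure above, written up as an added shell check. This is not part of the Solr announcement or of the Solr project; it takes only the version strings "3.10-beta2" and "xmlbeans-2.6.0.jar" from the advisory, and the sample folder it builds for itself holds empty placeholder files with assumed POI artifact names, not real JARs.

```shell
#!/bin/sh
# Added example (not from the Solr announcement): a post-patch check for the
# contrib/extraction/lib folder, covering the two "Verify that ..." steps of
# the POI procedure. The only data taken from the advisory are the version
# strings "3.10-beta2" and "xmlbeans-2.6.0.jar".

# verify_solr_cell_lib DIR
# Returns 0 when DIR holds no file tagged 3.10-beta2 and exactly one xmlbeans
# JAR, which must be xmlbeans-2.6.0.jar; returns 1 with a reason on stderr
# otherwise.
verify_solr_cell_lib() {
    libdir="$1"
    if [ ! -d "$libdir" ]; then
        echo "FAIL: no such folder: $libdir" >&2
        return 1
    fi

    # Step 1: any leftover file from the vulnerable 3.10-beta2 build fails.
    stale=0
    for f in "$libdir"/*3.10-beta2*; do
        if [ -e "$f" ]; then stale=$((stale + 1)); fi
    done
    if [ "$stale" -ne 0 ]; then
        echo "FAIL: $stale file(s) still carry version 3.10-beta2 in $libdir" >&2
        return 1
    fi

    # Step 2: exactly one xmlbeans JAR, and it has to be the 2.6.0 one.
    beans=0
    for f in "$libdir"/xmlbeans-*.jar; do
        if [ -e "$f" ]; then beans=$((beans + 1)); fi
    done
    if [ "$beans" -ne 1 ] || [ ! -f "$libdir/xmlbeans-2.6.0.jar" ]; then
        echo "FAIL: expected exactly one xmlbeans JAR (2.6.0) in $libdir, found $beans" >&2
        return 1
    fi

    echo "OK: $libdir has no 3.10-beta2 files and a single xmlbeans-2.6.0.jar"
    return 0
}

# make_sample_lib DIR unpatched|patched
# Builds a constructed lib folder so the check can be exercised offline. The
# file names are assumptions for illustration (the advisory does not list the
# POI JARs it refers to); only the version strings come from the advisory.
make_sample_lib() {
    sdir="$1"
    state="$2"
    rm -rf "$sdir"
    mkdir -p "$sdir"
    if [ "$state" = "unpatched" ]; then
        : > "$sdir/poi-3.10-beta2.jar"         # constructed sample name
        : > "$sdir/poi-ooxml-3.10-beta2.jar"   # constructed sample name
        : > "$sdir/xmlbeans-2.3.0.jar"         # constructed sample name
    else
        : > "$sdir/poi-3.10.1.jar"             # constructed sample name
        : > "$sdir/poi-ooxml-3.10.1.jar"       # constructed sample name
        : > "$sdir/xmlbeans-2.6.0.jar"
    fi
}

# Usage against a real installation (path is a placeholder):
#   verify_solr_cell_lib /path/to/solr-4.X.X/contrib/extraction/lib
```

The check deliberately fails when more than one xmlbeans JAR is present, because a leftover older xmlbeans sitting next to the 2.6.0 one leaves the classpath ambiguous about which copy Solr Cell actually loads.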
Coming versions of Apache Solr will have the updated libraries bundled.
The Lucene PMC is pleased to announce that there is a new version of the Solr Reference Guide for Solr 4.9.
The 408 page PDF serves as the definitive user's manual for Solr 4.9. It can be downloaded from the Apache mirror network: https://www.apache.org/dyn/closer.lua/lucene/solr/ref-guide/.
The Lucene PMC is pleased to announce the release of Apache Solr 4.9.0
Solr is the popular, blazing fast, open source NoSQL search platform from the Apache Lucene project. Its major features include powerful full-text search, hit highlighting, faceted search, dynamic clustering, database integration, rich document (e.g., Word, PDF) handling, and geospatial search. Solr is highly scalable, providing fault tolerant distributed search and indexing, and powers the search and navigation features of many of the world's largest internet sites.
Solr 4.9.0 is available for immediate download at: https://solr.apache.org/downloads.html
See the CHANGES.txt file included with the release for a full list of details.
Solr 4.9.0 Release Highlights:
Numerous optimizations for doc values search-time performance
Allow a client application to request the minimum achieved replication factor for an update request (single or batch) by sending an optional parameter "min_rf".
Query re-ranking support with the new ReRankingQParserPlugin.
A new [child ...] DocTransformer for optionally including Block-Join descendant documents inline in the results of a search.
A new (default) Lucene49NormsFormat to better compress certain cases such as very short fields.
The Lucene PMC is pleased to announce the release of Apache Solr 4.8.1
Solr is the popular, blazing fast, open source NoSQL search platform from the Apache Lucene project. Its major features include powerful full-text search, hit highlighting, faceted search, dynamic clustering, database integration, rich document (e.g., Word, PDF) handling, and geospatial search. Solr is highly scalable, providing fault tolerant distributed search and indexing, and powers the search and navigation features of many of the world's largest internet sites.
Solr 4.8.1 is available for immediate download at: https://solr.apache.org/downloads.html
Solr 4.8.1 includes 10 bug fixes, as well as Lucene 4.8.1 and its bug fixes.
See the CHANGES.txt file included with the release for a full list of details.
The Lucene PMC is pleased to announce that there is a new version of the Solr Reference Guide available for Solr 4.8.
The 396 page PDF serves as the definitive user's manual for Solr 4.8. It can be downloaded from the Apache mirror network: https://www.apache.org/dyn/closer.lua/lucene/solr/ref-guide/
The Lucene PMC is pleased to announce the release of Apache Solr 4.8.0
Solr is the popular, blazing fast, open source NoSQL search platform from the Apache Lucene project. Its major features include powerful full-text search, hit highlighting, faceted search, dynamic clustering, database integration, rich document (e.g., Word, PDF) handling, and geospatial search. Solr is highly scalable, providing fault tolerant distributed search and indexing, and powers the search and navigation features of many of the world's largest internet sites.
Solr 4.8.0 is available for immediate download at: https://solr.apache.org/downloads.html
See the CHANGES.txt file included with the release for a full list of details.
Apache Solr now requires Java 7 or greater (recommended is Oracle Java 7 or OpenJDK 7, minimum update 55; earlier versions have known JVM bugs affecting Solr).
Apache Solr is fully compatible with Java 8.
<fields> and <types> tags have been deprecated from schema.xml. There is no longer any reason to keep them in the schema file; they may be safely removed. This allows intermixing of <fieldType>, <field> and <copyField> definitions if desired.
The new {!complexphrase} query parser supports wildcards, ORs etc. inside Phrase Queries.
New Collections API CLUSTERSTATUS action reports the status of collections, shards, and replicas, and also lists collection aliases and cluster properties.
Added managed synonym and stopword filter factories, which enable synonym and stopword lists to be dynamically managed via REST API.
JSON updates now support nested child documents, enabling {!child} and {!parent} block join queries.
Added ExpandComponent to expand results collapsed by the CollapsingQParserPlugin, as well as the parent/child relationship of nested child documents.
Long-running Collections API tasks can now be executed asynchronously; the new REQUESTSTATUS action provides status.
Added a hl.qparser parameter to allow you to define a query parser for hl.q highlight queries.
In Solr single-node mode, cores can now be created using named configsets.
New DocExpirationUpdateProcessorFactory supports computing an expiration date for documents from the "TTL" expression, as well as automatically deleting expired documents on a periodic basis.
Solr 4.8.0 also includes many other new features as well as numerous optimizations and bugfixes of the corresponding Apache Lucene release.
The Lucene PMC is pleased to announce the release of Apache Solr 4.7.2
Solr is the popular, blazing fast, open source NoSQL search platform from the Apache Lucene project. Its major features include powerful full-text search, hit highlighting, faceted search, dynamic clustering, database integration, rich document (e.g., Word, PDF) handling, and geospatial search. Solr is highly scalable, providing fault tolerant distributed search and indexing, and powers the search and navigation features of many of the world's largest internet sites.
Solr 4.7.2 is available for immediate download at: https://solr.apache.org/downloads.html
Solr 4.7.2 includes 2 bug fixes, as well as Lucene 4.7.2 and its bug fixes.
See the CHANGES.txt file included with the release for a full list of details.
The Lucene PMC is pleased to announce the release of Apache Solr 4.7.1
Solr is the popular, blazing fast, open source NoSQL search platform from the Apache Lucene project. Its major features include powerful full-text search, hit highlighting, faceted search, dynamic clustering, database integration, rich document (e.g., Word, PDF) handling, and geospatial search. Solr is highly scalable, providing fault tolerant distributed search and indexing, and powers the search and navigation features of many of the world's largest internet sites.
Solr 4.7.1 is available for immediate download at: https://solr.apache.org/downloads.html
Solr 4.7.1 includes 28 bug fixes and one new configuration setting, as well as Lucene 4.7.1 and its bug fixes.
See the CHANGES.txt file included with the release for a full list of details.
The Apache Solr committers voted, by a large majority, to require Java 7 for the next minor release of Apache Solr (version 4.8)!
The next release will also contain some improvements for Java 7:
Better file handling (especially on Windows) in the directory implementations. Files can now be deleted on Windows while the index is still open, as has always been possible on Unix environments (delete-on-last-close semantics).
Speed improvements in sorting comparators: Sorting now uses Java 7's own comparators for integer and long sorts, which are highly optimized by the Hotspot VM.
If you want to stay up-to-date with Lucene and Solr, you should upgrade your infrastructure to Java 7. Please be aware that you must use at least Java 7u1. The recommended version at the moment is Java 7u25. Later versions like 7u40, 7u45, ... have a bug causing index corruption. Ideally use the Java 7u60 prerelease, which has fixed this bug. Once 7u60 is out, it will be the recommended version. In addition, there is no Oracle/BEA JRockit available for Java 7 any more; use the official Oracle Java 7. JRockit never worked correctly with Lucene/Solr (causing index corruption), so this should not be an issue. Please also review our list of JVM bugs: http://wiki.apache.org/lucene-java/JavaBugs
EDIT (as of 15 April 2014): The recently released Java 7u55 fixes the above bug causing index corruption. This version is now the recommended version for running Apache Solr.
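As an added example (not part of this announcement and not the Solr project's own code), here is a POSIX shell preflight check that applies the JVM guidance from this post and from the Solr 4.8.0 release notes before a Solr 4.8 node is started: it accepts Java 7 at update 55 or later, or Java 8, and rejects everything else, including the 7u40 to 7u54 builds this post associates with index corruption and any Java 6 JVM, which Solr 4.8 no longer supports. The function names and the constructed version strings are assumptions of this example.

```shell
#!/bin/sh
# Added example, not Solr project code: preflight JVM check for Solr 4.8.
#
# solr_jvm_ok VERSION
#   VERSION is the quoted string printed by `java -version`, e.g. "1.7.0_55".
#   Returns 0 (true) when the JVM is one the Solr 4.8 notes consider safe:
#   Java 7 at update 55 or later, or Java 8 (or newer "1.x" scheme releases).
#   Returns 1 for Java 7 below update 55 (index-corruption bug fixed in 7u55),
#   for Java 6 and older (not supported by Solr 4.8), and for unparseable input.
solr_jvm_ok() {
    ver="$1"
    # Legacy "1.MAJOR.MINOR_UPDATE" scheme: pull out MAJOR and UPDATE.
    major=$(printf '%s' "$ver" | sed -n 's/^1\.\([0-9][0-9]*\)\..*/\1/p')
    update=$(printf '%s' "$ver" | sed -n 's/.*_\([0-9][0-9]*\).*/\1/p')
    [ -n "$major" ] || return 1      # not a "1.x" version string
    [ -n "$update" ] || update=0     # "1.7.0" with no update number counts as u0
    case "$major" in
        7) [ "$update" -ge 55 ] ;;   # 7u55+ only; 7u40..7u54 corrupt indexes
        *) [ "$major" -ge 8 ] ;;     # Java 8 is fully supported; Java 6 is not
    esac
}

# installed_java_version
#   Extracts the quoted version from `java -version`, which writes to stderr.
#   Handles both `java version "..."` and `openjdk version "..."` banners.
installed_java_version() {
    java -version 2>&1 | sed -n 's/^[a-z]* version "\([^"]*\)".*/\1/p' | head -n 1
}

# Stand-alone demo on constructed version strings (no JVM needed to run this):
for v in 1.7.0_55 1.8.0_05 1.7.0_45 1.7.0_25 1.6.0_45; do
    if solr_jvm_ok "$v"; then
        echo "$v: acceptable for Solr 4.8"
    else
        echo "$v: NOT acceptable for Solr 4.8"
    fi
done
```

To gate a real start script on the installed JVM, call `solr_jvm_ok "$(installed_java_version)" || exit 1` before launching Solr; the check is deliberately strict about Java 7 because the corruption bug is silent at runtime and only shows up later as an unreadable index.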
The Lucene PMC is pleased to announce that there is a new version of the Solr Reference Guide available for Solr 4.7.
The 395-page PDF serves as the definitive user's manual for Solr 4.7. It can be downloaded from the Apache mirror network: https://www.apache.org/dyn/closer.lua/lucene/solr/ref-guide/
The Lucene PMC is pleased to announce the release of Apache Solr 4.7
Solr is the popular, blazing fast, open source NoSQL search platform from the Apache Lucene project. Its major features include powerful full-text search, hit highlighting, faceted search, dynamic clustering, database integration, rich document (e.g., Word, PDF) handling, and geospatial search. Solr is highly scalable, providing fault tolerant distributed search and indexing, and powers the search and navigation features of many of the world's largest internet sites.
Solr 4.7 is available for immediate download at: https://solr.apache.org/mirrors-solr-latest-redir.html
See the CHANGES.txt file included with the release for a full list of details.
A new migrate collection API to split all documents with a route key into another collection.
Added support for tri-level compositeId routing.
Admin UI - Added a new Files conf directory browser/file viewer.
Add a QParserPlugin for Lucene's SimpleQueryParser.
Suggest improvements: a new SuggestComponent that fully utilizes the Lucene suggester module; queries can now use multiple suggesters; Lucene's FreeTextSuggester and BlendedInfixSuggester are now supported.
New cursorMark request param for efficient deep paging of sorted result sets. See http://s.apache.org/cursorpagination
Add a Solr contrib that allows for building Solr indexes via Hadoop's MapReduce.
Upgrade to Spatial4j 0.4. Various new options are now exposed automatically for an RPT field type. See Spatial4j CHANGES & javadocs. https://github.com/spatial4j/spatial4j/blob/master/CHANGES.md
SSL support for SolrCloud.
Solr 4.7 also includes many other new features as well as numerous optimizations and bugfixes.