lucene-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Shawn Heisey (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (SOLR-5998) Is Apache Solr 1.0 vulnerable to Heartbleed
Date Mon, 21 Apr 2014 04:55:15 GMT

    [ https://issues.apache.org/jira/browse/SOLR-5998?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13975387#comment-13975387
] 

Shawn Heisey commented on SOLR-5998:
------------------------------------

Solr itself contains no SSL code.  It runs in a servlet container (a java webserver).  A stripped-down
install of Jetty is included in the Solr example, but that is not set up with SSL by default.

Even if the user does enable SSL on the included example, Jetty will be using the Java SSL
implementation, which does not use OpenSSL at all.  It is not vulnerable to heartbleed.  If
the user is not using Jetty, they would need to check the particular servlet container they
are using for vulnerabilities.  I am reasonably sure that none of the available servlet containers
will be using OpenSSL.

Sometimes proxy software or hardware is used in front of Solr and SSL is configured there.
 That software and the operating system that it runs on may be vulnerable to heartbleed.

One final piece of information: We strongly recommend installing Solr someplace where it cannot
be reached directly from the open Internet.  SSL is not enough to prevent security issues.


> Is Apache Solr 1.0 vulnerable to Heartbleed
> -------------------------------------------
>
>                 Key: SOLR-5998
>                 URL: https://issues.apache.org/jira/browse/SOLR-5998
>             Project: Solr
>          Issue Type: Bug
>            Reporter: Lynn Clara
>
> What would to check whether if there is any documented info on whether Apache Solr 1.0
is vulnerable to Heartbleed? If so, any available fixes? thks



--
This message was sent by Atlassian JIRA
(v6.2#6252)

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@lucene.apache.org
For additional commands, e-mail: dev-help@lucene.apache.org


Mime
View raw message