Release Notes / Version 11.2310
The Solr configuration in all solrconfig.xml files has been changed for security reasons and now disables the /sql request handler. This handler was never used, but it was enabled implicitly in SolrCloud installations. You can ignore this release note if you don't use SolrCloud.
The Solr /sql handler is now disabled with the following line in all solrconfig.xml files:
<requestHandler name="/sql" class="solr.NotFoundRequestHandler"/>
If you are using SolrCloud, please make sure to add this line and upload the changed configuration to ZooKeeper. This avoids an XXE security vulnerability (CVE-2022-39135) that could be exploited if an attacker can send requests directly to Solr. Note that Solr should never be directly accessible from the public internet.
(CMS-22172)
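One way to confirm that every solrconfig.xml in a configuration directory carries the line above before uploading it to ZooKeeper. This is an added example, not part of the release or the product's tooling; the function names and the config set names "live", "preview" and "studio" in the constructed sample data are hypothetical.

```python
import os
import tempfile
import xml.etree.ElementTree as ET

DISABLED_CLASS = "solr.NotFoundRequestHandler"  # class named in the release note


def sql_handler_status(path):
    """Classify one solrconfig.xml: disabled, missing, overridden or unparseable."""
    try:
        root = ET.parse(path).getroot()
    except (ET.ParseError, OSError):
        return "unparseable"
    handlers = [h for h in root.iter("requestHandler") if h.get("name") == "/sql"]
    if not handlers:
        return "missing"      # no explicit entry: implicit /sql stays active in SolrCloud
    if all(h.get("class") == DISABLED_CLASS for h in handlers):
        return "disabled"
    return "overridden"       # /sql is declared, but with some other class


def audit(config_root):
    """Walk config_root and map each solrconfig.xml (relative path) to its status."""
    results = {}
    for dirpath, _dirs, files in os.walk(config_root):
        if "solrconfig.xml" in files:
            path = os.path.join(dirpath, "solrconfig.xml")
            results[os.path.relpath(path, config_root)] = sql_handler_status(path)
    return results


def build_sample_tree(root):
    """Write constructed sample config sets (not real project files) under root."""
    samples = {
        "live": '<config><requestHandler name="/sql" class="solr.NotFoundRequestHandler"/></config>',
        "preview": '<config><requestHandler name="/select" class="solr.SearchHandler"/></config>',
        "studio": '<config><requestHandler name="/sql" class="solr.SQLHandler"/></config>',
    }
    for name, xml in samples.items():
        os.makedirs(os.path.join(root, name, "conf"))
        with open(os.path.join(root, name, "conf", "solrconfig.xml"), "w") as fh:
            fh.write(xml)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for path, status in sorted(audit(tmp).items()):
            print(f"{status:12} {path}")
```

The check reads local files only, so run it on the directory you are about to upload or on a copy of the configuration downloaded from ZooKeeper. It does not follow XInclude references, so a handler declared in an included file is reported as "missing".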