Release Notes / Version 11.2301
Table Of Contents
The Solr configuration in all
solrconfig.xml
files has been changed for security reasons, and now disables the
/sql
request handler. This handler was never used but it was enabled implicitly in SolrCloud installations. You can ignore this release note, if you don't use SolrCloud.
The Solr
/sql
handler is now disabled with the following line in all
solrconfig.xml
files:
<requestHandler name="/sql" class="solr.NotFoundRequestHandler"/>
Please make sure to add this line and upload the changed configuration to Zookeeper, if you are using SolrCloud. This avoids an XXE security vulnerability (CVE-2022-39135) that could be exploited if an attacker can send requests directly to Solr. Note, that Solr should never be directly accessible from the public internet.
(CMS-22172)