Solr™ News

You may also read this news as an Atom feed.

1 September 2020, Apache Solr™ 8.6.2 available

The Lucene PMC is pleased to announce the release of Apache Solr 8.6.2.

Solr is the popular, blazing fast, open source NoSQL search platform from the Apache Lucene project. Its major features include powerful full-text search, hit highlighting, faceted search, dynamic clustering, database integration, rich document handling, and geospatial search. Solr is highly scalable, providing fault tolerant distributed search and indexing, and powers the search and navigation features of many of the world's largest internet sites.

Solr 8.6.2 is available for immediate download at:

https://lucene.apache.org/solr/downloads.html

Solr 8.6.2 Bug Fixes:

SOLR-14751: Zookeeper Admin screen not working for old ZK versions.

Please refer to the Upgrade Notes in the Solr Ref Guide for information on upgrading from previous Solr versions:

https://lucene.apache.org/solr/guide/8_6/solr-upgrade-notes.html

Please read CHANGES.txt for a full list of bugfixes:

https://lucene.apache.org/solr/8_6_2/changes/Changes.html

Solr 8.6.2 also includes bugfixes in the corresponding Apache Lucene release:

https://lucene.apache.org/core/8_6_2/changes/Changes.html

14 August 2020, CVE-2020-13941: Apache Solr information disclosure vulnerability

Severity: Medium

Versions Affected:

Before Solr 8.6. Some risks are specific to Windows.

Description: Reported in SOLR-14515 (private) and fixed in SOLR-14561 (public), released in Solr version 8.6.0. The Replication handler (https://lucene.apache.org/solr/guide/8_6/index-replication.html#http-api-commands-for-the-replicationhandler) allows the commands backup, restore and deleteBackup. Each of these takes a location parameter, which was not validated, i.e. you could read/write to any location the solr user can access.

On a Windows system, SMB paths such as \\10.0.0.99\share\folder may also be used, leading to:

- The possibility of restoring another SolrCore from a server on the network (or mounted remote file system), which may lead to:
  - Exposing search index data that the attacker should otherwise not have access to
  - Replacing the index data entirely by loading it from a remote file system that the attacker controls
- Launching SMB attacks, which may result in:
  - The exfiltration of sensitive data such as OS user hashes (NTLM/LM hashes)
  - In case of misconfigured systems, SMB Relay Attacks which can lead to user impersonation on SMB Shares or, in a worse-case scenario, Remote Code Execution

Mitigation: Upgrade to Solr 8.6, and/or ensure only trusted clients can make requests of Solr's replication handler.
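The defect above is an unvalidated location parameter. As an added illustration (not Solr's own code, and not the fix shipped in SOLR-14561), the following Python check shows the two properties a validated location needs: it must not be a UNC/SMB path, and after normalising any `..` segments it must stay inside an operator-chosen base directory. The allow-list `ALLOWED_BASES`, the function names and the sample requests are all constructed for this example.

```python
import os

# Constructed allow-list for the example: directories a backup/restore/deleteBackup
# command may use as its "location". Not a Solr setting; adapt to your deployment.
ALLOWED_BASES = ["/var/solr/backups"]


def is_unc_path(location: str) -> bool:
    """True for SMB/UNC-style paths (\\\\host\\share or //host/share)."""
    return location.startswith("\\\\") or location.startswith("//")


def validate_location(location: str, allowed_bases=ALLOWED_BASES) -> bool:
    """Accept `location` only if it is an absolute local path that, after
    normalising any '..' segments, stays inside one of the allowed bases.
    UNC paths are rejected outright, which closes the SMB vector the advisory
    describes; containment in the base closes the read/write-anywhere one."""
    if not location or is_unc_path(location):
        return False
    # Backslashes have no business in a backup directory name; rejecting them keeps
    # Windows-style UNC prefixes from slipping past the check above.
    if "\\" in location:
        return False
    normalised = os.path.normpath(location)
    if not os.path.isabs(normalised):
        return False
    for base in allowed_bases:
        base_norm = os.path.normpath(base)
        if normalised == base_norm or normalised.startswith(base_norm + os.sep):
            return True
    return False


def replication_request_allowed(params: dict) -> bool:
    """Gate for the three replication-handler commands that take a location.
    Other commands pass through unchanged; in this example a location-taking
    command without an explicit location is rejected rather than defaulted."""
    command = params.get("command", "").lower()
    if command in ("backup", "restore", "deletebackup"):
        return validate_location(params.get("location", ""))
    return True


if __name__ == "__main__":
    # Constructed sample requests: one legitimate, three that the check rejects.
    samples = [
        {"command": "backup", "location": "/var/solr/backups/nightly"},
        {"command": "restore", "location": "/var/solr/backups/../../../etc"},
        {"command": "restore", "location": "\\\\10.0.0.99\\share\\folder"},
        {"command": "deletebackup", "location": "//10.0.0.99/share/folder"},
    ]
    for p in samples:
        verdict = "allowed" if replication_request_allowed(p) else "rejected"
        print(p["location"], "->", verdict)
```

`os.path.normpath` only folds `..` lexically; if the base directory can contain symlinks, resolve both sides with `os.path.realpath` before the prefix comparison so a link inside the base cannot point outside it.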

Credit: Matei "Mal" Badanoiu

13 August 2020, Apache Solr™ 8.6.1 available

The Lucene PMC is pleased to announce the release of Apache Solr 8.6.1.

Solr is the popular, blazing fast, open source NoSQL search platform from the Apache Lucene project. Its major features include powerful full-text search, hit highlighting, faceted search, dynamic clustering, database integration, rich document handling, and geospatial search. Solr is highly scalable, providing fault tolerant distributed search and indexing, and powers the search and navigation features of many of the world's largest internet sites.

Solr 8.6.1 is available for immediate download at:

https://lucene.apache.org/solr/downloads.html

Solr 8.6.1 Release Highlights:

SOLR-14665: Revert SOLR-12845 adding of default autoscaling cluster policy, due to performance issues

SOLR-14671: Parsing dynamic ZK config sometimes cause NumberFormatException

Please refer to the Upgrade Notes in the Solr Ref Guide for information on upgrading from previous Solr versions:

https://lucene.apache.org/solr/guide/8_6/solr-upgrade-notes.html

Please read CHANGES.txt for a full list of bugfixes:

https://lucene.apache.org/solr/8_6_1/changes/Changes.html

Solr 8.6.1 also includes bugfixes in the corresponding Apache Lucene release:

https://lucene.apache.org/core/8_6_1/changes/Changes.html

15 July 2020, Apache Solr™ 8.6.0 available

The Lucene PMC is pleased to announce the release of Apache Solr 8.6.0.

Solr is the popular, blazing fast, open source NoSQL search platform from the Apache Lucene project. Its major features include powerful full-text search, hit highlighting, faceted search, dynamic clustering, database integration, rich document handling, and geospatial search. Solr is highly scalable, providing fault tolerant distributed search and indexing, and powers the search and navigation features of many of the world's largest internet sites.

Solr 8.6.0 is available for immediate download at:

https://lucene.apache.org/solr/downloads.html

Solr 8.6.0 Release Highlights:

Cross-Collection Join Queries: Join queries can now work cross-collection, even when sharded or when spanning nodes.

Search: Performance improvement for some types of queries when the exact hit count isn't needed, by using the BlockMax WAND algorithm.

Streaming Expression: Percentiles and standard deviation aggregations added to stats, facet and time series. Streaming expressions added to /export handler. Drill Streaming Expression for efficient and accurate high cardinality aggregation.

Package manager: Support for cluster (CoreContainer) level plugins.

Health Check: HealthCheckHandler can now require that all cores are healthy before returning OK.

Zookeeper read API: A read API at /api/cluster/zk/* to fetch raw ZK data and view contents of a ZK directory.

Admin UI: New panel with security info in admin UI's dashboard.

Query DSL: Support for {param:ref} and {bool: {excludeTags:""}}

Ref Guide: Major redesign of Solr's documentation.

Please read CHANGES.txt for a full list of new features and changes:

https://lucene.apache.org/solr/8_6_0/changes/Changes.html

Solr 8.6.0 also includes features, optimizations and bugfixes in the corresponding Apache Lucene release:

https://lucene.apache.org/core/8_6_0/changes/Changes.html

26 May 2020, Apache Solr™ 8.5.2 available

The Lucene PMC is pleased to announce the release of Apache Solr 8.5.2.

Solr is the popular, blazing fast, open source NoSQL search platform from the Apache Lucene project. Its major features include powerful full-text search, hit highlighting, faceted search, dynamic clustering, database integration, rich document handling, and geospatial search. Solr is highly scalable, providing fault tolerant distributed search and indexing, and powers the search and navigation features of many of the world's largest internet sites.

Solr 8.5.2 is available for immediate download at:

https://lucene.apache.org/solr/downloads.html

Solr 8.5.2 Bug Fixes:

SOLR-14411: Fix regression from SOLR-14359 (Admin UI 'Select an Option')

SOLR-14471: base replica selection strategy not applied to "last place" shards.preference matches

Please read CHANGES.txt for a full list of changes:

https://lucene.apache.org/solr/8_5_2/changes/Changes.html

Solr 8.5.2 also includes 1 bugfix in the corresponding Apache Lucene release:

https://lucene.apache.org/core/8_5_2/changes/Changes.html

28 April 2020, Apache Solr™ 7.7.3 available

The Lucene PMC is pleased to announce the release of Apache Solr 7.7.3.

Solr is the popular, blazing fast, open source NoSQL search platform from the Apache Lucene project. Its major features include powerful full-text search, hit highlighting, faceted search, dynamic clustering, database integration, rich document handling, and geospatial search. Solr is highly scalable, providing fault tolerant distributed search and indexing, and powers the search and navigation features of many of the world's largest internet sites.

Solr 7.7.3 is available for immediate download at:

https://lucene.apache.org/solr/downloads.html

Solr 7.7.3 Release Highlights:

SOLR-13779: Use the safe fork of simple-xml for clustering contrib

SOLR-13718: SPLITSHARD (async) with failures in underlying sub-operations can result in data loss

SOLR-12291: Premature reporting of a not-yet-finished async Collections API call as completed when the collection's replicas are collocated on at least one node

SOLR-13828: Improve ExecutePlanAction error handling

SOLR-13472: Forwarded requests should skip authorization on receiving nodes

SOLR-13793: HttpSolrCall now maintains internal request count (_forwardedCount) for remote queries and limits them to the number of replicas. This avoids making too many cascading calls to remote servers, which, if not restricted, can bring down nodes containing the said collection

SOLR-13971: Velocity response writer's resource loading now possible only through startup parameters. Also, removed velocity response writer from _default configset

SOLR-14025: VelocityResponseWriter has been hardened - only trusted configsets can render configset provided templates and rendering templates from request parameters has been removed.

SOLR-13158: DataImportHandler: Added enable.dih.dataConfigParam system property to toggle whether the dataConfig param is permitted

SOLR-14259: Fix javabin performance regression

Please read CHANGES.txt for a full list of changes:

https://lucene.apache.org/solr/7_7_3/changes/Changes.html

Solr 7.7.3 also includes bugfixes in the corresponding Apache Lucene release:

https://lucene.apache.org/core/7_7_3/changes/Changes.html

16 April 2020, Apache Solr™ 8.5.1 available

The Lucene PMC is pleased to announce the release of Apache Solr 8.5.1.

Solr is the popular, blazing fast, open source NoSQL search platform from the Apache Lucene project. Its major features include powerful full-text search, hit highlighting, faceted search and analytics, rich document parsing, geospatial search, extensive REST APIs as well as parallel SQL. Solr is enterprise grade, secure and highly scalable, providing fault tolerant distributed search and indexing, and powers the search and navigation features of many of the world's largest internet sites.

This release contains no change over 8.5.0 for Solr. The release is available for immediate download at:

https://lucene.apache.org/solr/downloads.html

Solr 8.5.1 also includes one bugfix in the corresponding Apache Lucene release:

https://lucene.apache.org/core/8_5_1/changes/Changes.html

24 March 2020, Apache Solr™ 8.5.0 available

The Lucene PMC is pleased to announce the release of Apache Solr 8.5.0.

Solr is the popular, blazing fast, open source NoSQL search platform from the Apache Lucene project. Its major features include powerful full-text search, hit highlighting, faceted search, dynamic clustering, database integration, rich document handling, and geospatial search. Solr is highly scalable, providing fault tolerant distributed search and indexing, and powers the search and navigation features of many of the world's largest internet sites.

Solr 8.5.0 is available for immediate download at:

https://lucene.apache.org/solr/downloads.html

Solr 8.5.0 Release Highlights:

A new queries property of the JSON Request API lets you declare queries in Query DSL format and refer to them by their names.

A new command line tool bin/postlogs allows you to index Solr logs into a Solr collection. This is helpful for log analysis and troubleshooting. Documentation is not yet integrated into the Solr Reference Guide, but is available in a branch via GitHub: https://github.com/apache/lucene-solr/blob/visual-guide/solr/solr-ref-guide/src/logs.adoc.

A new stream decorator delete() is available to help solve some issues with traditional delete-by-query, which can be expensive in large indexes.

Solr now has the ability to run with a Java Security Manager enabled.

Please read CHANGES.txt for a full list of changes:

https://lucene.apache.org/solr/8_5_0/changes/Changes.html

Solr 8.5.0 also includes improvements and bugfixes in the corresponding Apache Lucene release:

https://lucene.apache.org/core/8_5_0/changes/Changes.html

13 January 2020, Apache Solr™ 8.4.1 available

The Lucene PMC is pleased to announce the release of Apache Solr 8.4.1.

Solr is the popular, blazing fast, open source NoSQL search platform from the Apache Lucene project. Its major features include powerful full-text search, hit highlighting, faceted search, dynamic clustering, database integration, rich document handling, and geospatial search. Solr is highly scalable, providing fault tolerant distributed search and indexing, and powers the search and navigation features of many of the world's largest internet sites.

Solr 8.4.1 is available for immediate download at:

https://lucene.apache.org/solr/downloads.html

Solr 8.4.1 Release Highlights:

Fix for overseer serialization to support rolling upgrade (broken since 8.4)

Fix for SSL support with SOLR_SSL_NEED_CLIENT_AUTH (broken since 8.2)

Package manager to store public keys in a special "trusted" location instead of in ZooKeeper

Please read CHANGES.txt for a full list of changes:

https://lucene.apache.org/solr/8_4_1/changes/Changes.html

Solr 8.4.1 also includes bugfixes in the corresponding Apache Lucene release:

https://lucene.apache.org/core/8_4_1/changes/Changes.html

30 December 2019, CVE-2019-17558: Apache Solr RCE through VelocityResponseWriter

Severity: High

Vendor:

The Apache Software Foundation

Versions Affected: 5.0.0 to 8.3.1

Description:

The affected versions are vulnerable to Remote Code Execution through the VelocityResponseWriter. A Velocity template can be provided through Velocity templates in a configset's velocity/ directory or as a parameter. A user-defined configset could contain renderable, potentially malicious, templates. Parameter-provided templates are disabled by default, but can be enabled by defining a response writer with params.resource.loader.enabled set to true. Defining a response writer requires configuration API access.

Solr 8.4 removed the params resource loader entirely, and only enables the configset-provided template rendering when the configset is trusted (has been uploaded by an authenticated user).

Mitigation:

Ensure your network settings are configured so that only trusted traffic communicates with Solr, especially to the configuration APIs.

Credit:

Github user s00py

References:

29 December 2019, Apache Solr™ 8.4.0 available

The Lucene PMC is pleased to announce the release of Apache Solr 8.4.0.

Solr is the popular, blazing fast, open source NoSQL search platform from the Apache Lucene project. Its major features include powerful full-text search, hit highlighting, faceted search, dynamic clustering, database integration, rich document handling, and geospatial search. Solr is highly scalable, providing fault tolerant distributed search and indexing, and powers the search and navigation features of many of the world's largest internet sites.

Solr 8.4.0 is available for immediate download at:

https://lucene.apache.org/solr/downloads.html

Solr 8.4.0 Release Highlights:

A new package management system was introduced in order to ease deploying plugins.

Better security with the out-of-the-box configuration.

A summary of important changes is published in the Solr Reference Guide at https://lucene.apache.org/solr/guide/8_4/solr-upgrade-notes.html.

Please read CHANGES.txt for a full list of new features and changes:

https://lucene.apache.org/solr/8_4_0/changes/Changes.html

Solr 8.4.0 also includes features, optimizations and bugfixes in the corresponding Apache Lucene release:

https://lucene.apache.org/core/8_4_0/changes/Changes.html

3 December 2019, Apache Solr™ 8.3.1 available

The Lucene PMC is pleased to announce the release of Apache Solr 8.3.1.

Solr is the popular, blazing fast, open source NoSQL search platform from the Apache Lucene project. Its major features include powerful full-text search, hit highlighting, faceted search, dynamic clustering, database integration, rich document handling, and geospatial search. Solr is highly scalable, providing fault tolerant distributed search and indexing, and powers the search and navigation features of many of the world's largest internet sites.

Solr 8.3.1 is available for immediate download at:

https://lucene.apache.org/solr/downloads.html

Solr 8.3.1 Release Highlights:

JavaBinCodec has concurrent modification of CharArr resulting in corrupt internode updates

findRequestType in AuditEvent is more robust

CoreContainer.auditloggerPlugin is volatile now

Velocity response writer's resource loading now possible only through startup parameters

Please read CHANGES.txt for a full list of changes:

https://lucene.apache.org/solr/8_3_1/changes/Changes.html

Solr 8.3.1 also includes bugfixes in the corresponding Apache Lucene release:

https://lucene.apache.org/core/8_3_1/changes/Changes.html

18 November 2019, CVE-2019-12409: Apache Solr RCE vulnerability due to bad config default

Severity: High

Vendor:

The Apache Software Foundation

Versions Affected:

Solr 8.1.1 and 8.2.0 for Linux

Description:

The 8.1.1 and 8.2.0 releases of Apache Solr contain an insecure setting for the ENABLE_REMOTE_JMX_OPTS configuration option in the default solr.in.sh configuration file shipping with Solr.

Windows users are not affected.

If you use the default solr.in.sh file from the affected releases, then JMX monitoring will be enabled and exposed on RMI_PORT (default=18983), without any authentication. If this port is opened for inbound traffic in your firewall, then anyone with network access to your Solr nodes will be able to access JMX, which may in turn allow them to upload malicious code for execution on the Solr server.

The vulnerability is already public [1] and mitigation steps were announced on project mailing lists and news page [3] on August 14th, without mentioning RCE at that time.

Mitigation:

Make sure your effective solr.in.sh file has ENABLE_REMOTE_JMX_OPTS set to 'false' on every Solr node and then restart Solr. Note that the effective solr.in.sh file may reside in /etc/defaults/ or another location depending on the install. You can then validate that the 'com.sun.management.jmxremote*' family of properties are not listed in the "Java Properties" section of the Solr Admin UI, or configured in a secure way.

There is no need to upgrade or update any code.

Remember to follow the Solr Documentation's advice to never expose Solr nodes directly in a hostile network environment.

Credit:

Matei "Mal" Badanoiu

Solr JIRA user 'jnyryan' (John)

References:

[1] https://issues.apache.org/jira/browse/SOLR-13647

[3] https://lucene.apache.org/solr/news.html

2 November 2019, Apache Solr™ 8.3.0 available

The Lucene PMC is pleased to announce the release of Apache Solr 8.3.0.

Solr is the popular, blazing fast, open source NoSQL search platform from the Apache Lucene project. Its major features include powerful full-text search, hit highlighting, faceted search, dynamic clustering, database integration, rich document handling, and geospatial search. Solr is highly scalable, providing fault tolerant distributed search and indexing, and powers the search and navigation features of many of the world's largest internet sites.

Solr 8.3.0 is available for immediate download at:

https://lucene.apache.org/solr/downloads.html

Solr 8.3.0 Release Highlights:

Two dimensional routed aliases are now available for organizing collections based on the data values of two fields

SPLITSHARD implements a new splitByPrefix option that takes into account the actual document distribution when using compositeIds

QueryElevationComponent can have query rules configured with match="subset" wherein the words need only match a subset of the query's words and in any order

Command line option to export documents to a file

Support deterministic replica routing preferences for better cache usage

Ability to query aliases in Solr Admin UI

JWTAuthPlugin supports multiple JWKS endpoints and multiple IdP issuers

JSON faceting now supports arbitrary ranges for range facets

Support integral plots, cosine distance and string truncation with math expressions (Joel Bernstein)

New cat() stream source to create tuples from lines in local files

Add upper, lower, trim and split Stream Evaluators

Add CsvStream, TsvStream Streaming Expressions and supporting Stream Evaluators

Add CaffeineCache, an efficient implementation of SolrCache

Live SPLITSHARD can lose updates due to cluster state change between checking if the current shard is active and later checking if there are any sub-shard leaders to forward the update to

Fix for SPLITSHARD (async) with failures in underlying sub-operations can result in data loss

Allow dynamic resizing of SolrCache-s

Allow optional redaction of data saved by 'bin/solr autoscaling -save'

Optimized large managed schema modifications (internal O(n^2) problem)

Max idle time support for SolrCache implementations

Add Prometheus Exporter GC and Heap options

SSL: Added config for enabling/disabling the client's hostname verification

Introducing SolrClient.ping(collection) in SolrJ

Fix for CDCR bootstrap not replicating index to the replicas of target cluster

Fixed a race condition when initializing metrics for new security plugins on security.json change

Fixed JWTAuthPlugin to update metrics prior to continuing w/other filters or returning error

Fixed distributed grouping when multiple 'fl' params are specified

JMX MBeans are not exposed because of race condition between creating platform mbean server and registering mbeans

Fix for class-cast issues during atomic-update 'removeregex' operations

Fix for multi-node race condition to create/remove nodeLost markers

Fix for too many cascading calls to remote servers, which can bring down nodes

Fix for MOVEREPLICA ignoring replica type and always adding 'nrt' replicas

Fix: DistributedZkUpdateProcessor should propagate URP.finish() lifecycle (regression since 8.1)

Please read CHANGES.txt for a full list of new features and changes:

https://lucene.apache.org/solr/8_3_0/changes/Changes.html

Solr 8.3.0 also includes features, optimizations and bugfixes in the corresponding Apache Lucene release:

https://lucene.apache.org/core/8_3_0/changes/Changes.html

9 September 2019, CVE-2019-12401: XML Bomb in Apache Solr versions prior to 5.0

Severity: Medium

Vendor:

The Apache Software Foundation

Versions Affected:

1.3.0 to 1.4.1

3.1.0 to 3.6.2

4.0.0 to 4.10.4

Description:

Solr versions prior to 5.0.0 are vulnerable to an XML resource consumption attack (a.k.a. Lol Bomb) via its update handler. By leveraging XML DOCTYPE and ENTITY type elements, the attacker can create a pattern that will expand when the server parses the XML, causing OOMs.

Mitigation:

Upgrade to Apache Solr 5.0 or later.

Ensure your network settings are configured so that only trusted traffic is allowed to post documents to the running Solr instances.
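The advisory's root cause is entity expansion during parsing of the update body. The following Python example, added here and not code from Solr, shows the parser-side defence: an expat parser whose entity-declaration handler aborts the parse before any expansion can occur, so a DOCTYPE with ENTITY declarations is refused while an ordinary `<add><doc>` body is parsed. The document shape, field names and the two sample inputs are constructed for the example.

```python
import xml.parsers.expat


class EntityDeclarationError(ValueError):
    """Raised when an update document declares an entity: the construct an
    entity-expansion ("lol bomb") payload relies on."""


def parse_update_xml(data: bytes) -> list:
    """Parse a Solr-style <add><doc><field name="..">..</field></doc></add> body
    and return the documents as a list of dicts. Any entity declaration, internal
    or external, aborts the parse before expansion can happen."""
    parser = xml.parsers.expat.ParserCreate()
    # Never fetch or parse parameter entities / external DTD subsets.
    parser.SetParamEntityParsing(xml.parsers.expat.XML_PARAM_ENTITY_PARSING_NEVER)

    docs, current, field_name, text = [], None, None, []

    def entity_decl(*_args):
        # Called for every <!ENTITY ...> declaration; refusing here means the
        # expansion pattern is never built, however deeply it nests.
        raise EntityDeclarationError("entity declarations are not permitted in update requests")

    def start(name, attrs):
        nonlocal current, field_name
        if name == "doc":
            current = {}
        elif name == "field" and current is not None:
            field_name = attrs.get("name")
            text.clear()

    def chars(s):
        # Character data may arrive in several chunks; collect and join on </field>.
        if field_name is not None:
            text.append(s)

    def end(name):
        nonlocal current, field_name
        if name == "field" and current is not None and field_name:
            current[field_name] = "".join(text)
            field_name = None
        elif name == "doc" and current is not None:
            docs.append(current)
            current = None

    parser.EntityDeclHandler = entity_decl
    parser.StartElementHandler = start
    parser.CharacterDataHandler = chars
    parser.EndElementHandler = end
    parser.Parse(data, True)
    return docs


def rejects_entities(data: bytes) -> bool:
    """True if the hardened parser refuses `data` because it declares entities."""
    try:
        parse_update_xml(data)
    except EntityDeclarationError:
        return True
    return False


# Constructed sample inputs: an ordinary update body and a two-level nested-entity
# document of the shape the advisory describes, kept tiny on purpose.
CLEAN_UPDATE = b'<add><doc><field name="id">1</field><field name="title">hello</field></doc></add>'
ENTITY_UPDATE = (b'<?xml version="1.0"?><!DOCTYPE add [<!ENTITY a "aa"><!ENTITY b "&a;&a;">]>'
                 b'<add><doc><field name="id">&b;</field></doc></add>')

if __name__ == "__main__":
    print(parse_update_xml(CLEAN_UPDATE))
    print("entity document rejected:", rejects_entities(ENTITY_UPDATE))
```

Refusing all entity declarations is stricter than limiting expansion depth, but update requests have no legitimate need for a DTD, so the stricter rule costs nothing and also removes external-entity (XXE) fetches from the same code path.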

Credit:

Matei "Mal" Badanoiu

References:

14 August 2019, [ANNOUNCE] 8.1.1 and 8.2.0 users check ENABLE_REMOTE_JMX_OPTS setting

Severity: Low

Versions Affected: 8.1.1 and 8.2.0 for Linux

Description: It has been discovered [1] that the 8.1.1 and 8.2.0 releases contain a bad default setting for the ENABLE_REMOTE_JMX_OPTS setting in the default solr.in.sh file shipping with Solr. Windows users and users with custom solr.in.sh files are not affected. If you are using the default solr.in.sh file from the affected releases, then JMX monitoring will be enabled and exposed on JMX_PORT (default=18983), without any authentication. So if your firewall allows inbound traffic on JMX_PORT, then anyone with network access to your Solr nodes will be able to access monitoring data exposed over JMX.

Mitigation: Edit solr.in.sh, set ENABLE_REMOTE_JMX_OPTS=false and restart Solr. Alternatively wait for the future 8.3.0 release and upgrade.

References: [1] https://issues.apache.org/jira/browse/SOLR-13647
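Both this announcement and the CVE-2019-12409 advisory above give the same two checks: confirm the effective ENABLE_REMOTE_JMX_OPTS value in solr.in.sh, then confirm the running JVM does not list com.sun.management.jmxremote* properties (the "Java Properties" section of the Admin UI). The Python below is an added audit helper, not Solr's own tooling; it applies shell assignment semantics (last uncommented assignment wins) to the file text and inspects a properties dict of the kind the Admin UI shows. The sample file contents and property values are constructed, and treating an unset variable as "not enabled" is an assumption of this example.

```python
import re
from typing import Optional

# Matches an uncommented assignment such as ENABLE_REMOTE_JMX_OPTS="true",
# ENABLE_REMOTE_JMX_OPTS=false or export ENABLE_REMOTE_JMX_OPTS='true'.
_JMX_ASSIGNMENT = re.compile(
    r"""^\s*(?:export\s+)?ENABLE_REMOTE_JMX_OPTS=\s*["']?([^"'#\s]*)"""
)


def effective_jmx_setting(solr_in_sh: str) -> Optional[str]:
    """Return the value of the last uncommented ENABLE_REMOTE_JMX_OPTS assignment
    in a solr.in.sh, or None when the variable is never set. Shell semantics:
    the last assignment wins, and '#'-prefixed lines are comments."""
    value = None
    for line in solr_in_sh.splitlines():
        m = _JMX_ASSIGNMENT.match(line)
        if m:
            value = m.group(1)
    return value


def remote_jmx_enabled(solr_in_sh: str) -> bool:
    """True when the file would enable the unauthenticated remote JMX endpoint.
    Assumption of this example: an unset variable counts as 'false'."""
    value = effective_jmx_setting(solr_in_sh)
    return value is not None and value.lower() == "true"


def jmx_property_findings(java_properties: dict) -> list:
    """Second check from the advisory: the JVM system properties (what the Admin UI
    'Java Properties' panel shows) should not list com.sun.management.jmxremote*
    unless configured securely. Returns human-readable findings, empty when clean."""
    findings = []
    jmx = {k: v for k, v in java_properties.items()
           if k.startswith("com.sun.management.jmxremote")}
    if not jmx:
        return findings
    findings.append("remote JMX properties present: " + ", ".join(sorted(jmx)))
    if jmx.get("com.sun.management.jmxremote.authenticate", "").lower() == "false":
        findings.append("JMX authentication disabled")
    if jmx.get("com.sun.management.jmxremote.ssl", "").lower() == "false":
        findings.append("JMX SSL disabled")
    return findings


# Constructed sample of the relevant lines from an affected default solr.in.sh.
AFFECTED_SOLR_IN_SH = """\
# Remote JMX settings (constructed sample, not the shipped file)
ENABLE_REMOTE_JMX_OPTS="true"
RMI_PORT=18983
"""

# Constructed sample after the mitigation: an appended override wins because the
# last assignment in a shell script is the effective one.
FIXED_SOLR_IN_SH = AFFECTED_SOLR_IN_SH + 'ENABLE_REMOTE_JMX_OPTS="false"\n'

# Constructed sample of Java system properties an affected node might show.
AFFECTED_JAVA_PROPERTIES = {
    "com.sun.management.jmxremote": "",
    "com.sun.management.jmxremote.port": "18983",
    "com.sun.management.jmxremote.authenticate": "false",
    "com.sun.management.jmxremote.ssl": "false",
    "solr.install.dir": "/opt/solr",
}

if __name__ == "__main__":
    print("affected file enables JMX:", remote_jmx_enabled(AFFECTED_SOLR_IN_SH))
    print("fixed file enables JMX:", remote_jmx_enabled(FIXED_SOLR_IN_SH))
    for finding in jmx_property_findings(AFFECTED_JAVA_PROPERTIES):
        print("finding:", finding)
```

Run the file check against the solr.in.sh the start script actually reads (the advisory notes it may live in /etc/defaults/ or elsewhere), and run the properties check against a live node, since a stale file on disk says nothing about the JVM that is currently listening.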

31 July 2019, CVE-2019-0193: Apache Solr, Remote Code Execution via DataImportHandler

Severity: High

Vendor:

The Apache Software Foundation

Versions Affected:

5.0.0 to 5.5.5

6.0.0 to 6.6.5

Description:

The DataImportHandler, an optional but popular module to pull in data from databases and other sources, has a feature in which the whole DIH configuration can come from a request's "dataConfig" parameter. The debug mode of the DIH admin screen uses this to allow convenient debugging / development of a DIH config. Since a DIH config can contain scripts, this parameter is a security risk. Starting with version 8.2.0 of Solr, use of this parameter requires setting the Java System property enable.dih.dataConfigParam to true.

Mitigation:

Upgrade to 8.2.0 or later, which is secure by default.

or, edit solrconfig.xml to configure all DataImportHandler usages with an "invariants" section listing the "dataConfig" parameter set to an empty string.

Ensure your network settings are configured so that only trusted traffic communicates with Solr, especially to the DIH request handler. This is a best practice for all of Solr.
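The configuration-side mitigations on this page are both expressed in solrconfig.xml: the "invariants" entry that pins dataConfig to the empty string for every DataImportHandler (this advisory), and not defining a VelocityResponseWriter with params.resource.loader.enabled set to true (the CVE-2019-17558 advisory above). The Python below is an added audit example, not part of Solr, that scans a solrconfig.xml for both conditions. The embedded solrconfig.xml excerpt is constructed for the example and shows one open DIH handler next to the hardened form the mitigation describes; the class names follow the usual solrconfig conventions.

```python
import xml.etree.ElementTree as ET


def audit_solrconfig(solrconfig_xml: str) -> list:
    """Scan a solrconfig.xml for the two risky configurations the advisories
    describe and return (component name, finding) tuples:
      * a DataImportHandler without an 'invariants' entry pinning dataConfig to
        the empty string (so the request parameter cannot supply a config);
      * a VelocityResponseWriter with params.resource.loader.enabled=true
        (templates supplied through request parameters)."""
    root = ET.fromstring(solrconfig_xml)
    findings = []

    for handler in root.iter("requestHandler"):
        if not handler.get("class", "").endswith("DataImportHandler"):
            continue
        invariant = handler.find("./lst[@name='invariants']/str[@name='dataConfig']")
        # A self-closing <str/> has text None; that still counts as the empty string.
        if invariant is None or (invariant.text or "").strip() != "":
            findings.append((handler.get("name"),
                             "DataImportHandler accepts the dataConfig request parameter"))

    for writer in root.iter("queryResponseWriter"):
        if not writer.get("class", "").endswith("VelocityResponseWriter"):
            continue
        flag = writer.find("./bool[@name='params.resource.loader.enabled']")
        # Absent flag means the (safe) default; only an explicit true is a finding.
        if flag is not None and (flag.text or "").strip().lower() == "true":
            findings.append((writer.get("name"),
                             "VelocityResponseWriter renders templates from request parameters"))
    return findings


# Constructed solrconfig.xml excerpt: one DIH handler left open, one hardened with
# the invariant the advisory recommends, and a Velocity writer with the parameter
# resource loader switched on.
SAMPLE_SOLRCONFIG = """\
<config>
  <requestHandler name="/dataimport"
                  class="org.apache.solr.handler.dataimport.DataImportHandler">
    <lst name="defaults">
      <str name="config">db-data-config.xml</str>
    </lst>
  </requestHandler>

  <requestHandler name="/dataimport-hardened"
                  class="org.apache.solr.handler.dataimport.DataImportHandler">
    <lst name="defaults">
      <str name="config">db-data-config.xml</str>
    </lst>
    <lst name="invariants">
      <str name="dataConfig"></str>
    </lst>
  </requestHandler>

  <queryResponseWriter name="velocity" class="solr.VelocityResponseWriter" startup="lazy">
    <bool name="params.resource.loader.enabled">true</bool>
  </queryResponseWriter>
</config>
"""

if __name__ == "__main__":
    for component, finding in audit_solrconfig(SAMPLE_SOLRCONFIG):
        print(f"{component}: {finding}")
```

Because invariants override whatever a request supplies, the empty-string pin is the configuration-level equivalent of the enable.dih.dataConfigParam system property that 8.2.0 introduced; the audit is useful on versions where upgrading is not yet possible and on upgraded nodes that still carry old configsets.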

Credit:

Michael Stepankin (JPMorgan Chase)

References:

26 July 2019, Apache Solr™ 8.2.0 available

The Lucene PMC is pleased to announce the release of Apache Solr 8.2.0.

Solr is the popular, blazing fast, open source NoSQL search platform from the Apache Lucene project. Its major features include powerful full-text search, hit highlighting, faceted search, dynamic clustering, database integration, rich document (e.g., Word, PDF) handling, and geospatial search. Solr is highly scalable, providing fault tolerant distributed search and indexing, and powers the search and navigation features of many of the world's largest internet sites.

Solr 8.2.0 is available for immediate download at: https://lucene.apache.org/solr/downloads.html

Please read CHANGES.txt for a full list of new features and changes:

https://lucene.apache.org/solr/8_2_0/changes/Changes.html

Solr 8.2.0 Release Highlights

New features

Add an update param failOnVersionConflicts=false so that updates do not fail when there is a version conflict

Add facet2D Streaming Expression.

Preferred replicas on nodes with same system properties as the query master

OpenTracing support for Solr

Raw index data analysis tool (extension of COLSTATUS collection command).

Add recNum Stream Evaluator.

Allow zplot to visualize 2D clusters and convex hulls.

Add a field type for Estonian language to default managed_schema, document about Estonian language analysis in Solr Ref Guide

Bug Fixes

Intermittent 401's for internode requests with basicauth enabled.

In 8.1, Atomic Updates were broken (NPE) when the schema declared the new nest_path field even if you weren't using nested docs. In-place updates were not affected (worked)

Fix atomic update encoding issue for UUID, enum, bool, and binary fields.

Impossible to delete a collection with the same name as an existing alias. This also fixes a bug in REINDEXCOLLECTION when used with removeSource=true which could lead to data loss.

Solr 8.2.0 also includes many other new features as well as numerous optimizations and bugfixes of the corresponding Apache Lucene release:

https://lucene.apache.org/core/8_2_0/changes/Changes.html

4 June 2019, Apache Solr™ 7.7.2 available

The Lucene PMC is pleased to announce the release of Apache Solr 7.7.2.

Solr is the popular, blazing fast, open source NoSQL search platform from the Apache Lucene project. Its major features include powerful full-text search, hit highlighting, faceted search, dynamic clustering, database integration, rich document handling, and geospatial search. Solr is highly scalable, providing fault tolerant distributed search and indexing, and powers the search and navigation features of many of the world's largest internet sites.

Solr 7.7.2 is available for immediate download at:

https://lucene.apache.org/solr/downloads.html

Solr 7.7.2 Release Highlights:

High CPU usage in Solr due to Java 8 bug (SOLR-13349)

Multiplicative query boost in certain conditions not applied (SOLR-13126)

In-place updates sometimes fail if the schema has a required field (SOLR-11876)

Admin UI inaccessible with RuleBasedAuthorizationPlugin (SOLR-13344)

MetricsHistoryHandler does not work with BasicAuth (SOLR-12860)

ByteArrayUtf8CharSequence cannot be cast to java.lang.String (SOLR-13285)

Please read CHANGES.txt for a full list of changes:

https://lucene.apache.org/solr/7_7_2/changes/Changes.html

Solr 7.7.2 also includes bugfixes in the corresponding Apache Lucene release:

https://lucene.apache.org/core/7_7_2/changes/Changes.html

28 May 2019, Apache Solr™ 8.1.1 available

The Lucene PMC is pleased to announce the release of Apache Solr 8.1.1.

Solr is the popular, blazing fast, open source NoSQL search platform from the Apache Lucene project. Its major features include powerful full-text search, hit highlighting, faceted search, dynamic clustering, database integration, rich document (e.g., Word, PDF) handling, and geospatial search. Solr is highly scalable, providing fault tolerant distributed search and indexing, and powers the search and navigation features of many of the world's largest internet sites.

Solr 8.1.1 is available for immediate download at: https://lucene.apache.org/solr/downloads.html

Please read CHANGES.txt for a full list of new features and changes:

https://lucene.apache.org/solr/8_1_1/changes/Changes.html

Solr 8.1.1 Release Highlights

Fix for a Null Pointer Exception when querying collection through collection alias.

16 May 2019, Apache Solr™ 8.1.0 available

The Lucene PMC is pleased to announce the release of Apache Solr 8.1.0.

Solr is the popular, blazing fast, open source NoSQL search platform from the Apache Lucene project. Its major features include powerful full-text search, hit highlighting, faceted search, dynamic clustering, database integration, rich document (e.g., Word, PDF) handling, and geospatial search. Solr is highly scalable, providing fault tolerant distributed search and indexing, and powers the search and navigation features of many of the world's largest internet sites.

Solr 8.1.0 is available for immediate download at: https://lucene.apache.org/solr/downloads.html

Please read CHANGES.txt for a full list of new features and changes:

https://lucene.apache.org/solr/8_1_0/changes/Changes.html

Solr 8.1.0 Release Highlights

Partial/Atomic Updates for nested documents. This enables atomic updates for nested documents, without the need to supply the whole nested hierarchy (which would be overwritten if absent).

Category Routed Aliases feature introduced for data driven assignment of documents to collections based on values of a field

JWT Token authentication plugin with OpenID Connect implicit flow login through Admin UI

REINDEXCOLLECTION command for re-indexing of existing collections

Collection RENAME command and support using aliases in most collection admin commands

Read-only mode for SolrCloud collections

Solr 8.1.0 also includes many other new features as well as numerous optimizations and bugfixes of the corresponding Apache Lucene release:

https://lucene.apache.org/core/8_1_0/changes/Changes.html

5 April 2019, Apache Solr™ 6.6.6 available

The Lucene PMC is pleased to announce the release of Apache Solr 6.6.6.

Solr is the popular, blazing fast, open source NoSQL search platform from the Apache Lucene project. Its major features include powerful full-text search, hit highlighting, faceted search and analytics, rich document parsing, geospatial search, extensive REST APIs as well as parallel SQL. Solr is enterprise grade, secure and highly scalable, providing fault tolerant distributed search and indexing, and powers the search and navigation features of many of the world's largest internet sites.

Solr 6.6.6 is available for immediate download at:

http://archive.apache.org/dist/lucene/solr/6.6.6

Please read CHANGES.txt for a full list of new features and changes:

https://lucene.apache.org/solr/6_6_6/changes/Changes.html

Solr 6.6.6 Release Highlights:

Fix memory leak (upon collection reload or ZooKeeper session expiry) in ZkIndexSchemaReader.

Fix for Rule-based Authorization skipping authorization if the querying node does not host the collection

(CVE-2017-3164) Make it possible to configure a host whitelist for distributed search

14 March 2019, Apache Solr™ 8.0.0 available ¶

The Lucene PMC is pleased to announce the release of Apache Solr 8.0.0

Solr is the popular, blazing fast, open source NoSQL search platform from the Apache Lucene project. Its major features include powerful full-text search, hit highlighting, faceted search, dynamic clustering, database integration, rich document (e.g., Word, PDF) handling, and geospatial search. Solr is highly scalable, providing fault tolerant distributed search and indexing, and powers the search and navigation features of many of the world's largest internet sites.

Solr 8.0.0 is available for immediate download at: https://lucene.apache.org/solr/downloads.html

Please read CHANGES.txt for a full list of new features and changes:

https://lucene.apache.org/solr/8_0_0/changes/Changes.html

Solr 8.0.0 Release Highlights

Solr now uses HTTP/2 for inter-node communication to attain greater efficiency. Details: Solr is switching from Apache HttpClient to Jetty Client to add HTTP/2 support. The most frequent inter-node communication, such as indexing and queries, is now sent over HTTP/2. HTTP/1.1 practically allows only one outstanding request per TCP connection, which means that sending multiple requests at the same time requires multiple TCP connections. This wastes resources on both sides and leads to long GC pauses. Solr 8 with HTTP/2 support overcomes that problem by allowing multiple requests to be sent in parallel over the same TCP connection.

Nested documents (AKA child documents or block join) is significantly improved. Most improvements come from storing and leveraging more information about the relationships in the index, like the named relationship between a child and its parent. This information is used by the [child] doc transformer to return children in nested form instead of flat. There is plenty more that can be done with this in the future. Another key improvement is that nested documents can be deleted or replaced in a natural way without orphaning child documents; although care is still needed with delete-by-query.

Being a major release, Solr 8 removes many deprecated APIs, changes various parameter defaults and behavior. Some changes may require a re-index of your content. You are thus encouraged to thoroughly read the "Upgrade Notes" at:

https://lucene.apache.org/solr/8_0_0/changes/Changes.html

Solr 8.0 also includes many other new features as well as numerous optimizations and bugfixes of the corresponding Apache Lucene release:

https://lucene.apache.org/core/8_0_0/changes/Changes.html

11 March 2019, Apache Solr Reference Guide 7.7 available ¶

The Lucene PMC is pleased to announce that the Solr Reference Guide for 7.7 is now available. This 1,431-page PDF is the definitive guide to using Apache Solr, the search server built on Lucene.

The PDF Guide can be downloaded from: https://www.apache.org/dyn/closer.cgi/lucene/solr/ref-guide/apache-solr-ref-guide-7.7.pdf. It is also available online at https://lucene.apache.org/solr/guide/7_7.

6 March 2019, CVE-2019-0192: Deserialization of untrusted data via jmx.serviceUrl in Apache Solr ¶

Severity: High

Vendor:

The Apache Software Foundation

Versions Affected:

5.0.0 to 5.5.5

6.0.0 to 6.6.5

Description:

The ConfigAPI allows Solr's JMX server to be configured via an HTTP POST request. By pointing it at a malicious RMI server, an attacker could take advantage of Solr's unsafe deserialization to trigger remote code execution on the Solr side.

Mitigation:

Any of the following are enough to prevent this vulnerability:

Upgrade to Apache Solr 7.0 or later.

Disable the ConfigAPI if it is not in use, by running Solr with the system property "disable.configEdit=true"

If upgrading or disabling the Config API are not viable options, apply the patch in [1] and re-compile Solr.

Ensure your network settings are configured so that only trusted traffic is allowed to ingress/egress your hosts running Solr.

Credit:

Michael Stepankin

References:

1 March 2019, Apache Solr™ 7.7.1 available ¶

The Lucene PMC is pleased to announce the release of Apache Solr 7.7.1

Solr is the popular, blazing fast, open source NoSQL search platform from the Apache Lucene project. Its major features include powerful full-text search, hit highlighting, faceted search, dynamic clustering, database integration, rich document (e.g., Word, PDF) handling, and geospatial search. Solr is highly scalable, providing fault tolerant distributed search and indexing, and powers the search and navigation features of many of the world's largest internet sites.

Solr 7.7.1 is available for immediate download at: https://lucene.apache.org/solr/downloads.html

Please read CHANGES.txt for a full list of new features and changes:

https://lucene.apache.org/solr/7_7_1/changes/Changes.html

Solr 7.7.1 Release Highlights:

Bugfix for a ClassCastException when update request processors (URPs) try to read a String field that returns a ByteArrayUtf8CharSequence (a regression in release 7.7.0).

Bugfix: Autoscaling-based replica placement was broken out of the box. Solr 7.6 enabled autoscaling-based replica placement by default, but in the absence of default cluster policies, autoscaling can place more than one replica of the same shard on the same node. Also, maxShardsPerNode and createNodeSet were not respected. For these reasons, this release reverts the default replica placement policy to the 'legacy' assignment policy that was the default until Solr 7.5.

12 February 2019, CVE-2017-3164: SSRF issue in Apache Solr ¶

Severity: High

Vendor:

The Apache Software Foundation

Versions Affected: Apache Solr versions from 1.3 to 7.6.0

Description:

The "shards" parameter does not have a corresponding whitelist mechanism, so it can request any URL.

Mitigation:

Upgrade to Apache Solr 7.7.0 or later. Ensure your network settings are configured so that only trusted traffic is allowed to ingress/egress your hosts running Solr.
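As an added illustration, not Solr's own code, the following Python models the host whitelist that Solr 7.7 introduced for distributed search: every host named in a shards parameter is checked against a configured set before a node forwards anything. The shard-list syntax (comma-separated shards, |-separated replicas, optional scheme) follows Solr's documented format; the allowlist and the shards values are constructed sample inputs.

```python
"""Allowlist check for the Solr "shards" request parameter.

Added illustrative example, not Solr's own implementation. It models the
host whitelist introduced in Solr 7.7: every host named in a "shards"
value must be in a configured set, or the request is rejected before any
outbound connection is opened.
"""
from urllib.parse import urlsplit

# Constructed sample allowlist: the host:port pairs of this cluster's nodes.
ALLOWED_SHARD_HOSTS = {"solr1.internal:8983", "solr2.internal:8983"}


def parse_shards(shards_param: str) -> list[str]:
    """Split a "shards" value into individual shard URLs.

    Solr separates shards with "," and alternative replicas of one shard
    with "|"; an entry may omit the scheme (host:port/path).
    """
    entries = []
    for shard in shards_param.split(","):
        for replica in shard.split("|"):
            replica = replica.strip()
            if replica:
                entries.append(replica)
    return entries


def shard_host(shard_url: str) -> str:
    """Return the normalised (lower-case) host:port of one shard entry."""
    if "://" not in shard_url:
        shard_url = "http://" + shard_url  # scheme-less entries are plain HTTP
    parts = urlsplit(shard_url)
    if not parts.hostname:
        raise ValueError(f"shard entry has no host: {shard_url!r}")
    port = parts.port or (443 if parts.scheme == "https" else 80)
    return f"{parts.hostname}:{port}"


def disallowed_shard_hosts(shards_param: str, allowed: set[str] = ALLOWED_SHARD_HOSTS) -> list[str]:
    """Return every host in the shards value that is not allowlisted.

    An empty result means the request may be forwarded. A non-empty result
    is what a node should turn into an HTTP 4xx rejection and what a
    detection rule can log: a legitimate client has no reason to name
    hosts outside the cluster.
    """
    return [h for h in map(shard_host, parse_shards(shards_param)) if h not in allowed]


if __name__ == "__main__":
    ok = "solr1.internal:8983/solr/c1,solr2.internal:8983/solr/c1"
    bad = "solr1.internal:8983/solr/c1|127.0.0.1:9200/solr/c1"
    print("ok  ->", disallowed_shard_hosts(ok))
    print("bad ->", disallowed_shard_hosts(bad))
```

The check keys on host:port rather than host alone so that a cluster node's name cannot be reused with a different port to reach another service on the same machine.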

Credit:

dk from Chaitin Tech

References:

11 February 2019, Apache Solr™ 7.7.0 available ¶

The Lucene PMC is pleased to announce the release of Apache Solr 7.7.0

Solr is the popular, blazing fast, open source NoSQL search platform from the Apache Lucene project. Its major features include powerful full-text search, hit highlighting, faceted search, dynamic clustering, database integration, rich document (e.g., Word, PDF) handling, and geospatial search. Solr is highly scalable, providing fault tolerant distributed search and indexing, and powers the search and navigation features of many of the world's largest internet sites.

Solr 7.7.0 is available for immediate download at: https://lucene.apache.org/solr/downloads.html

Please read CHANGES.txt for a full list of new features and changes:

https://lucene.apache.org/solr/7_7_0/changes/Changes.html

Solr 7.7.0 Release Highlights:

URI Too Long with large streaming expressions in SolrJ.

A failure while reloading a SolrCore can result in the SolrCore not being closed.

Spellcheck parameters not working in new UI.

New Admin UI Query does not URL-encode the query produced in the URL box.

Rule-based Authorization plugin skips authorization if querying node does not have collection replica.

Solr installer fails on SuSE linux.

Fix incorrect SOLR_SSL_KEYSTORE_TYPE variable in solr start script.

JSON 'terms' Faceting now supports a 'prelim_sort' option to use when initially selecting the top ranking buckets, prior to the final 'sort' option used after refinement.

Add a login page to Admin UI, with initial support for Basic Auth and Kerberos.

New Node-level health check handler at /admin/info/healthcheck and /node/health paths that checks if the node is live, connected to zookeeper and not shutdown.

It is now possible to configure a host whitelist for distributed search.

14 December 2018, Apache Solr™ 7.6.0 available ¶

The Lucene PMC is pleased to announce the release of Apache Solr 7.6.0

Solr is the popular, blazing fast, open source NoSQL search platform from the Apache Lucene project. Its major features include powerful full-text search, hit highlighting, faceted search, dynamic clustering, database integration, rich document (e.g., Word, PDF) handling, and geospatial search. Solr is highly scalable, providing fault tolerant distributed search and indexing, and powers the search and navigation features of many of the world's largest internet sites.

Solr 7.6.0 is available for immediate download at: https://lucene.apache.org/solr/downloads.html

Please read CHANGES.txt for a full list of new features and changes:

https://lucene.apache.org/solr/7_6_0/changes/Changes.html

Solr 7.6.0 Release Highlights:

Field and FieldType now support a new uninvertible option to control using the costly field cache or the more efficient docValues.

Collections API has been improved to support adding multiple replicas to a collection shard at a time as well as splitting into multiple sub-shards directly.

Autoscaling's suggestions API now include rebalance options as well as suggestions to add new replicas for lost replicas.

Several new Stream Evaluators have been added to include: oscillate, convexHull, enclosingDisk, pairSort, log10, percentiles, and pivot for geometric and scientific analysis.

UnifiedHighlighter has been improved to support best/perfect highlighting accuracy and full phrase highlighting.

24 September 2018, Apache Solr™ 7.5.0 available ¶

The Lucene PMC is pleased to announce the release of Apache Solr 7.5.0

Solr is the popular, blazing fast, open source NoSQL search platform from the Apache Lucene project. Its major features include powerful full-text search, hit highlighting, faceted search, dynamic clustering, database integration, rich document (e.g., Word, PDF) handling, and geospatial search. Solr is highly scalable, providing fault tolerant distributed search and indexing, and powers the search and navigation features of many of the world's largest internet sites.

Solr 7.5.0 is available for immediate download at: https://lucene.apache.org/solr/downloads.html

Please read CHANGES.txt for a full list of new features and changes:

https://lucene.apache.org/solr/7_5_0/changes/Changes.html

Solr 7.5.0 Release Highlights:

Nested/child documents may now be supplied as a field value instead of stand-off. Future releases will leverage this semantic information.

Enhance Autoscaling policy support to equally distribute replicas on the basis of arbitrary properties.

Nodes are now visible inside a view of the Admin UI "Cloud" tab, listing nodes and key metrics.

The status of zookeeper ensemble is now accessible under the Admin UI Cloud tab.

The new Korean morphological analyzer ("nori") has been added to default distribution.

3 July 2018, Apache Solr™ 6.6.5 available ¶

The Lucene PMC is pleased to announce the release of Apache Solr 6.6.5

Solr is the popular, blazing fast, open source NoSQL search platform from the Apache Lucene project. Its major features include powerful full-text search, hit highlighting, faceted search and analytics, rich document parsing, geospatial search, extensive REST APIs as well as parallel SQL. Solr is enterprise grade, secure and highly scalable, providing fault tolerant distributed search and indexing, and powers the search and navigation features of many of the world's largest internet sites.

Solr 6.6.5 is available for immediate download at:

http://archive.apache.org/dist/lucene/solr/6.6.5

Please read CHANGES.txt for a full list of new features and changes:

https://lucene.apache.org/solr/6_6_5/changes/Changes.html

Solr 6.6.5 Release Highlights:

Ability to disable configset upload via -Dconfigset.upload.enabled=false startup parameter

References to external resources in various config files are now disallowed

27 June 2018, Apache Solr™ 7.4.0 available ¶

The Lucene PMC is pleased to announce the release of Apache Solr 7.4.0

Solr is the popular, blazing fast, open source NoSQL search platform from the Apache Lucene project. Its major features include powerful full-text search, hit highlighting, faceted search and analytics, rich document parsing, geospatial search, extensive REST APIs as well as parallel SQL. Solr is enterprise grade, secure and highly scalable, providing fault tolerant distributed search and indexing, and powers the search and navigation features of many of the world's largest internet sites.

Solr 7.4.0 is available for immediate download at:

https://lucene.apache.org/solr/downloads.html

Please read CHANGES.txt for a full list of new features and changes:

https://lucene.apache.org/solr/7_4_0/changes/Changes.html

Solr 7.4.0 Release Highlights:

A new 'relatedness()' aggregate function for JSON Faceting to enable building Semantic Knowledge Graphs.

Added the TaggerRequestHandler (AKA SolrTextTagger) for tagging text. It's used as a component of NER/ERD systems including query-understanding.

The "Auto Scaling" feature area has been added to and enhanced a lot.

The "Streaming Expressions" feature area has been added to and enhanced a lot.

Upgraded from Log4j 1.x to 2.x. Solr continues to log via SLF4J.

18 May 2018, Apache Solr™ 6.6.4 available ¶

The Lucene PMC is pleased to announce the release of Apache Solr 6.6.4

Solr is the popular, blazing fast, open source NoSQL search platform from the Apache Lucene project. Its major features include powerful full-text search, hit highlighting, faceted search and analytics, rich document parsing, geospatial search, extensive REST APIs as well as parallel SQL. Solr is enterprise grade, secure and highly scalable, providing fault tolerant distributed search and indexing, and powers the search and navigation features of many of the world's largest internet sites.

This release includes a bug fix since the 6.6.3 release:

Disallow the use of absolute URIs for including other files in solrconfig.xml and schema parsing

The release is available for immediate download at:

https://www.apache.org/dyn/closer.lua/lucene/solr/6.6.4

Please read CHANGES.txt for a detailed list of changes:

https://lucene.apache.org/solr/6_6_4/changes/Changes.html

15 May 2018, Apache Solr™ 7.3.1 available ¶

The Lucene PMC is pleased to announce the release of Apache Solr 7.3.1

Solr is the popular, blazing fast, open source NoSQL search platform from the Apache Lucene project. Its major features include powerful full-text search, hit highlighting, faceted search and analytics, rich document parsing, geospatial search, extensive REST APIs as well as parallel SQL. Solr is enterprise grade, secure and highly scalable, providing fault tolerant distributed search and indexing, and powers the search and navigation features of many of the world's largest internet sites.

This release includes 9 bug fixes since the 7.3.0 release. Some of the major fixes are:

Upgrade commons-fileupload dependency to 1.3.3 to address CVE-2016-1000031

Deleting replicas sometimes fails and causes the replicas to exist in the down state

A successful restore collection should mark the shard state as active and not buffering

Disallow the use of absolute URIs for including other files in solrconfig.xml and schema parsing

Furthermore, this release includes Apache Lucene 7.3.1 which includes 1 bug fix since the 7.3.0 release.

The release is available for immediate download at:

https://www.apache.org/dyn/closer.lua/lucene/solr/7.3.1

Please read CHANGES.txt for a detailed list of changes:

https://lucene.apache.org/solr/7_3_1/changes/Changes.html

8 April 2018, CVE-2018-1308: XXE attack through Apache Solr's DIH's dataConfig request parameter ¶

Severity: Major

Vendor:

The Apache Software Foundation

Versions Affected:

Solr 1.2 to 6.6.2

Solr 7.0.0 to 7.2.1

Description:

The details of this vulnerability were reported to the Apache Security mailing list.

This vulnerability relates to an XML external entity expansion (XXE) in the &dataConfig=<inlinexml> parameter of Solr's DataImportHandler. It can be used as XXE using file/ftp/http protocols in order to read arbitrary local files from the Solr server or the internal network. See [1] for more details.

Mitigation:

Users are advised to upgrade to either the Solr 6.6.3 or the Solr 7.3.0 release, both of which address the vulnerability. Once the upgrade is complete, no other steps are required. Those releases disable external entities in anonymous XML files passed through this request parameter.

If users are unable to upgrade to Solr 6.6.3 or Solr 7.3.0, they are advised to disable the DataImportHandler in their solrconfig.xml file and restart their Solr instances. Alternatively, if Solr instances are only used locally without access to the public internet, the vulnerability cannot be used directly, so updating may not be required; instead, reverse proxies or Solr client applications should be guarded so that end users cannot inject dataConfig request parameters. Please refer to [2] on how to correctly secure Solr servers.

Credit:

麦 香浓郁

References:

[1] https://issues.apache.org/jira/browse/SOLR-11971

[2] https://wiki.apache.org/solr/SolrSecurity

4 April 2018, Apache Solr™ 7.3.0 available ¶

The Lucene PMC is pleased to announce the release of Apache Solr 7.3.0

Solr is the popular, blazing fast, open source NoSQL search platform from the Apache Lucene project. Its major features include powerful full-text search, hit highlighting, faceted search, dynamic clustering, database integration, rich document (e.g., Word, PDF) handling, and geospatial search. Solr is highly scalable, providing fault tolerant distributed search and indexing, and powers the search and navigation features of many of the world's largest internet sites.

Solr 7.3.0 is available for immediate download at:

https://lucene.apache.org/solr/mirrors-solr-latest-redir.html

Please read CHANGES.txt for a full list of new features and changes:

https://lucene.apache.org/solr/7_3_0/changes/Changes.html

Solr 7.3.0 Release Highlights:

OpenNLP request processors

Automatic time-based collection creation

Multivalued primitive fields can be used in sorting

SortableTextField allows sorting and faceting on free text

New stream evaluators

Improvements around leader-initiated recovery

New autoscaling features

A Prometheus metrics exporter

Filtering with exclusions on parent and child queries

Filtering with exclusions via a new query parser

Neural network modelling via learning to rank

Solr runs with Java 10

The Apache Solr Reference Guide for 7.3 is also available in PDF form or online.

7 March 2018, Apache Solr™ 6.6.3 available ¶

The Lucene PMC is pleased to announce the release of Apache Solr 6.6.3.

Solr is the popular, blazing fast, open source NoSQL search platform from the Apache Lucene project. Its major features include powerful full-text search, hit highlighting, faceted search and analytics, rich document parsing, geospatial search, extensive REST APIs as well as parallel SQL. Solr is enterprise grade, secure and highly scalable, providing fault tolerant distributed search and indexing, and powers the search and navigation features of many of the world's largest internet sites.

This release contains three bugfixes:

Disallow reference to external resources in DataImportHandler's dataConfig request parameter

Allow collections created with legacyCloud=true to be opened if legacyCloud=false

LeaderInitiatedRecoveryThread now retries on UnknownHostException

The release is available for immediate download at:

https://lucene.apache.org/solr/mirrors-solr-redir.html

Please read CHANGES.txt for a detailed list of changes:

https://lucene.apache.org/solr/6_6_3/changes/Changes.html

15 January 2018, Apache Solr™ 7.2.1 available ¶

The Lucene PMC is pleased to announce the release of Apache Solr 7.2.1

Solr is the popular, blazing fast, open source NoSQL search platform from the Apache Lucene project. Its major features include powerful full-text search, hit highlighting, faceted search and analytics, rich document parsing, geospatial search, extensive REST APIs as well as parallel SQL. Solr is enterprise grade, secure and highly scalable, providing fault tolerant distributed search and indexing, and powers the search and navigation features of many of the world's largest internet sites.

This release includes 3 bug fixes since the 7.2.0 release:

Overseer can never process some last messages.

Rename core in solr standalone mode is not persisted.

QueryComponent's rq parameter parsing no longer considers the defType parameter.

Fix NPE in SolrQueryParser when the query terms inside a filter clause reduce to nothing.

Furthermore, this release includes Apache Lucene 7.2.1 which includes 1 bug fix since the 7.2.0 release.

The release is available for immediate download at:

https://www.apache.org/dyn/closer.lua/lucene/solr/7.2.1

Please read CHANGES.txt for a detailed list of changes:

https://lucene.apache.org/solr/7_2_1/changes/Changes.html

21 December 2017, Apache Solr™ 7.2.0 available ¶

The Lucene PMC is pleased to announce the release of Apache Solr 7.2.0

Solr is the popular, blazing fast, open source NoSQL search platform from the Apache Lucene project. Its major features include powerful full-text search, hit highlighting, faceted search, dynamic clustering, database integration, rich document (e.g., Word, PDF) handling, and geospatial search. Solr is highly scalable, providing fault tolerant distributed search and indexing, and powers the search and navigation features of many of the world's largest internet sites.

Solr 7.2.0 is available for immediate download at:

https://lucene.apache.org/solr/mirrors-solr-latest-redir.html

Please read CHANGES.txt for a full list of new features and changes:

https://lucene.apache.org/solr/7_2_0/changes/Changes.html

Solr 7.2.0 Release Highlights:

Bi-directional syncing of CDCR clusters is now supported.

The new synonymQueryStyle field type option allows for better scoring when terms at the same position are hyponyms/hypernyms rather than synonyms.

More stream evaluators, including: matrix operations; spline; derivative; regression; normalization; scaling; correlation; markov chains; time series differencing; and triangular and geometric distributions.

The new facet.matches parameter returns facet buckets only for terms that match a regular expression.

New Autoscaling features: the autoscaling/suggestions API end-point; the UTILIZENODE command, which moves replicas according to autoscaling policies and preferences; and the Autoscaling set-property command.

2 November 2017, Apache Solr Reference Guide for 7.1 available ¶

The Lucene PMC is pleased to announce that the Solr Reference Guide for 7.1 is now available.

This 1,077-page PDF is the definitive guide to using Apache Solr, the search server built on Lucene.

The PDF Guide can be downloaded from: https://www.apache.org/dyn/closer.cgi/lucene/solr/ref-guide/apache-solr-ref-guide-7.1.pdf.

It is also available online at https://lucene.apache.org/solr/guide/7_1.

26 October 2017, CVE-2016-6809: Java code execution for serialized objects embedded in MATLAB files parsed by Apache Solr using Tika ¶

Severity: Important

Vendor:

The Apache Software Foundation

Versions Affected:

Solr 5.0.0 to 5.5.4

Solr 6.0.0 to 6.6.1

Solr 7.0.0 to 7.0.1

Description:

Apache Solr uses Apache Tika for parsing binary file types such as doc, xls, pdf etc. Apache Tika wraps the jmatio parser (https://github.com/gradusnikov/jmatio) to handle MATLAB files. The parser uses native deserialization on serialized Java objects embedded in MATLAB files. A malicious user could inject arbitrary code into a MATLAB file that would be executed when the object is deserialized.

This vulnerability was originally described at http://mail-archives.apache.org/mod_mbox/tika-user/201611.mbox/%3C2125912914.1308916.1478787314903%40mail.yahoo.com%3E

Mitigation:

Users are advised to upgrade to either Solr 5.5.5 or Solr 6.6.2 or Solr 7.1.0 releases which have fixed this vulnerability.

Solr 5.5.5 upgrades the jmatio parser to v1.2 and disables the Java deserialisation support to protect against this vulnerability.

Solr 6.6.2 and Solr 7.1.0 have upgraded the bundled Tika to v1.16.

Once upgrade is complete, no other steps are required.

References:

24 October 2017, Apache Solr™ 5.5.5 available ¶

The Lucene PMC is pleased to announce the release of Apache Solr 5.5.5.

Solr is the popular, blazing fast, open source NoSQL search platform from the Apache Lucene project. Its major features include powerful full-text search, hit highlighting, faceted search and analytics, rich document parsing, geospatial search, extensive REST APIs as well as parallel SQL. Solr is enterprise grade, secure and highly scalable, providing fault tolerant distributed search and indexing, and powers the search and navigation features of many of the world's largest internet sites.

This release contains one bugfix.

This release includes one critical and one important security fix. Details:

Fix for a 0-day exploit (CVE-2017-12629), details: https://s.apache.org/FJDl. RunExecutableListener has been disabled by default (can be enabled by -Dsolr.enableRunExecutableListener=true) and resolving external entities in the XML query parser (defType=xmlparser or {!xmlparser ... }) is disabled by default.

Fix for CVE-2017-7660: Security Vulnerability in secure inter-node communication in Apache Solr, details: https://s.apache.org/APTY

Furthermore, this release includes Apache Lucene 5.5.5 which includes one security fix since the 5.5.4 release.

The release is available for immediate download at:

https://www.apache.org/dyn/closer.lua/lucene/solr/5.5.5

Please read CHANGES.txt for a detailed list of changes:

https://lucene.apache.org/solr/5_5_5/changes/Changes.html

18 October 2017, Apache Solr™ 6.6.2 available ¶

The Lucene PMC is pleased to announce the release of Apache Solr 6.6.2

Solr is the popular, blazing fast, open source NoSQL search platform from the Apache Lucene project. Its major features include powerful full-text search, hit highlighting, faceted search and analytics, rich document parsing, geospatial search, extensive REST APIs as well as parallel SQL. Solr is enterprise grade, secure and highly scalable, providing fault tolerant distributed search and indexing, and powers the search and navigation features of many of the world's largest internet sites.

Highlights for this Solr release include:

Critical security fix: Fix for a 0-day exploit (CVE-2017-12629), details: https://s.apache.org/FJDl. RunExecutableListener has been disabled by default (can be enabled by -Dsolr.enableRunExecutableListener=true) and resolving external entities in the XML query parser (defType=xmlparser or {!xmlparser ... }) is disabled by default.

Fix for a bug where Solr was attempting to load the same core twice (Error message: "Lock held by this virtual machine").

The release is available for immediate download at:

https://www.apache.org/dyn/closer.lua/lucene/solr/6.6.2

Please read CHANGES.txt for a detailed list of changes:

https://lucene.apache.org/solr/6_6_2/changes/Changes.html

18 October 2017, Several critical vulnerabilities discovered in Apache Solr (XXE & RCE) ¶

Severity:

Critical

Vendor:

The Apache Software Foundation

Versions Affected:

Solr 5.5.0 to 5.5.4

Solr 6.0.0 to 6.6.1

Solr 7.0.0 to 7.0.1

Description:

The details of this vulnerability were reported on public mailing lists. See https://s.apache.org/FJDl

The first vulnerability relates to XML external entity expansion in the XML Query Parser, which is available by default for any query request with the parameter defType=xmlparser. This can be exploited to upload malicious data to the /upload request handler. It can also be used as a blind XXE using the ftp wrapper in order to read arbitrary local files from the Solr server.

The second vulnerability relates to remote code execution using the RunExecutableListener available on all affected versions of Solr.

At the time of the above report, this was a 0-day vulnerability with a working exploit affecting the versions of Solr mentioned in the previous section. However, mitigation steps were announced to protect Solr users the same day. See https://lucene.apache.org/solr/news.html#12-october-2017-please-secure-your-apache-solr-servers-since-a-zero-day-exploit-has-been-reported-on-a-public-mailing-list

Mitigation:

Users are advised to upgrade to either Solr 6.6.2 or Solr 7.1.0 releases both of which address the two vulnerabilities. Once upgrade is complete, no other steps are required.

If users are unable to upgrade to Solr 6.6.2 or Solr 7.1.0, they are advised to restart their Solr instances with the system parameter -Ddisable.configEdit=true. This will disallow any changes to your configurations via the Config API. This is a key factor in this vulnerability, since the Config API allows GET requests to add the RunExecutableListener to your config. Users are also advised to re-map the XML Query Parser to another parser to mitigate the XXE vulnerability. For example, adding the following to the solrconfig.xml file re-maps the xmlparser to the edismax parser: <queryParser name="xmlparser" class="solr.ExtendedDismaxQParserPlugin"/>

Credit:

Michael Stepankin (JPMorgan Chase)

Olga Barinova (Gotham Digital Science)

References:

17 October 2017, Apache Solr™ 7.1.0 available ¶

The Lucene PMC is pleased to announce the release of Apache Solr 7.1.0

Solr is the popular, blazing fast, open source NoSQL search platform from the Apache Lucene project. Its major features include powerful full-text search, hit highlighting, faceted search, dynamic clustering, database integration, rich document (e.g., Word, PDF) handling, and geospatial search. Solr is highly scalable, providing fault tolerant distributed search and indexing, and powers the search and navigation features of many of the world's largest internet sites.

The release is available for immediate download at:

https://www.apache.org/dyn/closer.lua/lucene/solr/7.1.0

Please read CHANGES.txt for a full list of new features and changes:

https://lucene.apache.org/solr/7_1_0/changes/Changes.html

Highlights for this Solr release include:

Critical Security Update: Fix for CVE-2017-12629 which is a working 0-day exploit reported on the public mailing list.

Auto-scaling: Solr can now move replicas automatically when a new node is added or an existing node is removed using the auto scaling policy framework introduced in 7.0

Auto-scaling: The 'autoAddReplicas' feature which was limited to shared file systems is now available for all file systems. It has been ported to use the new autoscaling framework internally.

Auto-scaling: New set-trigger, remove-trigger, set-listener, remove-listener, suspend-trigger, resume-trigger APIs

Auto-scaling: New /autoscaling/history API to show past autoscaling actions and cluster events

New JSON based Query DSL for Solr that extends JSON Request API to also support all query parsers and their nested parameters

JSON Facet API: min/max aggregations are now supported on single-valued date fields

Lucene's Geo3D (surface of sphere & ellipsoid) is now supported on spatial RPT fields by setting spatialContextFactory="Geo3D". Furthermore, this is the first time Solr has out of the box support for polygons

Expanded support for statistical stream evaluators such as various distributions, rank correlations, distances and more.

Multiple other optimizations and bug fixes

You are encouraged to thoroughly read the "Upgrade Notes" at https://lucene.apache.org/solr/7_1_0/changes/Changes.html or in the CHANGES.txt file accompanying the release.

Solr 7.1 also includes many other new features as well as numerous optimizations and bugfixes of the corresponding Apache Lucene release.

12 October 2017, Please secure your Apache Solr servers since a zero-day exploit has been reported on a public mailing list ¶

Please secure your Solr servers since a zero-day exploit has been reported on a public mailing list. This has been assigned a public CVE (CVE-2017-12629) which we will reference in future communication about resolution and mitigation steps.

Here is what we're recommending and what we're doing now:

Until fixes are available, all Solr users are advised to restart their Solr instances with the system property -Ddisable.configEdit=true. This disallows any changes to configurations via the Config API, which is a key factor in this vulnerability: the API allows GET requests to add the RunExecutableListener to the config. This is sufficient to protect you from this type of attack, but means you cannot use the edit capabilities of the Config API until the other fixes described below are in place. Users are also advised to remap the XML Query Parser to another parser to mitigate the XXE vulnerability. For example, adding the following to the solrconfig.xml file maps the xmlparser to the edismax parser: <queryParser name="xmlparser" class="solr.ExtendedDismaxQParserPlugin"/>.

A new release of Lucene/Solr was in the vote phase, but we have now pulled it back to be able to address these issues in the upcoming 7.1 release. We will also determine mitigation steps for users on earlier versions, which may include a 6.6.2 release for users still on 6.x.

The RunExecutableListener will be removed in 7.1. It was previously used by Solr for index replication but has been replaced and is no longer needed.

The XML Parser will be fixed and the fixes will be included in the 7.1 release.

The 7.1 release was already slated to include a change to disable the stream.body parameter by default, which will further help protect systems.
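As an added example (not part of this advisory or of the Solr project), the Python script below audits a solrconfig.xml and the JVM options Solr was started with for the three interim mitigations above: Config API edits disabled, no RunExecutableListener configured, and the xmlparser name remapped away from the XML query parser. The stock parser class name solr.XmlQParserPlugin, the function name and the two sample configs are this example's own assumptions, not anything the advisory states.

```python
"""Audit a Solr 6.x / 7.0 deployment for the CVE-2017-12629 mitigations.

Added example; not code from the Solr project. Inputs are the text of
solrconfig.xml and the JVM options Solr was started with (e.g. SOLR_OPTS).
"""
import xml.etree.ElementTree as ET

# Assumption: the stock XML query parser is registered under this class name.
DEFAULT_XML_QPARSER = "solr.XmlQParserPlugin"
RUN_EXEC_LISTENER = "solr.RunExecutableListener"
CONFIG_EDIT_FLAG = "-Ddisable.configEdit=true"


def audit_solr(solrconfig_xml: str, jvm_opts: str) -> list:
    """Return human-readable findings; an empty list means all three
    mitigations from the advisory are in place."""
    findings = []
    root = ET.fromstring(solrconfig_xml)

    # 1. Config API edits must be off: with them on, a single GET can add a
    #    RunExecutableListener to the live configuration.
    if CONFIG_EDIT_FLAG not in jvm_opts.split():
        findings.append("Config API edits enabled; start Solr with " + CONFIG_EDIT_FLAG)

    # 2. A RunExecutableListener in the config is exactly what an attacker
    #    plants; it is no longer needed for replication, so remove it.
    for listener in root.iter("listener"):
        if listener.get("class") == RUN_EXEC_LISTENER:
            findings.append("RunExecutableListener configured (event=%s); remove it"
                            % listener.get("event", "?"))

    # 3. The 'xmlparser' name must resolve to a parser other than the XML
    #    query parser (the advisory suggests solr.ExtendedDismaxQParserPlugin).
    remaps = [qp for qp in root.iter("queryParser") if qp.get("name") == "xmlparser"]
    if not remaps or any(qp.get("class") in (None, DEFAULT_XML_QPARSER) for qp in remaps):
        findings.append('xmlparser not remapped; add <queryParser name="xmlparser" '
                        'class="solr.ExtendedDismaxQParserPlugin"/>')
    return findings


# Constructed sample inputs, not taken from any real deployment. The first
# still carries the old snapshooter listener that replication once used.
VULNERABLE_CONFIG = """<config>
  <updateHandler class="solr.DirectUpdateHandler2">
    <listener event="postCommit" class="solr.RunExecutableListener">
      <str name="exe">snapshooter</str>
    </listener>
  </updateHandler>
  <requestHandler name="/select" class="solr.SearchHandler"/>
</config>
"""
HARDENED_CONFIG = """<config>
  <updateHandler class="solr.DirectUpdateHandler2"/>
  <requestHandler name="/select" class="solr.SearchHandler"/>
  <queryParser name="xmlparser" class="solr.ExtendedDismaxQParserPlugin"/>
</config>
"""

if __name__ == "__main__":
    for label, cfg, opts in (("vulnerable", VULNERABLE_CONFIG, "-Xmx512m"),
                             ("hardened", HARDENED_CONFIG, "-Xmx512m " + CONFIG_EDIT_FLAG)):
        print(label + ":", audit_solr(cfg, opts) or ["ok"])
```

Run it against each node's solrconfig.xml and the SOLR_OPTS from its solr.in.sh; any finding means the interim mitigation is incomplete on that node. The check is deliberately strict about the listener: a RunExecutableListener is the payload of the attack, so its mere presence is reported even when the exe it names looks benign.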

6 October 2017, Apache Solr™ 7.0.1 available ¶

Solr is the popular, blazing fast, open source NoSQL search platform from the Apache Lucene project. Its major features include powerful full-text search, hit highlighting, faceted search and analytics, rich document parsing, geospatial search, extensive REST APIs as well as parallel SQL. Solr is enterprise grade, secure and highly scalable, providing fault tolerant distributed search and indexing, and powers the search and navigation features of many of the world's largest internet sites.

Solr 7.0.1 is available for immediate download at: https://lucene.apache.org/solr/mirrors-solr-latest-redir.html

This release includes 2 bug fixes since the 7.0.0 release:

Solr 7.0 cannot read indexes from 6.x versions.

Message "Lock held by this virtual machine" during startup. Solr is trying to start some cores twice.

Furthermore, this release includes Apache Lucene 7.0.1 which includes 1 bug fix since the 7.0.0 release.

The release is available for immediate download at:

https://www.apache.org/dyn/closer.lua/lucene/solr/7.0.1

Please read CHANGES.txt for a detailed list of changes:

https://lucene.apache.org/solr/7_0_1/changes/Changes.html

2 October 2017, Apache Solr Reference Guide for 7.0 available ¶

The Lucene PMC is pleased to announce the release of the Apache Solr Reference Guide for Solr 7.0.

This 1,035-page PDF is the definitive guide to Solr. This version adds documentation for new features of Solr, plus detailed information about changes and deprecations you should know about when upgrading from Solr 6.x to Solr 7.0.

You can download the PDF from: https://www.apache.org/dyn/closer.cgi/lucene/solr/ref-guide/apache-solr-ref-guide-7.0.pdf.

An HTML version is also available from: https://lucene.apache.org/solr/guide/7_0/.

20 September 2017, Apache Solr™ 7.0.0 available ¶

The Lucene PMC is pleased to announce the release of Apache Solr 7.0.0

Solr is the popular, blazing fast, open source NoSQL search platform from the Apache Lucene project. Its major features include powerful full-text search, hit highlighting, faceted search and analytics, rich document parsing, geospatial search, extensive REST APIs as well as parallel SQL. Solr is enterprise grade, secure and highly scalable, providing fault tolerant distributed search and indexing, and powers the search and navigation features of many of the world's largest internet sites.

Solr 7.0.0 is available for immediate download at: https://lucene.apache.org/solr/mirrors-solr-latest-redir.html

Highlights for this Solr release include:

Replica Types - Solr 7 supports different replica types, which handle updates differently. In addition to pure NRT operation where all replicas build an index and keep a replication log, you can now also add so called PULL replicas, achieving the read-speed optimized benefits of a master/slave setup while at the same time keeping index redundancy.

Auto-scaling. Solr can now allocate new replicas to nodes using a new auto scaling policy framework. This framework will in future releases enable Solr to move shards around based on load, disk etc.

Indented JSON is now the default response format for all APIs; pass wt=xml and/or indent=off to use the previous unindented XML format.

The JSON Facet API now supports two-phase facet refinement to ensure accurate counts and statistics for facet buckets returned in distributed mode.

Streaming Expressions adds a new statistical programming syntax for the statistical analysis of sql queries, random samples, time series and graph result sets.

Analytics Component version 2.0, which now supports distributed collections, expressions over multivalued fields, a new JSON request language, and more.

The new v2 API, exposed at /api/ and also supported via SolrJ, is now the preferred API, but /solr/ continues to work.

A new '_default' configset is used if no config is specified at collection creation. The data-driven functionality of this configset indexes strings as analyzed text while at the same time copying to a '*_str' field suitable for faceting.

Solr 7 is tested with and verified to support Java 9.

See the Solr CHANGES.txt files included with the release for a full list of details.

18 September 2017, CVE-2017-9803: Security vulnerability in kerberos delegation token functionality ¶

Severity: Important

Vendor:

The Apache Software Foundation

Versions Affected:

Solr 6.2.0 to 6.6.0

Description:

Solr's Kerberos plugin can be configured to use delegation tokens, which allows an application to reuse the authentication of an end-user or another application. There are two issues with this functionality when using a SecurityAwareZkACLProvider type of ACL provider (e.g. SaslZkACLProvider).

Firstly, access to the security configuration can be leaked to users other than the solr super user. Secondly, malicious users can exploit this leaked configuration for privilege escalation to further expose/modify private data and/or disrupt operations in the Solr cluster.

The vulnerability is fixed from Solr 6.6.1 onwards.

Mitigation:

6.x users should upgrade to 6.6.1

Credit:

This issue was discovered by Hrishikesh Gadre of Cloudera Inc.

References:

7 September 2017, Apache Solr™ 6.6.1 available ¶

The Lucene PMC is pleased to announce the release of Apache Solr 6.6.1

Solr is the popular, blazing fast, open source NoSQL search platform from the Apache Lucene project. Its major features include powerful full-text search, hit highlighting, faceted search and analytics, rich document parsing, geospatial search, extensive REST APIs as well as parallel SQL. Solr is enterprise grade, secure and highly scalable, providing fault tolerant distributed search and indexing, and powers the search and navigation features of many of the world's largest internet sites.

Solr 6.6.1 is available for immediate download at: https://lucene.apache.org/solr/mirrors-solr-latest-redir.html

This release includes 15 bug fixes since the 6.6.0 release. Some of the major fixes are:

Standalone Solr loads UNLOADed core on request

ParallelStream should set the StreamContext when constructing SolrStreams

CloudSolrStream.toExpression incorrectly handles fq clauses

CoreContainer.load needs to send lazily loaded core descriptors to the proper list rather than send them all to the transient lists

Creating a core should write a core.properties file first and clean up on failure

Clean up a few details left over from pluggable transient core and untangling

Provide a way to know when Core Discovery is finished and when all async cores are done loading

CDCR bootstrapping can get into an infinite loop when a core is reloaded

SolrJmxReporter is broken on core reload. This resulted in some or most metrics not being reported via JMX after core reloads, depending on timing

Creating a core.properties fails if the parent of core.properties is a symlinked directory

StreamHandler should allow connections to be closed early

Certain admin UI pages would not load up correctly with kerberos enabled

Fix DOWNNODE -> queue-work znode explosion in ZooKeeper

Upgrade to Hadoop 2.7.4 to fix incompatibility with Java 9

Fix bin/solr.cmd so it can run properly on Java 9

Furthermore, this release includes Apache Lucene 6.6.1 which includes 2 bug fixes since the 6.6.0 release.

See the Solr CHANGES.txt files included with the release for a full list of details.

7 July 2017, CVE-2017-7660: Security Vulnerability in secure inter-node communication in Apache Solr ¶

Severity: Important

Vendor:

The Apache Software Foundation

Versions Affected:

Solr 5.3 to 5.5.4

Solr 6.0 to 6.5.1

Description:

Solr uses a PKI based mechanism to secure inter-node communication when security is enabled. It is possible to create a specially crafted node name that does not exist as part of the cluster and point it to a malicious node. This can trick the nodes in the cluster into believing that the malicious node is a member of the cluster. So, if Solr users have enabled the BasicAuth authentication mechanism using the BasicAuthPlugin, or have implemented a custom authentication plugin which does not implement either "HttpClientInterceptorPlugin" or "HttpClientBuilderPlugin", their servers are vulnerable to this attack. Users who only use SSL without basic authentication, or those who use Kerberos, are not affected.

Mitigation:

6.x users should upgrade to 6.6.0 or higher

5.x users should obtain the latest source from git and apply this patch: http://git-wip-us.apache.org/repos/asf/lucene-solr/commit/2f5ecbcf

Credit:

This issue was discovered by Noble Paul of Lucidworks Inc.

References:

6 June 2017, Apache Solr™ 6.6.0 available ¶

The Lucene PMC is pleased to announce the release of Apache Solr 6.6.0

Solr is the popular, blazing fast, open source NoSQL search platform from the Apache Lucene project. Its major features include powerful full-text search, hit highlighting, faceted search and analytics, rich document parsing, geospatial search, extensive REST APIs as well as parallel SQL. Solr is enterprise grade, secure and highly scalable, providing fault tolerant distributed search and indexing, and powers the search and navigation features of many of the world's largest internet sites.

Solr 6.6.0 is available for immediate download at: https://lucene.apache.org/solr/mirrors-solr-latest-redir.html

Highlights of this Solr release include:

Payload support with payload() value source and {!payload_score} and {!payload_check} query parsers

Solr support for SimpleTextCodec

Multi-field support to TermsComponent when requesting terms' statistics

New AtomicUpdateProcessor to convert normal update operations to atomic update operations

UPLOAD command (Config Set API) for uploading zipped configsets

MOVEREPLICA command (Collections API) for moving a replica across nodes

LISTALIASES command (Collections API) to return a list of all collection aliases

STATUS command (Core Admin API) to emit collection details of each core

Basic authentication can be enabled/disabled using bin/solr|bin/solr.cmd

Solr default/example uses WordDelimiterGraphFilterFactory and SynonymGraphFilterFactory

Expose cache statistics using metrics API

CloudSolrClient can now be initialized using the base URL of a Solr instance instead of ZooKeeper hosts

Grouping, CollapseQParser and ExpandComponent support with PointFields

Variance and Standard Deviation aggregators for the JSON Facet API

JSON Faceting now supports a query time 'join' domain change option

CartesianProductStream, which turns a single tuple with a multi-valued field into N tuples, one for each value in the multi-valued field

New Streaming Evaluators: Basic math, UUID, Date/time, correlation, regress, predict, covariance, convolution, normalize

New Streaming Expressions: shuffle, echo, eval, timeseries, let, get, tuple

See the Solr CHANGES.txt files included with the release for a full list of details.

27 April 2017, Apache Solr™ 6.5.1 available ¶

The Lucene PMC is pleased to announce the release of Apache Solr 6.5.1

Solr is the popular, blazing fast, open source NoSQL search platform from the Apache Lucene project. Its major features include powerful full-text search, hit highlighting, faceted search and analytics, rich document parsing, geospatial search, extensive REST APIs as well as parallel SQL. Solr is enterprise grade, secure and highly scalable, providing fault tolerant distributed search and indexing, and powers the search and navigation features of many of the world's largest internet sites.

Solr 6.5.1 is available for immediate download at: https://lucene.apache.org/solr/mirrors-solr-latest-redir.html

This release includes 11 bug fixes since the 6.5.0 release. Some of the major fixes are:

bin\solr.cmd delete and healthcheck now work again; fixed continuation chars ^

Fix debug related NullPointerException in solr/contrib/ltr OriginalScoreFeature class.

The JSON output of /admin/metrics is fixed to write the container as a map (SimpleOrderedMap) instead of an array (NamedList).

On 'downnode', lots of wasteful mutations are done to ZK.

Fix params persistence for solr/contrib/ltr (MinMax|Standard)Normalizer classes.

The fetch() streaming expression wouldn't work if a value included query syntax chars (like :+-). Fixed, and enhanced the generated query to not pollute the queryCache.

Disable graph query production via schema configuration <fieldtype ... enableGraphQueries="false"> . This fixes broken queries for ShingleFilter-containing query-time analyzers when request param sow=false.

Fix indexed="false" on numeric PointFields

SQL AVG function mis-interprets field type.

SQL interface does not use client cache.

edismax with sow=false fails to create dismax-per-term queries when any field is boosted.

Furthermore, this release includes Apache Lucene 6.5.1 which includes 3 bug fixes since the 6.5.0 release.

See the Solr CHANGES.txt files included with the release for a full list of details.

27 March 2017, Apache Solr™ 6.5.0 Available ¶

The Lucene PMC is pleased to announce the release of Apache Solr 6.5.0.

Solr is the popular, blazing fast, open source NoSQL search platform from the Apache Lucene project. Its major features include powerful full-text search, hit highlighting, faceted search and analytics, rich document parsing, geospatial search, extensive REST APIs as well as parallel SQL. Solr is enterprise grade, secure and highly scalable, providing fault tolerant distributed search and indexing, and powers the search and navigation features of many of the world's largest internet sites.

Solr 6.5.0 is available for immediate download at: https://lucene.apache.org/solr/mirrors-solr-latest-redir.html

Highlights of this Solr release include:

PointFields (fixed-width multi-dimensional numeric & binary types enabling fast range search) are now supported

In-place updates to numeric docValues fields (single valued, non-stored, non-indexed) supported using atomic update syntax

A new LatLonPointSpatialField that uses points or doc values for query

It is now possible to declare a field as "large" in order to bypass the document cache

New sow=false request param (split-on-whitespace) for edismax & standard query parsers enables query-time multi-term synonyms

XML QueryParser (defType=xmlparser) now supports span queries

hl.maxAnalyzedChars now has a consistent default across highlighters

UnifiedSolrHighlighter and PostingsSolrHighlighter now support CustomSeparatorBreakIterator

Scoring formula is adjusted for the scoreNodes function

Calcite Planner now applies constant Reduction Rules to optimize plans

A new significantTerms Streaming Expression that is able to extract the significant terms in an index

StreamHandler is now able to use runtimeLib jars

Arithmetic operations are added to the SelectStream

Added modernized self-documenting /v2 API

The .system collection is now created on first request if it does not exist

Admin UI: Added shard deletion button

Metrics API now supports non-numeric metrics (version, disk type, component state, system properties...)

The disk free and aggregated disk free metrics are now reported

The DirectUpdateHandler2 now implements MetricsProducer and exposes stats via the metrics api and configured reporters.

BlockCache is faster due to fewer failures when caching a new block

MMapDirectoryFactory now supports "preload" option to ask mapped pages to be loaded into physical memory on init

Security: BasicAuthPlugin now supports standalone mode

Arbitrary java system properties can be passed to zkcli

SolrHttpClientBuilder can be configured via java system property

Javadocs and Changes.html are no longer included in the binary distribution, but are hosted online

See the Solr CHANGES.txt files included with the release for a full list of details.

7 March 2017, Apache Solr™ 6.4.2 Available ¶

The Lucene PMC is pleased to announce the release of Apache Solr 6.4.2.

Solr is the popular, blazing fast, open source NoSQL search platform from the Apache Lucene project. Its major features include powerful full-text search, hit highlighting, faceted search and analytics, rich document parsing, geospatial search, extensive REST APIs as well as parallel SQL. Solr is enterprise grade, secure and highly scalable, providing fault tolerant distributed search and indexing, and powers the search and navigation features of many of the world's largest internet sites.

Solr 6.4.2 is available for immediate download at: https://lucene.apache.org/solr/mirrors-solr-latest-redir.html

Highlights of this Solr release include:

Fixed: Serious performance degradation in Solr 6.4 due to the metrics collection. IndexWriter metrics collection turned off by default, directory level metrics collection completely removed (until a better design is found)

Fixed: Transaction log replay can hit an NullPointerException due to new Metrics code

Fixed: NullPointerException in CloudSolrClient when reading stale alias

Fixed: UnifiedHighlighter and PostingsHighlighter bug in PrefixQuery and TermRangeQuery for multi-byte text

See the Solr CHANGES.txt files included with the release for a full list of details.

17 February 2017, Apache Solr Reference Guide for 6.4 Available ¶

The Lucene PMC is pleased to announce that the Solr Reference Guide for Solr 6.4 has been released.

This 763-page PDF is the definitive guide to using Apache Solr. It can be downloaded from:

https://www.apache.org/dyn/closer.cgi/lucene/solr/ref-guide/apache-solr-ref-guide-6.4.pdf

15 February 2017, Apache Solr™ 5.5.4 Available ¶

The Lucene PMC is pleased to announce the release of Apache Solr 5.5.4.

Solr is the popular, blazing fast, open source NoSQL search platform from the Apache Lucene project. Its major features include powerful full-text search, hit highlighting, faceted search and analytics, rich document parsing, geospatial search, extensive REST APIs as well as parallel SQL. Solr is enterprise grade, secure and highly scalable, providing fault tolerant distributed search and indexing, and powers the search and navigation features of many of the world's largest internet sites.

Solr 5.5.4 is available for immediate download at: https://lucene.apache.org/solr/mirrors-solr-latest-redir.html

Highlights of this Solr release include:

Better validation of filename params in ReplicationHandler

Upgraded commons-fileupload to 1.3.2, fixing a potential vulnerability CVE-2016-3092

See the Solr CHANGES.txt files included with the release for a full list of details.

15 February 2017, CVE-2017-3163: Apache Solr ReplicationHandler path traversal attack ¶

Severity: Moderate

Vendor:

The Apache Software Foundation

Versions Affected:

Solr 1.4 to 6.4.0

Description:

When using the Index Replication feature, Solr nodes can pull index files from a master/leader node using an HTTP API which accepts a file name. However, Solr did not validate the file name, hence it was possible to craft a special request involving path traversal, leaving any file readable to the Solr server process exposed. Solr servers protected and restricted by firewall rules and/or authentication would not be at risk since only trusted clients and users would gain direct HTTP access.
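The following is an added illustration (not Solr's own code) of the missing check this advisory describes: the unchecked variant joins the client-supplied file name onto the index directory as-is, so ".." segments walk out of it, while the checked variant accepts only a flat segment file name and then confirms the resolved path is a direct child of the index directory. The function names and the sample index path are this example's assumptions.

```python
"""Path-traversal check for a replication-style 'fetch file by name' API.

Added example; not code from the Solr project. The index path and function
names are this example's own assumptions.
"""
import os
from pathlib import Path


class PathTraversal(ValueError):
    """Raised when a requested file name would escape the index directory."""


def unchecked_resolve(index_dir: str, requested: str) -> str:
    """The pre-fix behaviour the advisory describes: the name is joined onto
    the index directory as supplied, so '..' segments leave the directory."""
    return os.path.normpath(os.path.join(index_dir, requested))


def checked_resolve(index_dir: str, requested: str) -> Path:
    """Return the path of `requested` inside `index_dir`, or raise PathTraversal.

    Lucene index files live flat in one directory, so a legitimate name never
    contains a separator, a drive letter or a '..' component. The name check
    is the primary control; the containment check after resolving is defence
    in depth against anything the first filter misses.
    """
    if not requested or requested in (".", "..") or any(c in requested for c in "/\\:\x00"):
        raise PathTraversal("rejected file name %r" % requested)
    base = Path(index_dir).resolve()
    candidate = (base / requested).resolve()
    if candidate.parent != base:
        raise PathTraversal("%r resolves outside %s" % (requested, base))
    return candidate


def is_safe_name(index_dir: str, requested: str) -> bool:
    """Convenience wrapper: True if checked_resolve accepts the name."""
    try:
        checked_resolve(index_dir, requested)
        return True
    except PathTraversal:
        return False


if __name__ == "__main__":
    # Constructed sample: a typical core's index directory and two attack names.
    index_dir = "/var/solr/data/core1/data/index"
    for name in ("_0.cfs", "segments_2", "../../../../../../etc/passwd", "/etc/passwd"):
        print("%-32s unchecked -> %s  checked -> %s"
              % (name, unchecked_resolve(index_dir, name), is_safe_name(index_dir, name)))
```

Note the order of the two controls: rejecting separators first means an attacker never gets to influence which directory the resolve step walks, and the containment check remains as a backstop if the allowed-name rule is ever loosened.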

Mitigation:

6.x users should upgrade to 6.4.1

5.x users should upgrade to 5.5.4

4.x, 3.x and 1.4 users should upgrade to a supported version of Solr or setup proper firewalling, or disable the ReplicationHandler if not in use.

Credit:

This issue was discovered by Hrishikesh Gadre of Cloudera Inc.

References:

6 February 2017, Apache Solr™ 6.4.1 Available ¶

The Lucene PMC is pleased to announce the release of Apache Solr 6.4.1.

Solr is the popular, blazing fast, open source NoSQL search platform from the Apache Lucene project. Its major features include powerful full-text search, hit highlighting, faceted search and analytics, rich document parsing, geospatial search, extensive REST APIs as well as parallel SQL. Solr is enterprise grade, secure and highly scalable, providing fault tolerant distributed search and indexing, and powers the search and navigation features of many of the world's largest internet sites.

Solr 6.4.1 is available for immediate download at: https://lucene.apache.org/solr/mirrors-solr-latest-redir.html

Highlights of this Solr release include:

"Plugin/Stats" section of the UI doesn't display empty metric types

SOLR_SSL_OPTS was mistakenly overwritten in solr.cmd

Better validation of filename params in ReplicationHandler

Core swapping did not work with new metrics changes in place

Admin UI could not find DataImport handlers due to metrics changes

AnalyzingInfixSuggester/BlendedInfixSuggester now work with core reload

See the Solr CHANGES.txt files included with the release for a full list of details.

23 January 2017, Apache Solr™ 6.4.0 Available ¶

The Lucene PMC is pleased to announce the release of Apache Solr 6.4.0.

Solr is the popular, blazing fast, open source NoSQL search platform from the Apache Lucene project. Its major features include powerful full-text search, hit highlighting, faceted search and analytics, rich document parsing, geospatial search, extensive REST APIs as well as parallel SQL. Solr is enterprise grade, secure and highly scalable, providing fault tolerant distributed search and indexing, and powers the search and navigation features of many of the world's largest internet sites.

Solr 6.4.0 is available for immediate download at: https://lucene.apache.org/solr/mirrors-solr-latest-redir.html

Highlights of this Solr release include:

Streaming:

Addition of a HavingStream to Streaming API and Streaming Expressions

Addition of a priority Streaming Expression

Streaming expressions now support collection aliases

Machine Learning:

Configurable Learning-To-Rank (LTR) support: upload feature definitions, extract feature values, upload your own machine learnt models and use them to rerank search results.

Faceting:

Added "param" query type to facet domain filter specification to obtain filters via query parameters

Any facet command can be filtered using a new parameter filter. Example: { type:terms, field:category, filter:"user:yonik" }

Scripts / Command line:

A new command-line tool to manage the snapshots functionality

bin/solr and bin/solr.cmd now use mkroot command

SolrCloud / SolrJ

LukeResponse now supports dynamic fields

Solrj client now supports hierarchical clusters and other topics marker

Collection backup/restore are extensible.

Security:

Support Secure Impersonation / Proxy User for Solr authentication

Key Store type can be specified in solr.in.sh file for SSL

New generic authentication plugins: 'HadoopAuthPlugin' and 'ConfigurableInternodeAuthHadoopPlugin' that delegate all functionality to Hadoop authentication framework

Query / QueryParser / Highlighting:

A new highlighter: The Unified Highlighter. Try it via hl.method=unified ; many popular highlighting parameters / features are supported. It's the highest performing highlighter, especially for large documents. Highlighting phrase queries and exotic queries are supported equally as well as the Original Highlighter (aka the default/standard one). Please use this new highlighter and report issues since it will likely become the default one day.

Leading wildcard in complexphrase query parser are now accepted and optimized with the ReversedWildcardFilterFactory when it's provided

Metrics:

Use metrics-jvm library to instrument jvm internals such as GC, memory usage and others.

A lot of metrics have been added to the collection: index merges, index store I/Os, query, update, core admin, core load thread pools, shard replication, tlog replay and replicas

A new /admin/metrics API to return all metrics collected by Solr via API.

Misc changes:

The new config parameter 'maxRamMB' can now limit the memory consumed by the FastLRUCache

A new document processor 'SkipExistingDocumentsProcessor' that skips duplicate inserts and ignores updates to missing docs

FieldCache information fetched via the mbeans handler or seen via the UI now displays the total size used.

A new config flag 'enable' allows any cache to be enabled or disabled

Please note that this release cannot be built from source with Java 8 update 121; use an earlier update instead. This is caused by a bug introduced into the Javadocs tool shipped with that update, and the workaround came too late for this Lucene release. The binary artifacts can of course still be used.

See the Solr CHANGES.txt files included with the release for a full list of details.

16 November 2016, Apache Solr Reference Guide for 6.3 Available ¶

The Lucene PMC is pleased to announce that the Solr Reference Guide for Solr 6.3 has been released.

This 736-page PDF is the definitive guide to using Apache Solr. It can be downloaded from:

https://www.apache.org/dyn/closer.cgi/lucene/solr/ref-guide/apache-solr-ref-guide-6.3.pdf

8 November 2016, Apache Solr™ 6.3.0 Available ¶

The Lucene PMC is pleased to announce the release of Apache Solr 6.3.0.

Solr is the popular, blazing fast, open source NoSQL search platform from the Apache Lucene project. Its major features include powerful full-text search, hit highlighting, faceted search and analytics, rich document parsing, geospatial search, extensive REST APIs as well as parallel SQL. Solr is enterprise grade, secure and highly scalable, providing fault tolerant distributed search and indexing, and powers the search and navigation features of many of the world's largest internet sites.

Solr 6.3.0 is available for immediate download at: https://lucene.apache.org/solr/mirrors-solr-latest-redir.html

Highlights of this Solr release include:

DocValues, streaming, /export, machine learning

Optimize, store and deploy AI models in Solr

Ability to add custom streaming expressions

New streaming expressions such as "fetch", "executor", and "commit" added.

Parallel SQL accepts <, >, =, etc., symbols.

Support facet scoring with the scoreNodes expression

Retrieving docValues as stored values was sped up by using the proper leaf reader rather than ask for a global view. In extreme cases, this leads to a 100x speedup.

Faceting:

facet.method=enum can bypass the exact counts calculation with facet.exists=true; it just returns 1 for terms which exist in the result docset

Add "overrequest" parameter to JSON Facet API to control amount of overrequest on a distributed terms facet

Logging:

You can now set Solr's log level through environment variable SOLR_LOG_LEVEL

GC logs are rotated by JVM to a max of 9 files, and backed up via bin/solr scripts

Solr's logging verbosity at the INFO level has been greatly reduced by moving much logging to DEBUG level

The solr-8983-console.log file now only logs STDOUT and STDERR output, not all log4j logs as before

Solr's main log file, solr.log, is now written to SOLR_LOGS_DIR without changing log4j.properties

Start scripts:

Allow 180 seconds for shutdown before killing solr (configurable, old limit 5s) (Unix only)

Start scripts now exit with an informative message if using the wrong Java version

Fixed "bin/solr.cmd zk upconfig" command which was broken on windows

You can now ask for DEBUG logging simply with '-v' option, and for WARN logging with '-q' option

SolrCloud:

The DELETEREPLICA API can accept a 'count' parameter and remove "count" number of replicas from each shard if the shard name is not provided

The config API shows expanded useParams for request handlers inline

Ability to create/delete/list snapshots at collection level

The modify collection API now waits for the modified properties to show up in the cluster state before returning

Many bug fixes related to SolrCloud recovery for data safety and faster recovery times.

Security:

SolrJ now supports Kerberos delegation tokens

Pooled SSL connections were not being re-used. This is now fixed.

Fix for the blockUnknown property which made inter-node communication impossible

Support SOLR_AUTHENTICATION_OPTS and SOLR_AUTHENTICATION_CLIENT_CONFIGURER in windows bin/solr.cmd script

New parameter -u in bin/post to pass basicauth credentials

Misc changes:

Optimizations to lower memory allocations when indexing JSON as well as for replication between solr cloud nodes.

A new Excel workbook (.xlsx) response writer has been added. Use 'wt=xlsx' request parameter on a query request to enable.

See the Solr CHANGES.txt files included with the release for a full list of details.

20 September 2016, Apache Solr™ 6.2.1 available ¶

The Lucene PMC is pleased to announce the release of Apache Solr 6.2.1

Solr is the popular, blazing fast, open source NoSQL search platform from the Apache Lucene project. Its major features include powerful full-text search, hit highlighting, faceted search, dynamic clustering, database integration, rich document (e.g., Word, PDF) handling, and geospatial search. Solr is highly scalable, providing fault tolerant distributed search and indexing, and powers the search and navigation features of many of the world's largest internet sites.

This release includes 11 bug fixes since the 6.2.0 release. Some of the major fixes are:

SOLR-9490: BoolField always returning false for non-DV fields when javabin involved (via solrj, or intra node communication)

SOLR-9188: BlockUnknown property makes inter-node communication impossible

SOLR-9389: HDFS Transaction logs stay open for writes which leaks Xceivers

SOLR-9438: Shard split can fail to write commit data on shutdown leading to data loss

Furthermore, this release includes Apache Lucene 6.2.1 which includes 3 bug fixes since the 6.2.0 release.

The release is available for immediate download at: https://www.apache.org/dyn/closer.lua/lucene/solr/6.2.1

See the CHANGES.txt file included with the release for a detailed list of changes.

13 September 2016, Apache Solr Reference Guide for 6.2 available ¶

The Lucene PMC is pleased to announce that the Solr Reference Guide for Solr 6.2 has been released.

This 717-page PDF is the definitive guide to using Apache Solr. It can be downloaded from:

https://www.apache.org/dyn/closer.cgi/lucene/solr/ref-guide/apache-solr-ref-guide-6.2.pdf

9 September 2016, Apache Solr 5.5.3 available ¶

The Lucene PMC is pleased to announce the release of Apache Solr 5.5.3.

Solr is the popular, blazing fast, open source NoSQL search platform from the Apache Lucene project. Its major features include powerful full-text search, hit highlighting, faceted search, dynamic clustering, database integration, rich document (e.g., Word, PDF) handling, and geospatial search. Solr is highly scalable, providing fault tolerant distributed search and indexing, and powers the search and navigation features of many of the world's largest internet sites.

This release includes 5 bug fixes since the 5.5.2 release.

In particular, this release contains 2 critical fixes:

* The number of TCP connections in CLOSE_WAIT state no longer spikes during indexing.
* PeerSync no longer fails on a node restart due to an IndexFingerPrint mismatch.

The release is available for immediate download at: https://www.apache.org/dyn/closer.lua/lucene/solr/5.5.3

See the CHANGES.txt file included with the release for a detailed list of changes.

25 August 2016, Apache Solr 6.2.0 available ¶

The Lucene PMC is pleased to announce the release of Apache Solr 6.2.0.

Solr is the popular, blazing fast, open source NoSQL search platform from the Apache Lucene project. Its major features include powerful full-text search, hit highlighting, faceted search and analytics, rich document parsing, geospatial search, extensive REST APIs as well as parallel SQL. Solr is enterprise grade, secure and highly scalable, providing fault tolerant distributed search and indexing, and powers the search and navigation features of many of the world's largest internet sites.

Solr 6.2.0 is available for immediate download at: https://lucene.apache.org/solr/mirrors-solr-latest-redir.html

Solr 6.2 Release Highlights:

DocValues, streaming, /export, machine learning

DocValues can now be used with BoolFields

Date and boolean support added to /export handler

Add "scoreNodes" streaming graph expression

Support parallel ETL with the "topic" expression

Feature selection and logistic regression on text via new streaming expressions: "features" and "train"

bin/solr script

Add basic auth support to the bin/solr script

File operations to/from Zookeeper are now supported

SolrCloud

New tag 'role' in replica placement rules, e.g. rule=role:!overseer keeps new replicas off overseer nodes

CDCR: fall back to whole-index replication when tlogs are insufficient

New REPLACENODE command to decommission an existing node and replace it with another new node

New DELETENODE command to delete all replicas on a node

Security

Add Kerberos delegation token support

Support secure impersonation / proxy user for Kerberos authentication

Misc changes

A large number of regressions were fixed in the new Admin UI

New boolean comparison function queries comparing numeric arguments: gt, gte, lt, lte, eq

Upgraded Extraction module to Apache Tika 1.13.

Updated to Hadoop 2.7.2

See the CHANGES.txt file included with the release for a detailed list of changes.

25 June 2016, Apache Solr 5.5.2 available ¶

The Lucene PMC is pleased to announce the release of Apache Solr 5.5.2.

Solr is the popular, blazing fast, open source NoSQL search platform from the Apache Lucene project. Its major features include powerful full-text search, hit highlighting, faceted search, dynamic clustering, database integration, rich document (e.g., Word, PD