On 10/13/2017 7:13 AM, Rick Leir wrote:
> What is the earliest version which was vulnerable?
The XML query parser was added to Solr in version 5.5. Since that's a critical part of the remote exploit, that's the minimum version to be worried about in situations where end users cannot reach Solr directly. If end users have direct access to the Solr server, then that opens up a whole different class of problems.

https://issues.apache.org/jira/browse/SOLR-839

Because the XML parser is enabled by default in Solr without any configuration, currently the only way to "turn off" that parser is to redefine the "xmlparser" name to another parser, with a config line like this in solrconfig.xml:

    <queryParser name="xmlparser" class="solr.ExtendedDismaxQParserPlugin"/>

This config doesn't actually unload the XML parser, but it does effectively make it inaccessible, because the name is redirected to a different parser.

I opened this issue:

https://issues.apache.org/jira/browse/SOLR-11495

Thanks,
Shawn
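As an added example, not part of Shawn's message and not code from the Solr project: a small Python script that checks whether a solrconfig.xml applies the workaround described above (the "xmlparser" name redefined to a different parser class) and flags request-log lines whose parameters invoke the xmlparser name, either via defType=xmlparser or the {!xmlparser ...} local-params prefix. It assumes the built-in parser behind that name is solr.XmlQParserPlugin, which the thread does not state; the config fragments and log lines are constructed samples in the shape of a Solr config and request log.

```python
"""Verify the "xmlparser" workaround in solrconfig.xml and scan Solr request
log lines for requests that name the xmlparser query parser.

Added example, not part of the mailing-list thread or of Solr itself.
Assumption: the default class behind the "xmlparser" name is
solr.XmlQParserPlugin (not stated in the thread). The config fragments and
log lines below are constructed samples.
"""
import re
import xml.etree.ElementTree as ET

# Default class behind the "xmlparser" name (assumption, see module docstring).
XML_PARSER_CLASS = "XmlQParserPlugin"


def xmlparser_is_overridden(solrconfig_xml: str) -> bool:
    """Return True when solrconfig.xml redefines the "xmlparser" name to a
    class that is not the XML query parser, i.e. the workaround is in place.
    Returns False when the name is not redefined or is mapped back to the
    XML parser class itself."""
    root = ET.fromstring(solrconfig_xml)
    for qp in root.iter("queryParser"):
        if qp.get("name") == "xmlparser":
            cls = qp.get("class", "")
            return cls != "" and XML_PARSER_CLASS not in cls
    return False  # no override: the built-in parser is reachable by name


# A request reaches the XML parser either through defType=xmlparser or
# through the local-params prefix {!xmlparser ...} in the q parameter.
_XMLPARSER_USE = re.compile(r"defType=xmlparser\b|\{!xmlparser\b")


def find_xmlparser_requests(log_lines):
    """Return the request-log lines whose parameters invoke the xmlparser name."""
    return [line for line in log_lines if _XMLPARSER_USE.search(line)]


# Constructed sample configs: one without the workaround, one with it.
VULNERABLE_CONFIG = """<config>
  <requestHandler name="/select" class="solr.SearchHandler"/>
</config>"""

MITIGATED_CONFIG = """<config>
  <queryParser name="xmlparser" class="solr.ExtendedDismaxQParserPlugin"/>
</config>"""

# Constructed sample request-log lines in the shape of Solr's request log.
SAMPLE_LOG = [
    "2017-10-13 12:00:01.000 INFO  (qtp-21) [   x:collection1] o.a.s.c.S.Request"
    " [collection1]  webapp=/solr path=/select params={q=*:*&wt=json} hits=3 status=0 QTime=1",
    "2017-10-13 12:00:02.000 INFO  (qtp-22) [   x:collection1] o.a.s.c.S.Request"
    " [collection1]  webapp=/solr path=/select params={q=*:*&defType=xmlparser} hits=0 status=400 QTime=2",
    "2017-10-13 12:00:03.000 INFO  (qtp-23) [   x:collection1] o.a.s.c.S.Request"
    " [collection1]  webapp=/solr path=/select params={q={!xmlparser}<Term+fieldName='id'>1</Term>} hits=0 status=400 QTime=2",
]

if __name__ == "__main__":
    print("vulnerable config has override:", xmlparser_is_overridden(VULNERABLE_CONFIG))
    print("mitigated config has override:", xmlparser_is_overridden(MITIGATED_CONFIG))
    for line in find_xmlparser_requests(SAMPLE_LOG):
        print("xmlparser request:", line)
```

Run it against a real solrconfig.xml by reading the file into a string and passing it to xmlparser_is_overridden; point find_xmlparser_requests at the lines of solr.log to see whether anything has been calling the parser by name since the override went in.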