SearchStax Help Center


Why is the Configset API Disabled?

Users of Solr versions 6.6.0 to 8.6.2 sometimes discover that the Solr Configsets API feature has been disabled in their SearchStax Managed Search service deployments by the system property configset.upload.enabled=false. (This property has no effect on config upload using zkcli.sh/bat.)

In October 2020, Apache reported Critical Vulnerability CVE-2020-13957 (CVSS Score: 9.8). This vulnerability lets people attack your system through the configset.upload.enabled feature. For more information, see New Vulnerability Identified in Apache Solr — CVE-2020-13957.

SearchStax decided to patch all existing deployments to disable configset.upload.enabled. We sent an email at that time to all active SearchStax users, notifying them of this change.

We do not impose this restriction on our VPC clients because their deployments are secure against this kind of exploit.

If you would like us to enable configset.upload.enabled for a specific deployment, we will be happy to do so. However, since this is a critical vulnerability, we require you to first secure Solr by IP Filtering and/or by Solr Basic Auth.

This vulnerability has been fixed in Solr 8.6.3.

SearchStax Managed Search deployments using Solr 8.6.3 (or higher) no longer have configset.upload.enabled blocked.

If this situation impedes your project, consider upgrading to a higher version of Solr 8.x.
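The following is an added example, not SearchStax or Apache code: a small audit that applies the conditions described above (affected version range, the configset.upload.enabled property, and IP Filtering or Basic Auth) to an inventory of Solr deployments. The record field names and the sample inventory are hypothetical, and the default and "last flag wins" handling of the property are assumptions noted in the comments.

```python
import re

AFFECTED_MIN = (6, 6, 0)   # first affected version listed on this page
AFFECTED_MAX = (8, 6, 2)   # last affected version; 8.6.3 carries the fix
PROP = "configset.upload.enabled"


def parse_version(text):
    """Turn '8.6.2' into (8, 6, 2); missing parts count as 0."""
    parts = [int(p) for p in re.findall(r"\d+", text)[:3]]
    return tuple(parts + [0] * (3 - len(parts)))


def upload_enabled(jvm_opts):
    """Effective value of the property in a JVM option string.

    Assumptions: an unset property means enabled, only the literal
    'true' (any case) enables it, and the last -D flag wins.
    """
    values = re.findall(r"-D" + re.escape(PROP) + r"=(\S+)", jvm_opts)
    return values[-1].lower() == "true" if values else True


def assess(dep):
    """Classify one deployment record (hypothetical field names)."""
    version = parse_version(dep["solr_version"])
    if not AFFECTED_MIN <= version <= AFFECTED_MAX:
        return "outside affected range"
    if not upload_enabled(dep.get("jvm_opts", "")):
        return "mitigated: upload disabled"
    if dep.get("ip_filtering") or dep.get("basic_auth"):
        return "enabled behind access controls"
    return "EXPOSED: disable upload, restrict access, or upgrade"


# Constructed sample inventory, not real deployments.
INVENTORY = [
    {"name": "search-a", "solr_version": "8.6.2",
     "jvm_opts": "-Xmx2g -Dconfigset.upload.enabled=false"},
    {"name": "search-b", "solr_version": "7.7.2", "jvm_opts": "-Xmx4g"},
    {"name": "search-c", "solr_version": "8.4.1", "basic_auth": True},
    {"name": "search-d", "solr_version": "8.6.3"},
]

if __name__ == "__main__":
    for dep in INVENTORY:
        print(f"{dep['name']:10} {dep['solr_version']:8} {assess(dep)}")
```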

Questions?

Do not hesitate to contact the SearchStax Support Desk.

