SearchStax Help Center


Why is the Config API disabled?

SearchStax Managed Search users sometimes discover that the Solr Config API has been disabled in their deployments. This is done with the Solr system property disable.configEdit=true, which makes Solr reject configuration edits submitted through the Config API (HTTP requests to the /config endpoint). It has no effect on uploading configuration files with zkcli.sh/zkcli.bat, which continues to work.

In March 2019, Apache announced CVE-2019-0192 (CVSS score 9.8, Critical). In affected versions (Solr 5.0.0 through 5.5.5 and 6.0.0 through 6.6.5), the Config API accepted an HTTP POST that reconfigured Solr's JMX server. By pointing it at a malicious RMI server, an attacker could exploit unsafe Java deserialization to achieve remote code execution on the Solr host. The fix shipped in Solr 6.6.6; Solr 7.0 and later were not affected.

Then in October 2020, Apache announced CVE-2020-13957 (CVSS score 9.8, Critical). This one concerned the ConfigSets API: the check that Solr 8.6.0 had added to block unauthenticated configset uploads could be circumvented by combining the UPLOAD and CREATE actions, so an unauthenticated client could still install a configset of its own choosing. It affected Solr 6.6.0 through 6.6.5, 7.0.0 through 7.7.3 and 8.0.0 through 8.6.2, and was fixed in Solr 8.6.3.

In response, SearchStax set disable.configEdit=true on all existing Managed Search deployments and emailed all active SearchStax users at the time to notify them of the change.

We do not impose this restriction on our VPC clients because their deployments are secure against this kind of exploit.

If you would like us to enable the Config API for a specific deployment, we will be happy to help. However, because these vulnerabilities are critical, we require you to first secure the deployment with IP filtering and/or Solr Basic Auth, so that the Config API is reachable only from trusted addresses and only by authenticated users.
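As an added example (not SearchStax's or Apache Solr's own code), the following Python script generates a Solr security.json that turns on Basic Auth and uses Solr's rule-based authorization plugin to confine the Config API (the predefined config-edit permission) to an admin role, while a separate application account keeps only read, update and config-read. It reproduces the credential format of Solr's Sha256AuthenticationProvider, base64(sha256(sha256(salt || password))) followed by a space and the base64 salt, with a fresh 32-byte random salt. The user names, passwords and role names are illustrative assumptions.

```python
"""Generate a Solr security.json: Basic Auth plus rule-based authorization
that restricts the Config API (config-edit) to an admin role.

Added example, not SearchStax's or Apache Solr's own code. The credential
format follows Solr's Sha256AuthenticationProvider:
    base64(sha256(sha256(salt || password))) + " " + base64(salt)
User names, passwords and role names are illustrative assumptions.
"""
import base64
import hashlib
import hmac
import json
import os
import sys


def solr_password_hash(password: str, salt: bytes) -> str:
    """Return a Solr Basic Auth credential string for the given salt."""
    inner = hashlib.sha256(salt + password.encode("utf-8")).digest()
    outer = hashlib.sha256(inner).digest()
    return (base64.b64encode(outer).decode("ascii") + " "
            + base64.b64encode(salt).decode("ascii"))


def make_credential(password: str) -> str:
    """Credential with a fresh 32-byte random salt."""
    return solr_password_hash(password, os.urandom(32))


def verify_credential(password: str, credential: str) -> bool:
    """Recompute the hash from the stored salt and compare in constant time."""
    _stored_hash, salt_b64 = credential.split(" ", 1)
    recomputed = solr_password_hash(password, base64.b64decode(salt_b64))
    return hmac.compare_digest(recomputed, credential)


def build_security_json(admin_user: str, admin_password: str,
                        app_user: str, app_password: str) -> dict:
    """Assemble the security.json structure.

    Permission names are the predefined ones of RuleBasedAuthorizationPlugin.
    Rules are matched in order and the first match wins, so the specific
    config-edit rule comes before the catch-all 'all' rule.
    """
    return {
        "authentication": {
            "class": "solr.BasicAuthPlugin",
            "blockUnknown": True,  # reject requests carrying no credentials
            "credentials": {
                admin_user: make_credential(admin_password),
                app_user: make_credential(app_password),
            },
        },
        "authorization": {
            "class": "solr.RuleBasedAuthorizationPlugin",
            "permissions": [
                {"name": "security-edit", "role": "admin"},
                {"name": "config-edit", "role": "admin"},    # the Config API
                {"name": "config-read", "role": ["admin", "app"]},
                {"name": "read", "role": ["admin", "app"]},
                {"name": "update", "role": ["admin", "app"]},
                {"name": "all", "role": "admin"},            # everything else
            ],
            "user-role": {admin_user: "admin", app_user: "app"},
        },
    }


def roles_allowed(security: dict, permission: str) -> list:
    """Roles granted by the first rule named `permission` (empty if none)."""
    for rule in security["authorization"]["permissions"]:
        if rule["name"] == permission:
            role = rule["role"]
            return [role] if isinstance(role, str) else list(role)
    return []


def render_security_json(security: dict) -> str:
    """Serialize for upload to ZooKeeper as /security.json."""
    return json.dumps(security, indent=2)


if __name__ == "__main__":
    # Illustrative account names; real passwords come from the environment.
    doc = build_security_json(
        "solr-admin", os.environ.get("SOLR_ADMIN_PW", "change-me"),
        "app", os.environ.get("SOLR_APP_PW", "change-me-too"),
    )
    sys.stdout.write(render_security_json(doc) + "\n")
```

Two caveats a practitioner should keep in mind: Basic Auth sends credentials base64-encoded, not encrypted, so it only protects the Config API when Solr is reached over TLS; and because the rule list is evaluated top to bottom, a catch-all such as "all" must stay last or it will shadow the narrower config-edit rule.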

Questions?

Do not hesitate to contact the SearchStax Support Desk.
