
Upgrade or patch for SOLR in ColdFusion 2021 to current

Community Beginner, Apr 08, 2022


Receiving a vulnerability scan issue with the SOLR version in ColdFusion 2022. Seems to be a 5.x version, and the current version is SOLR 8.11.

Is there a way to upgrade, or will Adobe add it to the next CF hotfix?

The scan shows:

Apache Solr < 8.4.0 Remote Code Execution


1 Correct answer: Adobe Employee, Jul 17, 2023
Community Expert, Apr 08, 2022


While not an official answer (let's hope you may hear one here), I'll share what I've shared to clients who have asked me this directly:

1) First, I'm afraid there is not a current solution for us to update the Solr engine implemented by Adobe in the CF Add-on service. We must wait for them, though removing the feature entirely is an option for some, and implementing an updated Solr separately may be an option for others. Let me elaborate on those.

This is one of those things (like the Tomcat underlying CF) where it seems we can't do an update ourselves, as the integration in CF is so tight that there's no obvious way to update what they provide. And even if we may hack it out of desperation (or install a new version of our own and try to delete their old one), we can't know what may break in the CF integration with that thing.

And it's not just that we need to update it for the sake of the Solr version, but also because the implementation of this "CF add-on service" (which provides that built-in CF implementation of Solr as well as support for the CFHTMLtoPDF tag, new in CF11) happens to still have a log4j 1.x jar that was NOT corrected in the Dec updates to CF2021 and 2018. [Update in 2023: that was finally fixed in CF updates in 2022.]

All this is not a good place to be as a server admin when you have sec teams breathing down your neck. So what to do?

2) Well, again we can hope that some CF update may address this need to keep Solr updated (as well as the need for a Tomcat update, which should get flagged by your sec people also). Sadly, as you can see, it's been a long time since the Solr embedded with CF was updated. But again I'd hope that both the log4j issue AND what you point out may motivate them to get on the stick about such an update.

3) Next, if you don't USE the CF Solr feature, then you could of course REMOVE the CF add-on service. While it can be installed either with the CF installer itself or its own (CF Add-on service) installer, either will set up an uninstall capability, so that it could be removed.

As for knowing whether your code leverages the features that the add-on service adds, you could certainly try to search your code base for references to the tags/script statements related to CF's Solr support (cfsearch, cfindex, and cfcollection) or that cfhtmltopdf tag (added in CF11). Better still, those with CF2021 could also use its new cfpm command-line tool, which has a feature to "scan" your code and identify what CF packages/modules you need. If you did that and it reported no need of the "search" or "htmltopdf" modules, then you could remove that CF add-on service.

4) Finally, it's worth noting that one CAN install their OWN implementation of Solr. Note that the CF Admin page for Solr (like the CF Admin page for PDF services) lets you point to any Solr engine on any server/port.

Beware that if you DO point CF to a newer Solr engine there's no guarantee from Adobe that your cfsearch/cfindex/cfcollection code will work fine--at least not until THEY implement a new version for us. But I'm just saying it's an option worth trying before giving up all hope.

Also, one can switch from using those CF tags to instead using cfhttp to call the Solr engine, since those tags all result in an HTTP call to the Solr engine. And you may HAVE to if CF can no longer call to a newer Solr engine you may implement. I can help those interested in pursuing that, both in seeing what CF generates (it's logged by the Solr/Jetty implementation), and even in seeing how you could use this capability to do even MORE powerful things than the CF tags alone, especially cfsearch, offer.

5) And of course, if what I offer here does not suffice or they don't respond here, you could file a ticket at tracker.adobe.com. I can confirm I did a search for Solr in either the title or description and see none since July 2021. If you do open one, add a link to the ticket here, for others to follow along, vote, etc. Or you can send an email to cfsup@adobe.com.

Either way, do be specific about what minimum Solr update you need them to be at to pass the scans. And don't presume others have already reported it. Too many take that stance and only mutter about things lacking in CF. As the saying goes, it's better to light one candle than to curse the darkness.

/Charlie (troubleshooter, carehart.org)

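Option 3 in the reply above hinges on one question: does the code base actually reference cfsearch/cfindex/cfcollection or cfhtmltopdf? The following is an added example (not Charlie's, not Adobe's, and not what cfpm does internally) that walks a CFML tree and reports which of those names appear, grouped by the cfpm package names the reply mentions ("search" and "htmltopdf"). The file extensions, the regex and the sample files are assumptions made for the example; the sample code base is constructed inline. Treat a clean result as a hint only, since the regex also fires on tag names inside comments and strings, and confirm with cfpm's own scan before uninstalling the add-on service.

```python
"""Triage a CFML code tree for features that depend on the ColdFusion Add-on
Service (Solr search and cfhtmltopdf) before deciding whether to uninstall it.

Added example for this thread; not Adobe code and not cfpm's logic. The tag
names and the cfpm package names ("search", "htmltopdf") come from the thread;
the extensions, regex and sample files are assumptions made for the example.
"""
import os
import re
import tempfile
from collections import defaultdict

# Tag / script-function names that depend on the add-on service, keyed by the
# cfpm package the thread says provides them.
ADDON_FEATURES = {
    "search": ("cfsearch", "cfindex", "cfcollection"),
    "htmltopdf": ("cfhtmltopdf",),
}
CFML_EXTENSIONS = (".cfm", ".cfc", ".cfml")   # assumed file types to scan

# One pattern per package; \b catches both <cfsearch ...> (tag syntax) and
# cfsearch(...) (script syntax) while skipping identifiers like cfsearchResults.
_PATTERNS = {
    pkg: re.compile(r"\b(?:" + "|".join(names) + r")\b", re.IGNORECASE)
    for pkg, names in ADDON_FEATURES.items()
}


def scan_file(path):
    """Return {package: [line_numbers]} for one CFML file."""
    hits = defaultdict(list)
    with open(path, encoding="utf-8", errors="replace") as fh:
        for lineno, line in enumerate(fh, 1):
            for pkg, pattern in _PATTERNS.items():
                if pattern.search(line):
                    hits[pkg].append(lineno)
    return dict(hits)


def scan_tree(root):
    """Walk a code base; return {package: {relative_path: [line_numbers]}}."""
    report = defaultdict(dict)
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(CFML_EXTENSIONS):
                continue
            path = os.path.join(dirpath, name)
            for pkg, lines in scan_file(path).items():
                report[pkg][os.path.relpath(path, root)] = lines
    return dict(report)


def addon_removable(report):
    """True when nothing references either package, i.e. the add-on service
    (and with it the bundled Solr) can be uninstalled without breaking code."""
    return not any(report.get(pkg) for pkg in ADDON_FEATURES)


# Constructed sample code base (not taken from the thread) to exercise the scan.
SAMPLE_FILES = {
    "search/results.cfm": (
        '<cfsearch collection="docs" criteria="#form.q#" name="hits">\n'
        "<cfoutput>#hits.recordCount#</cfoutput>\n"
    ),
    "admin/reindex.cfc": (
        "component {\n"
        "  function rebuild() {\n"
        '    cfindex(collection="docs", action="refresh", type="path");\n'
        "  }\n"
        "}\n"
    ),
    "reports/invoice.cfm": '<cfhtmltopdf source="invoice.cfm" destination="out.pdf"/>\n',
    "static/readme.txt": "cfsearch is mentioned here but this file is not CFML\n",
}


def build_sample_tree():
    """Write SAMPLE_FILES under a fresh temp directory and return its path."""
    root = tempfile.mkdtemp(prefix="cfml-scan-")
    for rel, body in SAMPLE_FILES.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    report = scan_tree(root)
    for pkg, files in sorted(report.items()):
        print(f"package '{pkg}' is needed by:")
        for rel, lines in sorted(files.items()):
            print(f"  {rel}: lines {lines}")
    print("add-on service removable:", addon_removable(report))
```

Run it against your real web root instead of the constructed tree by calling scan_tree("/path/to/wwwroot"). If either package comes back with hits, uninstalling the add-on service will break that code; an empty report for both packages is the situation in which the reply above says removal is an option.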
Community Expert, Apr 11, 2022

Receiving vulnerability scan issue with SOLR version in ColdFusion 2022. ...

By @johnthomas

Just to be sure, do you mean ColdFusion 2021?

Community Expert, Apr 11, 2022


Note that he says 2021 in the subject.

Do either of you have a comment on all that I offered in reply, that day he asked?

/Charlie (troubleshooter, carehart.org)

Community Expert, Apr 11, 2022

Receiving vulnerability scan issue with SOLR version in ColdFusion 2022. Seems to be 5. version and current version is SOLR 8.11

...

scan shows

Apache Solr < 8.4.0 Remote Code Execution

By @johnthomas

The current SOLR version is 8.11.1. The version you mention, 8.11, has itself been found to be vulnerable. See Solr Security News.

Is there a way to upgrade or will Adobe add it to next CF hotfix

By @johnthomas

The way I see it, Adobe's ColdFusion Team is best placed to answer that. So I shall not comment, except to make a suggestion to fellow developers.

If you follow the above Solr link, you will see the mitigation strategy recommended for the vulnerability identified in each of the latest Solr versions. Implementing one or more of these - if and where possible - might just be sufficient in your case.

Community Expert, Apr 11, 2022


BKBK, can you please clarify if you are stating things in CONTRAST to what I said above, or simply without any regard to it? It's unclear and may help others trying to follow along with our mutual attempts to help here.


/Charlie (troubleshooter, carehart.org)

Community Expert, Apr 12, 2022


BKBK, can you please clarify if you are stating things in CONTRAST to what I said above, or simply without any regard to it?

By @Charlie Arehart

Neither. What I said is clear enough, I would imagine: "The way I see it, Adobe's ColdFusion Team is best placed to answer that. So I shall not comment, except to make a suggestion to fellow developers."

Community Expert, Apr 12, 2022


If it was that clear, I wouldn't have asked. 


/Charlie (troubleshooter, carehart.org)

Community Beginner, Apr 11, 2022


OK, thanks, but it would be nice if Adobe, in offering integrated add-ons, kept them reasonably current so the vulnerability scans do not show the components getting close to out of support, at least within the current major release level. I just initially needed to deal with a security scan requesting that we patch to current release level 8.4 or newer. I just wanted to know if there was an option; since it runs as an add-on, I did not know if there were different patching options outside the 'hotfix' process.

Community Expert, Apr 12, 2022


Understood, John. And it's indeed unfortunate that Adobe has been silent on this thread, as only they can fix the engine as offered.

But you go on to say, "Just wanted to know if there was an option", and I offered you many, whether you want to keep and update or get rid of the features. Will you be trying any of them, or do you still feel at a loss on how best to proceed?

If the latter, please elaborate. As you can tell, I am trying sincerely to not leave you hanging. And you're not alone in the challenge, so others will be watching this thread, now or in the future.

/Charlie (troubleshooter, carehart.org)

Explorer, Sep 13, 2023


Charlie,

Thanks for explaining the options here. Our app doesn't use SOLR. Usually we just deselect it when installing CF. I have one test server that got it by mistake and I want to remove it. Will running uninstall on "Add-on Services" remove SOLR and only SOLR? I am just concerned that it may remove more than intended. Alternatively is there a way to remove it using cfpm.bat? My installed package list doesn't show anything that looks like SOLR.

Thanks,

Todd

Community Expert, Sep 13, 2023


Todd, yes, you could uninstall that--which would offer to uninstall both the Solr and pdfg (cfhtmltopdf) support in that.

Or those on CF2021 and above can indeed use cfpm, where it's the "search" (not solr) package you'd remove.

I appreciate that such things are not as obvious as they could be. I don't work for Adobe and can't make any improvements, so I help here and elsewhere as I can. 🙂

/Charlie (troubleshooter, carehart.org)

Explorer, Jul 13, 2023


@johnthomas may I ask how you were able to remediate this issue?  I have a vulnerability scan result indicating Solr 7.2.1 is running.

Community Expert, Jul 13, 2023


While you await hearing if John ever did remediate his issue (since his last reply here in Apr 2022), or in particular if he may not reply, I will point you to what I said in the first reply above. Those options would seem your only ones, for getting Solr on CF2021 to be later than 7.2.1 (which is still all it is, even as of having this week's CF2021 update 7 applied).

Or as BKBK shared also that week, there is a page of Apache-provided Solr "tweaks" one can do to address vulns, without changing the version. That won't satisfy those with a mandate to get to a higher version, but it may help those sincerely wanting to "mitigate known Solr vulns".

Finally, to those who feel you "must do something" to get to a newer version, can you report if you are trying what I proposed originally? I get that you may "prefer Adobe just handle it". BTW, they do in CF2023 at least (which came out in May): it now runs with Solr 8.11.2. Just no telling if/when they may update the Solr within CF2021. They never announce such things.

/Charlie (troubleshooter, carehart.org)

Community Beginner, Jul 13, 2023


Ended up uninstalling all the add-ins and went with a stand-alone SOLR install. The hooks to ColdFusion are not there, but it is clear on scans and we can manage the release and patching as they become available.

It would help if Adobe would treat the add-ins as a component that needs to get managed with updates, since it does impact them when corporate/government scans show this as a component of Adobe/CF.

Community Expert, Jul 13, 2023


Thanks for confirming, John. Glad you got things sorted. Installing that other Solr of your own was one of the original suggestions I'd made above. I've just tweaked that reply a bit to bold some points and add section numbering there to help readers, and I also added how in switching to such a more recent Solr engine, you may have to (as you found) switch to using cfhttp to make calls to Solr, which is what the CF Solr tags end up doing under the covers. And sometimes using cfhttp lets you do even MORE than CF provided.

Finally, I hope you won't mind that I edited your last response for some typos/grammatical errors. I have the capability to edit others' posts but I almost never do it, as some would be offended--even just for correcting clear mistakes. I took the chance this time, since I was going to reply here to you anyway.

/Charlie (troubleshooter, carehart.org)

Explorer, Jul 14, 2023


Our path will be to uninstall the "Add on services" as this particular instance does not make use of Solr.

Adobe Employee, Jul 17, 2023 (marked as correct answer)


@ccsimmons_FAVER  Have you visited this article - https://helpx.adobe.com/coldfusion/kb/upgrade-solr-security-coldfusion.html  ?

Thanks,
Priyank Shrivastava

Explorer, Jul 18, 2023


This is the solution for this issue.  I was able to upgrade Solr for ColdFusion 2021 with the help of the article above.

New Here, Aug 15, 2023


We have applied the fix as listed above but still show up on the NESSUS scans. Is anyone else experiencing this issue? There is one step in those instructions that didn't apply to our Windows installs (step 1), since the /templates/conf dir doesn't exist off of SOLR_HOME on any of our 4 installs. We found the schema.xml file in the SOLR_HOME/conf folder, NOT in the SOLR_HOME/templates/conf folder.

Adobe Employee, Aug 16, 2023


Hi @DeW

Can you please check what version it is showing in the Nessus scan? If you have followed the steps and it is still showing the old version, then you need to clear the extracted files. Go to \ColdFusion2021\cfusion\jetty\work, delete all the folders, and restart the Add-on service.

Thanks,
Priyank Shrivastava

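Before re-running a scanner, it is worth asking the add-on service's own Solr which version it is serving, since the reply above describes exactly the case where the jars on disk are new but Jetty is still serving the previously extracted copy. The following is an added example (not Adobe's or Apache's code, and not a reproduction of how Nessus fingerprints Solr): it reads the stock Solr admin handler /solr/admin/info/system, pulls lucene.solr-spec-version, and compares it with the 8.4.0 threshold from the scan finding quoted in the question. The default base URL follows the http://host:8993/solr address mentioned later in this thread; the two response bodies are constructed for the example and are not captures from a real server.

```python
"""Check which Solr version the ColdFusion Add-on Service actually runs, by
asking the service itself rather than trusting the files on disk.

Added example for this thread; not Adobe or Apache code. The endpoint
(/solr/admin/info/system) and the lucene.solr-spec-version field are standard
Solr; the port defaults to 8993 as in the thread; the 8.4.0 threshold is the
one from the "Apache Solr < 8.4.0" scan finding. SAMPLE_OLD/SAMPLE_NEW are
constructed response bodies, not captures.
"""
import json
import re
import urllib.request

SYSTEM_INFO_PATH = "/solr/admin/info/system?wt=json"
SCAN_MINIMUM = "8.4.0"   # threshold from the scan finding in the question


def parse_version(text):
    """'8.11.2' -> (8, 11, 2); tolerates suffixes such as '8.11.2-SNAPSHOT'
    and short forms such as '7.2' (missing components count as 0)."""
    m = re.match(r"\s*(\d+)(?:\.(\d+))?(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unparseable Solr version: {text!r}")
    return tuple(int(part or 0) for part in m.groups())


def reported_version(system_info_json):
    """Extract the Solr spec version from an admin/info/system response body."""
    info = json.loads(system_info_json)
    try:
        return info["lucene"]["solr-spec-version"]
    except (KeyError, TypeError):
        raise ValueError("response carries no lucene.solr-spec-version; "
                         "is this really Solr's system handler?")


def assess(system_info_json, minimum=SCAN_MINIMUM):
    """Return (version_string, meets_minimum) for one response body."""
    version = reported_version(system_info_json)
    return version, parse_version(version) >= parse_version(minimum)


def assess_live(base_url="http://localhost:8993", timeout=5):
    """Query a running add-on service. Network call; not exercised by tests."""
    with urllib.request.urlopen(base_url + SYSTEM_INFO_PATH, timeout=timeout) as resp:
        return assess(resp.read().decode("utf-8"))


# Constructed response bodies showing the shape Solr returns; only the fields
# this script reads are filled in with realistic values.
SAMPLE_OLD = json.dumps({
    "responseHeader": {"status": 0, "QTime": 12},
    "mode": "std",
    "lucene": {"solr-spec-version": "7.2.1",
               "solr-impl-version": "7.2.1 (constructed sample)",
               "lucene-spec-version": "7.2.1"},
})
SAMPLE_NEW = json.dumps({
    "responseHeader": {"status": 0, "QTime": 9},
    "mode": "std",
    "lucene": {"solr-spec-version": "8.11.2",
               "solr-impl-version": "8.11.2 (constructed sample)",
               "lucene-spec-version": "8.11.2"},
})

if __name__ == "__main__":
    for label, body in (("before upgrade", SAMPLE_OLD), ("after upgrade", SAMPLE_NEW)):
        version, ok = assess(body)
        print(f"{label}: service reports Solr {version}; "
              f"{'meets' if ok else 'BELOW'} scan minimum {SCAN_MINIMUM}")
```

On a real server call assess_live("http://host:8993") after the upgrade. If it still returns the old version, that is the symptom the reply above describes: clear the folders under cfusion\jetty\work, restart the Add-on service, and query again. If the handler returns an error page rather than JSON, reported_version raises instead of guessing, which is the right outcome for a check that feeds a compliance decision.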
New Here, Aug 16, 2023


Hi @Priyank Shrivastava. I appreciate the quick reply. I realized my issue was the location of SOLR_HOME; it is NOT \cfusion\jetty\solr but in fact \cfusion\jetty\multicore. This was my mistake, but it could be made more clear in the update instructions. We had luck upgrading 1 of 3 of our servers, but SOLR wasn't being used on that server. Our other instances that were using SOLR heavily within their ColdFusion codebase are all reporting: "Unable to retrieve collections from the search collections from the Search Services AND Ensure that you have installed Coldfusion Search Service and it is running". When accessing the SOLR webpage at http://host:8993/solr on the affected servers, there is an error message: "HTTP ERROR 404 java.servlet.UnavailableException: Error processing the request. CoreContainer is either not initialized or shutting down". We have tried reverting back to the previous version and have had no luck doing that either. We are now stuck, please help.
