Solr^™ News¶

You may also read these news as an ATOM feed.

25 October 2024, Solr 8 reaches End-Of-Life ¶

With Lucene 10 having been released, and therefore Lucene 8 reaching EOL, the Apache Lucene and Solr PMCs are no longer able to provide new releases for Solr 8. Solr 8.11.4 will be the last release of Solr 8.

Users are strongly recommended to upgrade to Solr 9, and prepare for the soon-to-be-released Solr 10.

14 October 2024, CVE-2024-45216: Apache Solr: Authentication bypass possible using a fake URL Path ending ¶

Severity:
Critical

Versions Affected:

Apache Solr 5.3.0 before 8.11.4
Apache Solr 9.0.0 before 9.7.0

Description:
Improper Authentication vulnerability in Apache Solr.

Solr instances using the PKIAuthenticationPlugin, which is enabled by default when Solr Authentication is used, are vulnerable to Authentication bypass. A fake ending at the end of any Solr API URL path, will allow requests to skip Authentication while maintaining the API contract with the original URL Path. This fake ending looks like an unprotected API path, however it is stripped off internally after authentication but before API routing.

Mitigation:
Users are recommended to upgrade to version 9.7.0, or 8.11.4, which fix the issue.

Credit: Liu Huajin (reporter)

References:
JIRA - SOLR-17417
CVE - CVE-2024-45216

14 October 2024, CVE-2024-45217: Apache Solr: ConfigSets created during a backup restore command are trusted implicitly ¶

Severity:
Moderate

Versions Affected:

Apache Solr 6.6.0 before 8.11.4
Apache Solr 9.0.0 before 9.7.0

Description:

Insecure Default Initialization of Resource vulnerability in Apache Solr.

New ConfigSets that are created via a Restore command, which copy a configSet from the backup and give it a new name, are created without setting the "trusted" metadata. ConfigSets that do not contain the flag are trusted implicitly if the metadata is missing, therefore this leads to "trusted" ConfigSets that may not have been created with an Authenticated request. "trusted" ConfigSets are able to load custom code into classloaders, therefore the flag is supposed to only be set when the request that uploads the ConfigSet is Authenticated & Authorized.

Mitigation:
This issue affects Apache Solr: from 6.6.0 before 8.11.4, from 9.0.0 before 9.7.0. This issue does not affect Solr instances that are secured via Authentication/Authorization.

Users are primarily recommended to use Authentication and Authorization when running Solr. However, upgrading to version 9.7.0, or 8.11.4 will mitigate this issue otherwise.

Credit: Liu Huajin (reporter)

References:
JIRA - SOLR-17418
CVE - CVE-2024-45217

24 September 2024, Apache Solr™ 8.11.4 available ¶

The Lucene and Solr PMCs are pleased to announce the release of Apache Solr 8.11.4.

Solr is the blazing-fast, open source, multi-modal search platform built on Apache Lucene. It powers full-text, analytics, and geospatial search at many of the world's largest organizations. Other major features include Kubernetes and docker integration, streaming, highlighting, faceting, and spellchecking.

Solr 8.11.4 is available for immediate download at:

https://solr.apache.org/downloads.html

Solr 8.11.4 Release Highlights:

ConfigSets created during a backup restore command are no longer trusted implicitly
Removed the ability to bypass authentication using a fake URL path ending
The jetty-transport-classes-epoll jar has been added to the server lib directory

Please refer to the Upgrade Notes in the Solr Ref Guide for information on upgrading from previous Solr versions:

https://solr.apache.org/guide/8_11/solr-upgrade-notes.html

Please read CHANGES.txt for a full list of bugfixes:

https://solr.apache.org/docs/8_11_4/changes/Changes.html

Solr 8.11.4 also includes bugfixes in the corresponding Apache Lucene release:

https://lucene.apache.org/core/8_11_4/changes/Changes.html

9 September 2024, Apache Solr™ 9.7.0 available ¶

The Solr PMC is pleased to announce the release of Apache Solr 9.7.0.

Solr is the blazing-fast, open source, multi-modal search platform built on Apache Lucene. It powers full-text, vector, analytics, and geospatial search at many of the world's largest organizations. Other major features include Kubernetes and docker integration, streaming, highlighting, faceting, and spellchecking.

The release is available for immediate download at:

https://solr.apache.org/downloads.html

Solr 9.7.0 Release Highlights

DocValues enabled by default - Most fields/fieldTypes that support docValues will have them enabled by default in the latest schema version 1.7. This does not affect users who upgrade to this Solr version without updating their schema version.
New "vectorSimilarity" QParser for matching documents based on a minimum vector similarity threshold
Prometheus formatted metrics can now be exposed directly by Solr via ‘wt=prometheus’. There were improvements to the Prometheus Exporter as well.
Limits / guard-rails for short prefix queries and for too many fields.
Authentication improvements for the "MultiAuth" plugin. And the Subquery transformer now support basic auth.
Solr CLI adopts "kebab" formatting for long options. For example "-solrURL" becomes "--solr-url". Previous style commands continue to be supported in 9x and will be removed in 10x.
Solr CLI now supports all the ZooKeeper related operations that required the use of "zkcli.sh" including linkconfig, cluster, and updateacls commands.

Performance improvements:

Opt-in multithreaded search execution- Users can enable concurrent segment searching for reduced latency
Apache Lucene upgraded to 9.11.1 introducing tremendous performance improvements when using Java 21 for vector search among other things.
On Linux and Mac platforms with Java 21, MMapDirectory will now also use POSIX madvise for better paging and read-ahead of index files.
Reduced heap usage especially for high-core-count, high-field-count, high-thread-count cases for stored fields.
Async backup/restore and other operations scale to 100+ shards via tweaks to core asyncId caching.

There were more changes and details to read; that was just an editorialized summary.

Read CHANGES.txt for a detailed list of changes:

https://solr.apache.org/docs/9_7_0/changes/Changes.html

When upgrading, always read the upgrade notes:

https://github.com/apache/solr/blob/main/solr/solr-ref-guide/modules/upgrade-notes/pages/major-changes-in-solr-9.adoc#solr-97

Thanks to all contributors:

David Smiley, Eric Pugh, Jason Gerlowski, hossman, Houston Putman, Pierre Salagnac, Christine Poerschke, Christos Malliaridis, Michael Gibney, Sanjay Dutt, Yohann Callea, janhoy, Liu Huajin, Andrey Bozhko, Lamine Idjeraoui, Ishan Chattopadhyaya, Mark Miller, noble, Gus Heck, Matthew Biscocho, Alexey Serba, Rafał Harabień, Eivind Bergstøl, Calvin Smith, Tomás Fernández Löbbe, @charlygrappa, Alastair Porter, ellaeln, Patson Luk, Vinayak Hegde, Kevin Risden, Rudy Seitz, @hgdharold, Bostoi, Torsten Bøgh Köster, Hakan Özler, Andy Webb, Stephen Woods, Anshum Gupta

29 May 2024, Apache Solr™ 9.6.1 available ¶

The Solr PMC is pleased to announce the release of Apache Solr 9.6.1.

Solr is the popular, blazing fast, open source NoSQL search platform from the Apache Solr project. Its major features include powerful full-text search, hit highlighting, faceted search, dynamic clustering, database integration, rich document handling, and geospatial search. Solr is highly scalable, providing fault tolerant distributed search and indexing, and powers the search and navigation features of many of the world's largest internet sites.

Solr 9.6.1 is available for immediate download at:

https://solr.apache.org/downloads.html

Solr 9.6.1 Release Highlights:

Core loading at startup is no longer capped at 60 seconds
Replicas are ensured to be marked as down when a Solr node is started
'Illegal character in query' exception in the new HttpJdkSolrClient has been fixed
Performance regression for aliases in SolrJ has been fixed via partially reverting a recent change
Fixed debugging of Rerank Queries when reRankScale is used
System file separator is now used in CachingDirectoryFactory, instead of '/', fixing a regression on Windows

Please refer to the Upgrade Notes in the Solr Ref Guide for information on upgrading from previous Solr versions:

https://solr.apache.org/guide/solr/9_6/upgrade-notes/solr-upgrade-notes.html

Please read CHANGES.txt for a full list of bugfixes:

https://solr.apache.org/9_6_1/changes/Changes.html

Thanks to all contributors!

hossman, Houston Putman, Jan Høydahl, Andy Webb, Christine Poerschke, Aparna Suresh, David Smiley, Vincent Primault

27 April 2024, Apache Solr™ 9.6.0 available ¶

The Solr PMC is pleased to announce the release of Apache Solr 9.6.0.

Solr 9.6.0 is available for immediate download at:

https://solr.apache.org/downloads.html

Solr 9.6.0 Release Highlights:

Solrj now offers a lightweight client based on java.net.http.HttpClient: HttpJdkSolrClient
SolrJ now offers an improved async request API
Inactive shards (from splits) can now be cleaned up periodically
Distributed (sharded) IDF can be disabled via request parameter
Query timeouts (limits) may now be based on either CPU time as well as wall clock
Upgraded Lucene to 9.10.0
bin/solr post now supports --dry-run mode.

Please refer to the Upgrade Notes in the Solr Ref Guide for information on upgrading from previous Solr versions:

https://solr.apache.org/guide/solr/9_6/upgrade-notes/solr-upgrade-notes.html

Please read CHANGES.txt for a full list of new features, changes and bugfixes:

https://solr.apache.org/9_6_0/changes/Changes.html

Thanks to all contributors!

hossman, David Smiley, Michael Gibney, Paul McArthur, Jan Høydahl, James Dyer, Eric Pugh, Andrey Bozhko, Andrzej Bialecki, Rahul Goswami, Bruno Roustant, Jason Gerlowski, Sanjay Dutt, Vincent Primault, Christine Poerschke, Gus Heck, Shawn Heisey, Vincenzo D'Amore, Yohann Callea, Julien Pilourdault, Wei Wang, Mikhail Khludnev, Antoine Bursaux, Rishi Sankar, Pierre Salagnac, Aparna Suresh, Alessandro Benedetti, Mathieu Marie, Przemyslaw Ciezkowski

12 April 2024, CVE-2024-31391: Solr-Operator liveness and readiness probes may leak basic auth credentials ¶

Severity:
Moderate

Versions Affected:
Solr Operator 0.3.0 to 0.8.0

Description: Insertion of Sensitive Information into Log File vulnerability in the Apache Solr Operator.

The Solr sked to bootstrap Solr security, the operator will enable basic authentication and create several accounts for accessing Solr: including the "solr" and "admin" accounts for use by end-users, and a "k8s-oper" account which the operator uses for its own requests to Solr. One common source of these operator requests is healthchecks: liveness, readiness, and startup probes are all used to determine Solr's health and ability to receive traffic. By default, the operator configures the Solr APIs used for these probes to be exempt from authentication, but users may specifically request that authentication be required on probe endpoints as well. Whenever one of these probes would fail, if authentication was in use, the Solr Operator would create a Kubernetes "event" containing the username and password of the "k8s-oper" account.

Within the affected version range, this vulnerability affects any solrcloud resource which (1) bootstrapped security through use of the .solrOptions.security.authenticationType=basic option, and (2) required authentication be used on probes by setting .solrOptions.security.probesRequireAuth=true.

Mitigation: Users are recommended to upgrade to Solr Operator version 0.8.1, which fixes this issue by ensuring that probes no longer print the credentials used for Solr requests. Users may also mitigate the vulnerability by disabling authentication on their healthcheck probes using the setting .solrOptions.security.probesRequireAuth=false.

References:
JIRA - SOLR-17216
CVE - CVE-2024-31391

12 February 2024, Apache Solr™ 9.5.0 available ¶

The Solr PMC is pleased to announce the release of Apache Solr 9.5.0.

Solr 9.5.0 is available for immediate download at:

https://solr.apache.org/downloads.html

Solr 9.5.0 Release Highlights:

Solr now supports "node-level" Memory and CPU circuit breakers, that serve as a default inherited by all cores on that node.
Collection and Replica Properties may now be used as property substitution variables in configuration files (e.g. solrconfig.xml).
Solr now auto-reloads updated keystore and truststore files when TLS is enabled.
Tracing support has received a number of quality-of-life improvements, including improved tracking of distributed collection commands and increased coverage for internal requests made with the Apache and Jetty HTTP clients.
Solr now offers the <clusterSingleton> solr.xml tag as a means of configuring node-level plugins in an "immutable infrastructure"-friendly way. This offers an alternative to using the /cluster/plugins API for managing plugins in "live" clusters.
Starting with 9.5.0, Solr releases now produce an OpenAPI specification covering many of their v2 APIs. Consumers may use this spec with an array of OpenAPI-compatible tooling to generate documentation, clients in various programming languages, etc. See https://www.openapis.org/what-is-openapi for more details.

Please refer to the Upgrade Notes in the Solr Ref Guide for information on upgrading from previous Solr versions:

https://solr.apache.org/guide/solr/9_5/upgrade-notes/solr-upgrade-notes.html

Please read CHANGES.txt for a full list of new features, changes and bugfixes:

https://solr.apache.org/9_5_0/changes/Changes.html

8 February 2024, Apache Solr™ 8.11.3 available ¶

The Lucene and Solr PMCs are pleased to announce the release of Apache Solr 8.11.3.

Solr is the popular, blazing fast, open source NoSQL search platform from the Apache Lucene project. Its major features include powerful full-text search, hit highlighting, faceted search, dynamic clustering, database integration, rich document handling, and geospatial search. Solr is highly scalable, providing fault tolerant distributed search and indexing, and powers the search and navigation features of many of the world's largest internet sites.

Solr 8.11.3 is available for immediate download at:

https://lucene.apache.org/solr/downloads.html

Solr 8.11.3 Release Highlights:

Security

Converted enableRemoteStreaming and enableStreamBody solrconfig options into system properties and env vars.
Restrict certain file types from being uploaded to or downloaded from Config Sets
ZK Credentials and ACLs are no longer sent to all ZK Servers when using Streaming Expressions. They will only be used when sent to the default ZK Host.
Schema Designer now correctly manages trust of the ConfigSets it is managing.
More sysProps are redacted in the UI by default.
Upgrades of various client libraries, including Jetty, Tika, Netty and Calcite.

Bugfixes

TLOGs on TLOG replicas no longer grow continuously.
Various fixes for clusters using PRS.
Collection RENAME api no longer creates broken alias.
Using Schema/Config API no longer breaks the File-Upload of Config Set File.
Fixed NPE in FieldLengthFeature with non-stored/missing fields.
HEAD request for managed resource no longer returns 500 Server Error.

Features

AWS STS support has been added for the s3-repository module.
Node roles and dedicated query coordinator nodes have been added.

Please refer to the Upgrade Notes in the Solr Ref Guide for information on upgrading from previous Solr versions:

https://solr.apache.org/guide/8_11/solr-upgrade-notes.html

Please read CHANGES.txt for a full list of bugfixes:

https://solr.apache.org/docs/8_11_3/changes/Changes.html

Solr 8.11.3 also includes bugfixes in the corresponding Apache Lucene release:

https://lucene.apache.org/core/8_11_3/changes/Changes.html

8 February 2024, CVE-2023-50291: Apache Solr can leak certain passwords due to System Property redaction logic inconsistencies ¶

Severity:
Moderate

Versions Affected:

Apache Solr 6.0.0 through 8.11.2
Apache Solr 9.0.0 before 9.3.0

Description:
Insufficiently Protected Credentials vulnerability in Apache Solr.

This issue affects Apache Solr: from 6.0.0 through 8.11.2, from 9.0.0 before 9.3.0. One of the two endpoints that publishes the Solr process' Java system properties, /admin/info/properties, was only setup to hide system properties that had "password" contained in the name. There are a number of sensitive system properties, such as "basicauth" and "aws.secretKey" do not contain "password", thus their values were published via the "/admin/info/properties" endpoint. This endpoint populates the list of System Properties on the home screen of the Solr Admin page, making the exposed credentials visible in the UI.

This /admin/info/properties endpoint is protected under the "config-read" permission. Therefore, Solr Clouds with Authorization enabled will only be vulnerable through logged-in users that have the "config-read" permission. Users are recommended to upgrade to version 9.3.0 or 8.11.3, which fixes the issue. A single option now controls hiding Java system property for all endpoints, "-Dsolr.hiddenSysProps". By default all known sensitive properties are hidden (including "-Dbasicauth"), as well as any property with a name containing "secret" or "password".

Users who cannot upgrade can also use the following Java system property to fix the issue:
-Dsolr.redaction.system.pattern=".*(password|secret|basicauth).*"

Mitigation:
Users are recommended to upgrade to version 8.11.3, 9.3.0 or later, which has consistent systemProperty redaction logic.

Credit: Michael Taggart (reporter)

References:
JIRA - SOLR-16809
CVE - CVE-2023-50291

8 February 2024, CVE-2023-50292: Apache Solr Schema Designer blindly "trusts" all configsets, possibly leading to RCE by unauthenticated users ¶

Severity:
Moderate

Versions Affected:

Apache Solr 6.0.0 through 8.11.2
Apache Solr 9.0.0 before 9.3.0

Description:
Incorrect Permission Assignment for Critical Resource, Improper Control of Dynamically-Managed Code Resources vulnerability in Apache Solr.

This issue affects Apache Solr: from 8.10.0 through 8.11.2, from 9.0.0 before 9.3.0.

The Schema Designer was introduced to allow users to more easily configure and test new Schemas and configSets. However, when the feature was created, the "trust" (authentication) of these configSets was not considered. External library loading is only available to configSets that are "trusted" (created by authenticated users), thus non-authenticated users are unable to perform Remote Code Execution. Since the Schema Designer loaded configSets without taking their "trust" into account, configSets that were created by unauthenticated users were allowed to load external libraries when used in the Schema Designer.

Mitigation:
Users are recommended to upgrade to version 8.11.3, 9.3.0 or later.

Credit: Skay (reporter)

References:
JIRA - SOLR-16777
CVE - CVE-2023-50292

8 February 2024, CVE-2023-50298: Apache Solr can expose ZooKeeper credentials via Streaming Expressions ¶

Severity:
Low

Versions Affected:

Apache Solr 6.0.0 through 8.11.2
Apache Solr 9.0.0 before 9.4.1

Description:
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Solr.This issue affects Apache Solr: from 6.0.0 through 8.11.2, from 9.0.0 before 9.4.1.

Solr Streaming Expressions allows users to extract data from other Solr Clouds, using a "zkHost" parameter. When original SolrCloud is setup to use ZooKeeper credentials and ACLs, they will be sent to whatever "zkHost" the user provides. An attacker could setup a server to mock ZooKeeper, that accepts ZooKeeper requests with credentials and ACLs and extracts the sensitive information, then send a streaming expression using the mock server's address in "zkHost". Streaming Expressions are exposed via the "/streaming" handler, with "read" permissions.

Mitigation:
Users are recommended to upgrade to version 8.11.3 or 9.4.1, which fix the issue. From these versions on, only zkHost values that have the same server address (regardless of chroot), will use the given ZooKeeper credentials and ACLs when connecting.

Credit: Qing Xu (reporter)

References:
JIRA - SOLR-17098
CVE - CVE-2023-50298

8 February 2024, CVE-2023-50386: Apache Solr: Backup/Restore APIs allow for deployment of executables in malicious ConfigSets ¶

Severity:
Moderate

Versions Affected:

Apache Solr 6.0.0 through 8.11.2
Apache Solr 9.0.0 before 9.4.1

Description:
Improper Control of Dynamically-Managed Code Resources, Unrestricted Upload of File with Dangerous Type, Inclusion of Functionality from Untrusted Control Sphere vulnerability in Apache Solr.This issue affects Apache Solr: from 6.0.0 through 8.11.2, from 9.0.0 before 9.4.1.

In the affected versions, Solr ConfigSets accepted Java jar and class files to be uploaded through the ConfigSets API. When backing up Solr Collections, these configSet files would be saved to disk when using the LocalFileSystemRepository (the default for backups). If the backup was saved to a directory that Solr uses in its ClassPath/ClassLoaders, then the jar and class files would be available to use with any ConfigSet, trusted or untrusted.

When Solr is run in a secure way (Authorization enabled), as is strongly suggested, this vulnerability is limited to extending the Backup permissions with the ability to add libraries.

Mitigation:
Users are recommended to upgrade to version 8.11.3 or 9.4.1, which fix the issue. In these versions, the following protections have been added:

Users are no longer able to upload files to a configSet that could be executed via a Java ClassLoader.
The Backup API restricts saving backups to directories that are used in the ClassLoader.

Credit: L3yx (reporter)

References:
JIRA - SOLR-16949
CVE - CVE-2023-50386

18 January 2024, Apache Solr™ 9.4.1 available ¶

The Solr PMC is pleased to announce the release of Apache Solr 9.4.1.

Solr 9.4.1 is available for immediate download at:

https://solr.apache.org/downloads.html

Solr 9.4.1 Release Highlights:

A big regression to the JSON Query API in 9.4 is primarily what prompted this release. Additionally, some security oriented improvements/fixes have been added, and many transitive dependencies have been upgraded.

Please refer to the Upgrade Notes in the Solr Ref Guide for information on upgrading from previous Solr versions:

https://solr.apache.org/guide/solr/9_4/upgrade-notes/solr-upgrade-notes.html

Please read CHANGES.txt for a full list of bugfixes:

https://solr.apache.org/9_4_1/changes/Changes.html

12 January 2024, CVE-2023-50290: Apache Solr allows read access to host environment variables ¶

Severity:
Important

Versions Affected:
Solr 9.0 to 9.2.1

Description:
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Solr. The Solr Metrics API publishes all unprotected environment variables available to each Apache Solr instance. Users are able to specify which environment variables to hide, however, the default list is designed to work for known secret Java system properties. Environment variables cannot be strictly defined in Solr, like Java system properties can be, and may be set for the entire host, unlike Java system properties which are set per-Java-process.

The Solr Metrics API is protected by the "metrics-read" permission. Therefore, Solr Clouds with Authorization setup will only be vulnerable via users with the "metrics-read" permission.

Mitigation:
Users are recommended to upgrade to version 9.3.0 or later, in which environment variables are not published via the Metrics API.

References:
JIRA - SOLR-15233
CVE - CVE-2023-50290

15 October 2023, Apache Solr™ 9.4.0 available ¶

The Solr PMC is pleased to announce the release of Apache Solr 9.4.0.

Solr 9.4.0 is available for immediate download at:

https://solr.apache.org/downloads.html

Solr 9.4.0 Release Highlights:

The Lucene version used by Solr has been upgraded to 9.8 – see its release notes.
The Jetty version has been updated to 10.0.17 to address CVE-2023-44487
Added support for node-level caches
Circuit Breakers available for Update Requests
A new Circuit breaker for percentage of CPU utilization is added. The former "CPU" circuit breaker is now more correctly named LoadAverageCircuitBreaker as it trips on system load average which is not a percentage.
Solr now includes an always-on trace id generator. This will inject trace id headers for every Solr request, propagating the client supplied value or generating a new id as needed and replaces the existing rid mechanism.
Solr now limits the number of concurrent expensive core operations (such as "backup", "restore", and "split") that are submitted asynchronously by running them in a dedicated thread pool.
Added support of OAuth 2.0/OIDC 'code with PKCE' flow
Multiple bug fixes for TLS and mTLS

Please refer to the Upgrade Notes in the Solr Ref Guide for information on upgrading from previous Solr versions:

https://solr.apache.org/guide/solr/9_4/upgrade-notes/solr-upgrade-notes.html

Please read CHANGES.txt for a full list of new features, changes and bugfixes:

https://solr.apache.org/9_4_0/changes/Changes.html

21 July 2023, Apache Solr™ 9.3.0 available ¶

The Solr PMC is pleased to announce the release of Apache Solr 9.3.0.

Solr 9.3.0 is available for immediate download at:

https://solr.apache.org/downloads.html

Solr 9.3.0 Release Highlights:

The Lucene version used by Solr has been upgraded to 9.7.
Solr releases now have a slim variant, both for the binary release and the docker image.
- The Slim variant is the same as the normal variant, except that it does not include Solr modules or the Prometheus exporter.
Vector Search
- Added support for byte vector encoding in DenseVectorField and KnnQParser
- High dimensional vectors are now supported in Solr
- Solr can now take advantage of SIMD optimizations for Vector calculations, when run with Java 20 or 21.
- A new "vectorSimilarity" function query has been added to calculate similarity scores for DenseVectorFields
Solr now provides an "Install Shard" API to allow users who have built (per-shard) indices offline to import them into SolrCloud shards.
Solr’s experimental "v2" API has seen a number of improvements in the 9.3 release.
- It is now approaching parity with the functionality offered by Solr’s v1 API.
- The v2 API as a whole is being redesigned to be more REST-ful and intuitive
  See the Changelog and upgrade notes for information on which v2 APIs have backward-incompatible changes.
New APIs for MigrateReplicas and BalanceReplicas. These work out-of-the-box with the built-in PlacementPlugins.
- The AffinityPlacementPlugin now supports co-location of shards between collections, using the "withCollectionShards" parameter.
Join Queries may handle equally sharded collections on both sides.
- Collections shards should be collocated via AffinityPlacementPlugin.withCollectionShards
- This operation doesn't support SplitShard
Unknown cores are no longer deleted by default when Solr starts. Use "solr.deleteUnknownCores=true" to use the previous behavior.
Warning: Solr cannot be used with Java 20 on MacOS with the Java Security Manager.
Please use the environment variable SOLR_SECURITY_MANAGER_ENABLED=false when running with Java 20 on MacOS.

Please refer to the Upgrade Notes in the Solr Ref Guide for information on upgrading from previous Solr versions:

https://solr.apache.org/guide/solr/9_3/upgrade-notes/solr-upgrade-notes.html

Please read CHANGES.txt for a full list of new features, changes and bugfixes:

https://solr.apache.org/9_3_0/changes/Changes.html

1 May 2023, Apache Solr™ 9.2.1 available ¶

The Solr PMC is pleased to announce the release of Apache Solr 9.2.1.

Solr 9.2.1 is available for immediate download at:

https://solr.apache.org/downloads.html

Solr 9.2.1 Release Highlights:

Fix Classloading Exception for inter-node requests when using SSL and HTTP2
Use the right cluster property for displaying if TLS is enabled
Fix NPE in SystemInfoHandler for inter-node requests that would cause the Nodes page not to load
Fixing bin/solr's '-noprompt' option to work for examples
Allow custom configuration of Jetty's SecureRequestCustomizer
Fix KerberosPlugin module classloading when using the hadoop-auth module
Fixing SOLR_DATA_HOME to be honored outside of verbose mode
Use the correct instance of ReponseParser for Http2SolrClient.processErrorsAndResponse
Fix Java version detection when _JAVA_OPTIONS is set`

Please refer to the Upgrade Notes in the Solr Ref Guide for information on upgrading from previous Solr versions:

https://solr.apache.org/guide/solr/9_2/upgrade-notes/solr-upgrade-notes.html

Please read CHANGES.txt for a full list of bugfixes:

https://solr.apache.org/9_2_1/changes/Changes.html

24 March 2023, Apache Solr™ 9.2.0 available ¶

The Solr PMC is pleased to announce the release of Apache Solr 9.2.0.

Solr 9.2.0 is available for immediate download at:

https://solr.apache.org/downloads.html

Solr 9.2.0 Release Highlights:

Solr has upgraded to use Jetty 10 instead of Jetty 9.
Solr now includes an opentracing module, with support for OTEL tracing in OTLP format using gRPC.
- This module is meant to replace the jaegertracer-configurator module, which has been deprecated.
The base operating system of the Solr Docker image has been upgraded to Ubuntu 22 (Jammy).
Streaming Expressions have been moved out of Solrj core into its own module called solrj-streaming.
SolrJ Solr clients now use a builder/setter pattern to enable easier setup.
Solr ConfigSet management has been optimized to improve the startup time of nodes with multiple replicas.
SolrJ can again be used with the default Java truststore.
The "Films" example has been updated to demonstrate Dense Vector search.

Please refer to the Upgrade Notes in the Solr Ref Guide for information on upgrading from previous Solr versions:

https://solr.apache.org/guide/solr/9_2/upgrade-notes/solr-upgrade-notes.html

Please read CHANGES.txt for a full list of new features, changes and bugfixes:

https://solr.apache.org/9_2_0/changes/Changes.html

25 January 2023, Apache Solr™ 9.1.1 available ¶

The Solr PMC is pleased to announce the release of Apache Solr 9.1.1.

Solr 9.1.1 is available for immediate download at:

https://solr.apache.org/downloads.html

Solr 9.1.1 Release Highlights:

Bugfixes

SOLR-16589: Fixed issue where large fields with large=true could be truncated when using unicode values
SOLR-16585: Fixed NPE when paginating MatchAllDocs with non-zero start offset, like q=*:*&start=10
SOLR-16165: Fixed rare deadlock in SlotAcc static initialization
SOLR-16622: Fixed issue where replicas could fail to register as active after node restart

Other

SOLR-16443: Upgrade Jackson bom to 2.13.4.20221013
SOLR-16568: Upgrade woodstox-core to 6.4.0
SOLR-16598: Upgrade Protobuf to 3.21.12
SOLR-16567: Fixed problem with filtering and KNN search, especially when using post-filters
SOLR-16588: Fixed problem with default knn algorithm
SOLR-16480: ConfigSets now have an overridable allow-list for filetypes

Please refer to the Upgrade Notes in the Solr Ref Guide for information on upgrading from previous Solr versions:

https://solr.apache.org/guide/solr/9_1/upgrade-notes/solr-upgrade-notes.html

Please read CHANGES.txt for a full list of bugfixes:

https://solr.apache.org/9_1_1/changes/Changes.html

20 November 2022, Apache Solr is vulnerable to CVE-2022-39135 via /sql handler ¶

Versions Affected:
Solr 6.5 to 8.11.2 Solr 9.0

Description:
Apache Calcite has a vulnerability, CVE-2022-39135, that is exploitable in Apache Solr in SolrCloud mode. If an untrusted user can supply SQL queries to Solr’s “/sql” handler (even indirectly via proxies / other apps), then the user could perform an XML External Entity (XXE) attack. This might have been exposed by some deployers of Solr in order for internal analysts to use JDBC based tooling, but would have unlikely been granted to wider audiences.

Impact:
An XXE attack may lead to the disclosure of confidential data, denial of service, server side request forgery (SSRF), port scanning from the Solr node, and other system impacts.

Mitigation:
Most Solr installations don’t make use of the SQL functionality. For such users, the standard Solr security advice of using a firewall should be adequate. Nonetheless, the functionality can be disabled. As of Solr 9, it has been modularized and thus became opt-in, so nothing is needed for Solr 9 users that don’t use it. Users not using SolrCloud can’t use the functionality at all. For other users that wish to disable it, you must register a request handler that masks the underlying functionality in solrconfig.xml like so:

  <requestHandler name="/sql" class="solr.NotFoundRequestHandler"/>

Users needing this SQL functionality are forced to upgrade to Solr 9.1. If Solr 8.11.3 is released, then it will be an option as well. Simply replacing Calcite and other JAR files may mostly work but could fail depending on the particulars of the query. Users interested in this or in patching their own versions of Solr should examine SOLR-16421 for a source patch.

Credit:
Andreas Hubold at CoreMedia GmbH

References:
JIRA - SOLR-16421
CVE - CVE-2022-39135

17 November 2022, Apache Solr™ 9.1.0 available ¶

The Solr PMC is pleased to announce the release of Apache Solr 9.1.0.

Solr 9.1.0 is available for immediate download at:

https://solr.apache.org/downloads.html

Solr 9.1.0 Release Highlights:

Dedicated query coordinator nodes in a Solr cluster
Improvements to admin UI: managing paramsets in queries, managing field types, replica types while collection creation, etc.
Support for rolling up core level metrics to be node level metrics

Please refer to the Upgrade Notes in the Solr Ref Guide for information on upgrading from previous Solr versions:

https://solr.apache.org/guide/solr/9_1/upgrade-notes/solr-upgrade-notes.html

Please read CHANGES.txt for a full list of new features, changes and bugfixes:

https://solr.apache.org/9_1_0/changes/Changes.html

21 October 2022, Java 17 bug affecting Solr ¶

Several users running Solr in production on OpenJDK 17 have experienced JVM crashes due to a known bug in the JDK. Read more about the bug in SOLR-16463.

Known mitigations are to either downgrade to JDK 11 or to start Solr with a Java startup flag that avoids the failure condition. Here is how to manually apply the flag:

Edit your solr.in.sh or solr.in.cmd file to set the SOLR_OPTS environment variable as follows:

Linux:

SOLR_OPTS=-XX:CompileCommand=exclude,com.github.benmanes.caffeine.cache.BoundedLocalCache::put

Windows:

SET SOLR_OPTS=-XX:CompileCommand=exclude,com.github.benmanes.caffeine.cache.BoundedLocalCache::put

Alternatively, you can inject the same flag with the -a argument, e.g:

bin/solr -a "-XX:CompileCommand=exclude,com.github.benmanes.caffeine.cache.BoundedLocalCache::put"

If you run Solr 9 with the official Docker image, we have already pushed an updated Docker image to Docker Hub that will inject the flag for you. Just pull the image again to get it. The Docker image uses the -a option to set this java flag when running Solr, so if you are using the -a option you will need to provide the JVM flag mentioned above in addition to the other flags you are setting.

20 October 2022, Solr 8 Docker image changes to Eclipse Temurin JDK ¶

The official docker image for Solr 8.11 has been running on Oracle OpenJDK 11 JRE. However, due to Oracle's new release policies, they now no longer provide support for JDK11. Since Solr 8.11 is still being supported by the Apache Solr project, we needed to switch to another OpenJDK vendor with JDK11 support. We chose Eclipse Temurin from the Adoptium project. This is the same vendor as we use for our Solr 9 image, and their JDK11 support lasts until October 2024.

Users should be aware that on your next docker pull solr:8.11.2 you will be upgraded. For most users there will be no issues, as it is mainly a new distribution of the same upstream OpenJDK version. However, if you use our image as base image and rely on specific tools to be present, you may need to adapt. While openjdk:11-jre uses Debian GNU/Linux 11 (bullseye), the eclipse-temurin:11-jre-focal image uses Ubuntu 20.04.5 LTS (Focal Fossa).

Furthermore, there is now no difference between the solr:11-jre and solr:11-jre-slim images, because our new vendor only offers one variant which is fairly slim already.

20 October 2022, Solr Docker images now pin the Linux release ¶

Solr 9 was released on May 12th, using the eclipse-temurin:17-jre base image. Thus, we are pinned to Java 17 and Solr's Docker image will thus always use an updated Java 17 version. If you pull the docker image from time to time that is.

However, the base image tag 17-jre did not give us pinning to a specific Ubuntu Linux major release. At the time of Solr 9 release on May 12th it would pull Ubuntu 20.04 (Focal Fossa), but at the end of May, it was auto upgraded to the brand new Ubuntu 22.04 (Jammy Jellyfish). This was not our desire, and we have learnt that due to this, our image is no longer compatible with Docker client versions before 20.10.16. Having a "floating" linux release like this can also break the image in other subtle ways, as well as breaking downstream images using us as a base image.

We therefore decided to start pinning not only Java release, but also Linux release in our official Docker images. This means that Solr 9.0 is once again based on Ubuntu 20.04 Focal, i.e. a downgrade.

Note that our images will still receive important Linux bug fixes from time to time, but you won't get them unless you re-pull the image. When we upgrade to Ubuntu 22.04 in the future, it will be a deliberate decision and not by accident.

17 June 2022, Apache Solr™ 8.11.2 available ¶

The Lucene and Solr PMCs are pleased to announce the release of Apache Solr 8.11.2.

Solr 8.11.2 is available for immediate download at:

https://solr.apache.org/downloads.html

Solr 8.11.2 Release Highlights:

Security

SOLR-15871: Update Log4J to 2.17.1
SOLR-15961: Fix bug in PKIAuthenticationPlugin that can cause a request to fail with 401 Unauthorized instead of re-fetching expired remote keys from other nodes.
SOLR-14569: Configuring a shardHandlerFactory on the /select requestHandler results in HTTP 401 when searching on alias in secured Solr.
SOLR-16022: Enforce special character requirements on passwords with length less than 15
SOLR-16075: ShowFileHandler path parameter is now validated to be relative to instance conf dir in standalone mode

Bugfixes

SOLR-15849: Fix the connection reset problem caused by the incorrect use of 4LW with \n when monitoring zooKeeper status
SOLR-16199: Improve query syntax construction for SQL LIKE clause with phrases and wildcards
SOLR-16143: SolrConfig can miss updates from ZooKeeper when deleting and recreating file items

Please refer to the Upgrade Notes in the Solr Ref Guide for information on upgrading from previous Solr versions:

https://solr.apache.org/guide/8_11/solr-upgrade-notes.html

Please read CHANGES.txt for a full list of bugfixes:

https://solr.apache.org/docs/8_11_2/changes/Changes.html

Solr 8.11.2 also includes bugfixes in the corresponding Apache Lucene release:

https://lucene.apache.org/core/8_11_2/changes/Changes.html

12 May 2022, Apache Solr™ 9.0.0 available ¶

The Solr PMC is pleased to announce the release of Apache Solr 9.0.0.

Solr 9.0.0 is available for immediate download at:

https://solr.apache.org/downloads.html

This is a major-version release with breaking changes. The highlights below is not the full list. Please consult the "Solr Upgrade Notes" when planning an upgrade:

https://solr.apache.org/guide/solr/9_0/upgrade-notes/solr-upgrade-notes.html

Solr 9.0.0 Release Highlights:

Minimum Java version supported: Java 11
Powered by Lucene 9.0, with numerous small and large improvements, such as smaller index footprint.

Querying and Indexing

Dense Vector "Neural" Search through DenseVectorField fieldType and K-Nearest-Neighbor (KNN) Query Parser.
Admin UI support for SQL Querying.
New snowball stemmers: Hindi, Indonesian, Nepali, Serbian, Tamil, and Yiddish.
New NorwegianNormalizationFilter.

Security

Certificate Authentication Plugin lets you authenticate with x509 client certificates.
Upgrade to Zookeeper 3.7, allowing for TLS protected ZK communication.
All request handlers support security permissions for authorization.
Solr now runs with the Java security manager enabled by default.
Solr embedded zookeeper only binds to localhost by default.
A lot of dependency updates make Solr much more secure.

Stability and Scalability

Rate limiting provides a way to throttle update and search requests based on usage metrics.
Task management interface allows declaring tasks as cancellable and trackable.
Ability to specify node roles in Solr. This release supports 'Overseer' and 'Data' roles.
Support for distributed processing of cluster state updates and collection API calls without relying on the Overseer.

Build and Docker

Solr is now built and released independently of Apache Lucene (separate Apache projects).
Build system switched to Gradle from Ant + Ivy.
Docker image creation is now a part of the Apache Solr Github repo.
Docker image documentation is now a part of the reference guide.
Official Docker image upgraded to use JDK17 (by Eclipse Temurin) and ability to create a local image that is functionally identical to the official one.

Deprecations and Removals

The Data Import Handler (DIH) is an independent project now; it is no longer a part of Solr.
No more support for clusterstate.json and MIGRATESTATE API has been removed. If your collections use clusterstate.json, please refer to the Upgrade Notes.
Auto scaling framework has been removed. Please refer to the new Replica Placement Plugins for alternate options.
LegacyBM25SimilarityFactory has been removed.
VelocityResponseWriter is an independent project now; it is no longer a part of Solr. This encompasses all previously included /browse and wt=velocity examples.
Legacy SolrCache implementations (LRUCache, LFUCache, FastLRUCache) have been removed. Users should modify their existing configurations to use CaffeineCache instead.
Cross Data Center Replication has been removed.
SolrJ clients like HttpSolrClient and LBHttpSolrClient that lacked HTTP2 support have been deprecated. The old CloudSolrClient has been renamed as CloudLegacySolrClient and deprecated.
SimpleFSDirectoryFactory is removed in favor of NIOFSDirectoryFactory.

Other

Contrib modules are now just "modules". You can easily enable module(s) through environment variable SOLR_MODULES.
Features lifted out as separate modules are: HDFS, Hadoop-Auth, SQL, Scripting, and JWT-Auth.
The "dist" folder in the release is gone. Module jars are now inside respective module's lib/ folder.
SolrJ class CloudSolrClient now supports HTTP2. It has a new Builder. See CloudLegacySolrClient for the 8.x version of this class
Jetty Request log is now enabled by default, i.e. logging every request.

Please read CHANGES.txt for a full list of new features, changes and bugfixes:

https://solr.apache.org/9_0_0/changes/Changes.html

18 December 2021, CVE-2021-44548: Apache Solr information disclosure vulnerability through DataImportHandler ¶

Severity:
Moderate

Versions Affected:
All versions prior to 8.11.1. Affected platforms: Windows.

Description:
An Improper Input Validation vulnerability in DataImportHandler of Apache Solr allows an attacker to provide a Windows UNC path resulting in an SMB network call being made from the Solr host to another host on the network. If the attacker has wider access to the network, this may lead to SMB attacks, which may result in:

The exfiltration of sensitive data such as OS user hashes (NTLM/LM hashes),
In case of misconfigured systems, SMB Relay Attacks which can lead to user impersonation on SMB Shares or, in a worse-case scenario, Remote Code Execution

This issue affects all Apache Solr versions prior to 8.11.1. This issue only affects Windows.

Mitigation:
Upgrade to Solr 8.11.1, and/or ensure only trusted clients can make requests to Solr's DataImport handler.

Credit:
Apache Solr would like to thank LaiHan of Nsfocus security team for reporting the issue

References:
Jira issue SOLR-15826

16 December 2021, Apache Solr™ 8.11.1 available ¶

The Lucene PMC is pleased to announce the release of Apache Solr 8.11.1.

Solr 8.11.1 is available for immediate download at:

https://lucene.apache.org/solr/downloads.html

Solr 8.11.1 Release Highlights:

Security

Updates bundled log4j2 dependencies to address CVE-2021-44228 (SOLR-15843)
Upgrade jaegertracing to 1.6.0 and libthrift to 0.14.1 to address CVE-2020-13949 (SOLR-15324)

Bugfixes

Fixes to the new Admin UI Security and Schema Designer screens (SOLR-15825, SOLR-15774 and SOLR-15813)
Fix regression in 8.11.0 for the Admin UI Files screen and Velocity (SOLR-15804)
Admin endpoints for Zookeeper now by default protected by zk_read permission (SOLR-15768)
Better default security.json uploaded by bin/solr tool (SOLR-15828)
Switching a PRS collection from true -> false -> true resulted in INACTIVE replicas (SOLR-15794)
Fix REPLACENODE to not use source node when choosing a target node (SOLR-15795)
Fix NPE in pivot facets, add non-Analyzed query method in FieldType (SOLR-8319)
Upgrade Velocity from to v2.3 and Velocity Tools to v3.1 (SOLR-15844)
..and more

Please refer to the Upgrade Notes in the Solr Ref Guide for information on upgrading from previous Solr versions:

https://solr.apache.org/guide/8_11/solr-upgrade-notes.html

Please read CHANGES.txt for a full list of bugfixes:

https://solr.apache.org/docs/8_11_1/changes/Changes.html

10 December 2021, Apache Solr affected by Apache Log4J CVE-2021-44228 ¶

Severity: Critical

Versions Affected: 7.4.0 to 7.7.3, 8.0.0 to 8.11.0

Description: Apache Solr releases prior to 8.11.1 were using a bundled version of the Apache Log4J library vulnerable to RCE. For full impact and additional detail consult the Log4J security page.

Apache Solr releases prior to 7.4 (i.e. Solr 5, Solr 6, and Solr 7 through 7.3) use Log4J 1.2.17 which may be vulnerable for installations using non-default logging configurations that include the JMS Appender, see https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126 for discussion.

Solr's Prometheus Exporter uses Log4J as well but it does not log user input or data, so we don't see a risk there.

Solr is not vulnerable to the followup CVE-2021-45046 and CVE-2021-45105. A listing of these and other CVEs with some justifications are listed in Solr's wiki: https://cwiki.apache.org/confluence/display/SOLR/SolrSecurity#SolrSecurity-SolrandVulnerabilityScanningTools

Mitigation: Any of the following are enough to prevent this vulnerability for Solr servers:

Upgrade to Solr 8.11.1 or greater (when available), which will include an updated version (>= 2.16.0) of the Log4J dependency.
If you are using Solr's official docker image, it has already been mitigated in all versions listed as supported on Docker Hub: https://hub.docker.com/_/solr. You may need to re-pull the image.
Manually update the version of Log4J on your runtime classpath and restart your Solr application.
(Linux/MacOS) Edit your solr.in.sh file to include: SOLR_OPTS="$SOLR_OPTS -Dlog4j2.formatMsgNoLookups=true"
(Windows) Edit your solr.in.cmd file to include: set SOLR_OPTS=%SOLR_OPTS% -Dlog4j2.formatMsgNoLookups=true
Follow any of the other mitgations listed at https://logging.apache.org/log4j/2.x/security.html

The Log4J security page refers to setting log4j2.formatMsgNoLookups=true as a "discredited" mitigation. In reality, it depends. We've looked at the root cause and audited the code paths that lead to the vulnerability, and we feel confident in this mitigation being sufficient for Solr. See https://lists.apache.org/thread/kgh63sncrsm2bls884pg87mnt8vqztmz for discussion.

References: https://logging.apache.org/log4j/2.x/security.html

16 November 2021, Apache Solr™ 8.11.0 available ¶

The Solr PMC is pleased to announce the release of Apache Solr 8.11.0.

Solr 8.11.0 is available for immediate download at:

https://solr.apache.org/downloads.html

Solr 8.11.0 Release Highlights:

Security

MultiAuthPlugin (for authentication) and MultiAuthRuleBasedAuthorizationPlugin (for authorization) classes to support multiple authentication schemes, such as Bearer and Basic. This allows the Admin UI to use OIDC (JWTAuthPlugin) to authenticate users while still supporting Basic authentication for command-line tools and the Prometheus exporter.

A summary of important changes is published in the Solr Reference Guide at https://solr.apache.org/guide/8_11/solr-upgrade-notes.html.

For the most exhaustive list, see the full release notes at https://solr.apache.org/8_11_0/changes/Changes.html or by viewing the CHANGES.txt file accompanying the distribution.

Solr's release notes usually don't include Lucene layer changes. Lucene's release notes are at https://lucene.apache.org/core/8_11_0/changes/Changes.html

18 October 2021, Apache Solr™ 8.10.1 available ¶

The Solr PMC is pleased to announce the release of Apache Solr 8.10.1.

Solr 8.10.1 is available for immediate download at:

https://solr.apache.org/downloads.html

Solr 8.10.1 Release Highlights:

Dependencies upgrades

Upgrade httpclient and httpmime to 4.5.13 (SOLR-15269)
Upgrade the following dependencies with vulnerabilities (SOLR-15677)
jetty: 9.4.44.v20210927
tika: 1.27
commons-compress: 1.21
netty: 4.1.68.Final
fasterxml.jackson: 2.12.3
errorprone: 2.9.0
gcp-client: 1.32.1

A summary of important changes is published in the Solr Reference Guide at https://solr.apache.org/guide/8_10_1/solr-upgrade-notes.html.

For the most exhaustive list, see the full release notes at https://solr.apache.org/8_10_1/changes/Changes.html or by viewing the CHANGES.txt file accompanying the distribution.

Solr's release notes usually don't include Lucene layer changes. Lucene's release notes are at https://lucene.apache.org/core/8_10_1/changes/Changes.html

27 September 2021, Apache Solr™ 8.10.0 available ¶

The Solr PMC is pleased to announce the release of Apache Solr 8.10.0.

Solr 8.10.0 is available for immediate download at:

https://solr.apache.org/downloads.html

Solr 8.10.0 Release Highlights:

Backup / Restore

Backup / restore to / from Amazon S3 (SOLR-15089); included upgrading the AWS SDK to v2 (SOLR-15599)

Schema Designer UI

A new Admin UI screen to interactively design your Solr schema and supporting ConfigSet files from sample data (SOLR-15277)

Security UI

A new Admin UI screen to manage users, roles, and permissions (SOLR-15527)

SQL Improvements

Several enhancements and bug fixes for Solr's Parallel SQL interface, included upgrading Apache Calcite to 1.27.0 (SOLR-15460, SOLR-15451, SOLR-15456, SOLR-15461, SOLR-15489, SOLR-15475, SOLR-15499, SOLR-15570, SOLR-15576, SOLR-9853, SOLR-15579, SOLR-15566)

A summary of important changes is published in the Solr Reference Guide at https://solr.apache.org/guide/8_10/solr-upgrade-notes.html.

For the most exhaustive list, see the full release notes at https://solr.apache.org/8_10_0/changes/Changes.html or by viewing the CHANGES.txt file accompanying the distribution.

Solr's release notes usually don't include Lucene layer changes. Lucene's release notes are at https://lucene.apache.org/core/8_10_0/changes/Changes.html

16 June 2021, Apache Solr™ 8.9.0 available ¶

The Solr PMC is pleased to announce the release of Apache Solr 8.9.0.

Solr 8.9.0 is available for immediate download at:

https://solr.apache.org/downloads.html

Solr 8.9.0 Release Highlights:

Backup/Restore: Support for incremental backups, support for storing backups in Google Cloud Storage (GCS), ability to restore on top of an existing collection. Improved v2 API. Please see CHANGES.txt for details. (SOLR-15087, SOLR-15090, SOLR-13608, SOLR-15101)
Monitoring: New "Solr Cluster" row in Grafana dashboard, improved Zookeeper monitoring, new shard health info in CLUSTERSTATUS and more. Please see CHANGES.txt for details. (SOLR-15365, SOLR-15397, SOLR-15300, SOLR-15081, SOLR-15383)
Deprecations: The Metrics history feature has been deprecated and will be removed in 9.0 (SOLR-15416)
Admin UI: Query page now stores state in URL and can easily be shared (SOLR-6152)
Security: Jetty server upgraded to 9.4.41 which fixes some known vulnerabilities (SOLR-15316)

A summary of important changes is published in the Solr Reference Guide at https://solr.apache.org/guide/8_9/solr-upgrade-notes.html.

For the most exhaustive list, see the full release notes at https://solr.apache.org/8_9_0/changes/Changes.html or by viewing the CHANGES.txt file accompanying the distribution.

Solr's release notes usually don't include Lucene layer changes. Lucene's release notes are at https://lucene.apache.org/core/8_9_0/changes/Changes.html

12 April 2021, Apache Solr™ 8.8.2 available ¶

The Solr PMC is pleased to announce the release of Apache Solr 8.8.2.

Solr 8.8.2 is available for immediate download at:

https://solr.apache.org/downloads.html

Solr 8.8.2 Release Highlights:

SOLR-15249: Properly set ZK ACLs on /security.json
SOLR-15233: Set doAs param in ConfigurableInternodeAuthHadoopPlugin
SOLR-15217: Use shardsWhitelist in ReplicationHandler
SOLR-15288: Hardening NODEDOWN event in collections using PerReplicaStates

Please refer to the Upgrade Notes in the Solr Ref Guide for information on upgrading from previous Solr versions:

https://solr.apache.org/guide/8_8/solr-upgrade-notes.html

Please read CHANGES.txt for a full list of bugfixes:

https://solr.apache.org/8_8_2/changes/Changes.html

Solr 8.8.2 also includes bugfixes in the corresponding Apache Lucene release:

https://lucene.apache.org/core/8_8_2/changes/Changes.html

12 April 2021, CVE-2021-27905: SSRF vulnerability with the Replication handler ¶

Severity: High

Versions Affected: 7.0.0 to 7.7.3 8.0.0 to 8.8.1

Description: The ReplicationHandler (normally registered at "/replication" under a Solr core) has a "masterUrl" (also "leaderUrl" alias) parameter that is used to designate another ReplicationHandler on another Solr core to replicate index data into the local core. To prevent a SSRF vulnerability, Solr ought to check these parameters against a similar configuration it uses for the "shards" parameter. Prior to this bug getting fixed, it did not.

Mitigation: Any of the following are enough to prevent this vulnerability:

Upgrade to Solr 8.8.2 or greater.
If upgrading is not an option, consider applying the patch in SOLR-15217
Ensure that any access to the replication handler is purely internal to Solr. Typically, it's only accessed externally for diagnostic/informational purposes.

Credit: Reported by Caolinhong(Skay) from QI-ANXIN Cert (QI-ANXIN Technology Group Inc.)

References: SOLR-15217: CVE-2021-27905: SSRF vulnerability with the Replication handler

12 April 2021, CVE-2021-29262: Misapplied Zookeeper ACLs can result in leakage of configured authentication and authorization settings ¶

Severity: High

Versions Affected: 7.0.0 to 7.7.3 8.0.0 to 8.8.1

Description: When starting Apache Solr versions prior to 8.8.2, configured with the SaslZkACLProvider or VMParamsAllAndReadonlyDigestZkACLProvider and no existing security.json znode, if the optional read-only user is configured then Solr would not treat that node as a sensitive path and would allow it to be readable. Additionally, with any ZkACLProvider, if the security.json is already present, Solr will not automatically update the ACLs.

Mitigation: Any of the following are enough to prevent this vulnerability:

Manually set appropriate ACLs on /security.json znode.
Upgrade to Solr 8.8.2 or greater.
If upgrading is not an option, consider applying the patch in SOLR-15249
Ensure that any access to zookeeper is only by trusted application.

Credit: Timothy Potter and Mike Drob, Apple Cloud Services

References: SOLR-15249: CVE-2021-29262: Misapplied Zookeeper ACLs can result in leakage of configured authentication and authorization settings

12 April 2021, CVE-2021-29943: Apache Solr Unprivileged users may be able to perform unauthorized read/write to collections ¶

Severity: High

Versions Affected: 7.0.0 to 7.7.3 8.0.0 to 8.8.1

Description: When using ConfigurableInternodeAuthHadoopPlugin for authentication, Apache Solr versions prior to 8.8.2 would forward/proxy distributed requests using server credentials instead of original client credentials. This would result in incorrect authorization resolution on the receiving hosts.

Mitigation: Any of the following are enough to prevent this vulnerability:

Upgrade to Solr 8.8.2 or greater.
If upgrading is not an option, consider applying the patch in SOLR-15233
Use a different authentication plugin, such as the KerberosPlugin or HadoopAuthPlugin

Credit: Geza Nagy

References: SOLR-15233: CVE-2021-29943: Apache Solr Unprivileged users may be able to perform unauthorized read/write to collections

22 February 2021, Apache Solr™ 8.8.1 available ¶

The Lucene PMC is pleased to announce the release of Apache Solr 8.8.1.

Solr 8.8.1 is available for immediate download at:

https://solr.apache.org/downloads.html

Solr 8.8.1 Release Highlights:

Fix for a SolrJ backwards compatibility issue when upgrading the server to 8.8.0 without upgrading SolrJ to 8.8.0. Users are encouraged to use 8.8.1 instead of 8.8.0.

Please refer to the Upgrade Notes in the Solr Ref Guide for information on upgrading from previous Solr versions:

https://solr.apache.org/guide/8_8/solr-upgrade-notes.html

Please read CHANGES.txt for a full list of bugfixes:

https://solr.apache.org/8_8_1/changes/Changes.html

Solr 8.8.1 also includes bugfixes in the corresponding Apache Lucene release:

https://lucene.apache.org/core/8_8_1/changes/Changes.html

17 February 2021, Apache Solr becomes an Apache TLP ¶

The Apache Software Foundation's board today established Solr as a Top Level Project (TLP). Solr has been a Lucene sub-project since its incubation in 2006, governed by the Lucene PMC, and has since the 3.1 release also shared source code repository with Lucene.

What's the background?

The change was proposed by members of the Lucene PMC, and a vote in June 2020 decided that Solr would be a separate TLP. Later, the Lucene PMC decided that the Solr project would be bootstrapped with the same set of committers and PMC members as the "mother" Lucene project.

How does this affect users?

The Solr software will not change at all as a result of this, but users will see these changes:

Solr gets a new website at solr.apache.org
Solr gets a new download location in the mirrors
The email address of the users mailing-list will change, but subscribers will be moved automatically

How does this affect developers?

Developers will have to do a number of things to adapt to the change

Subscribe to the new mailing lists. See Mailing Lists & Chat for instructions
Start using the new git location by cloning or defining a new git remote
Realize that lucene will be a build dependency of Solr on the main branch (once the code migration is done)
Backported bug fixes for Solr 8.8 must be submitted to the Lucene git, for a joint bugfix release

NOTE: Some things may be in flux during the migration work.

29 January 2021, Apache Solr™ 8.8.0 available ¶

29/01/2021, Apache Solr™ 8.8 available The Lucene PMC is pleased to announce the release of Apache Solr 8.8

Solr is the popular, blazing fast, open source NoSQL search platform from the Apache Lucene project. Its major features include powerful full-text search, hit highlighting, faceted search and analytics, rich document parsing, geospatial search, extensive REST APIs as well as parallel SQL. Solr is enterprise grade, secure and highly scalable, providing fault tolerant distributed search and indexing, and powers the search and navigation features of many of the world's largest internet sites.

The release is available for immediate download at:

https://solr.apache.org/downloads.html

Please read CHANGES.txt for a detailed list of changes:

https://solr.apache.org/8_8_0/changes/Changes.html

Solr 8.8.0 Release Highlights

Reducing overseer bottlenecks using per-replica states. More stability and lesser load on large cluster that use this feauture. Better restart and collection creation performance

Interleaving support in Learning To Rank

A summary of important changes is published in the Solr Reference Guide at https://solr.apache.org/guide/8_8/solr-upgrade-notes.html. For the most exhaustive list, see the full release notes at https://solr.apache.org/8_8_0/changes/Changes.html or by viewing the CHANGES.txt file accompanying the distribution. Solr's release notes usually don't include Lucene layer changes. Lucene's release notes are at https://lucene.apache.org/core/8_8_0/changes/Changes.html

3 November 2020, Apache Solr™ 8.7.0 available ¶

3/11/2020, Apache Solr™ 8.7 available The Lucene PMC is pleased to announce the release of Apache Solr 8.7

Solr is the popular, blazing fast, open source NoSQL search platform from the Apache Lucene project. Its major features include powerful full-text search, hit highlighting, faceted search and analytics, rich document parsing, geospatial search, extensive REST APIs as well as parallel SQL. Solr is enterprise grade, secure and highly scalable, providing fault tolerant distributed search and indexing, and powers the search and navigation features of many of the world's largest internet sites.

The release is available for immediate download at:

https://solr.apache.org/downloads.html

Please read CHANGES.txt for a detailed list of changes:

https://solr.apache.org/8_7_0/changes/Changes.html

Solr 8.7.0 Release Highlights

SOLR-14588 -- Circuit Breakers Infrastructure and Real JVM Based Circuit Breaker

SOLR-14615 –- CPU Based Circuit Breaker

SOLR-14537 -- Improve performance of ExportWriter

SOLR-14651 -- The MetricsHistoryHandler Can Be Disabled

A summary of important changes is published in the Solr Reference Guide at https://solr.apache.org/guide/8_7/solr-upgrade-notes.html. For the most exhaustive list, see the full release notes at https://solr.apache.org/8_7_0/changes/Changes.html or by viewing the CHANGES.txt file accompanying the distribution. Solr's release notes usually don't include Lucene layer changes. Lucene's release notes are at https://lucene.apache.org/core/8_7_0/changes/Changes.html

12 October 2020, CVE-2020-13957: The checks added to unauthenticated configset uploads in Apache Solr can be circumvented ¶

Severity: High

Versions Affected: 6.6.0 to 6.6.6 7.0.0 to 7.7.3 8.0.0 to 8.6.2

Description: Solr prevents some features considered dangerous (which could be used for remote code execution) to be configured in a ConfigSet that's uploaded via API without authentication/authorization. The checks in place to prevent such features can be circumvented by using a combination of UPLOAD/CREATE actions.

Mitigation: Any of the following are enough to prevent this vulnerability:

Disable UPLOAD command in ConfigSets API if not used by setting the system property: configset.upload.enabled to false (see docs)
Use Authentication/Authorization and make sure unknown requests aren't allowed (see docs)
Upgrade to Solr 8.6.3 or greater.
If upgrading is not an option, consider applying the patch in SOLR-14663
No Solr API, including the Admin UI, is designed to be exposed to non-trusted parties. Tune your firewall so that only trusted computers and people are allowed access

Credit: Tomás Fernández Löbbe, András Salamon

References: SOLR-14925: CVE-2020-13957: The checks added to unauthenticated configset uploads can be circumvented

7 October 2020, Apache Solr™ 8.6.3 available ¶

The Lucene PMC is pleased to announce the release of Apache Solr 8.6.3.

Solr 8.6.3 is available for immediate download at:

https://solr.apache.org/downloads.html

Solr 8.6.3 Release Highlights:

SOLR-14898: Prevent duplicate header accumulation on internally forwarded requests
SOLR-14768: Fix HTTP multipart POST requests to Solr (8.6.0 regression)
SOLR-14859: PrefixTree-based fields now reject invalid schema properties instead of quietly failing certain queries
SOLR-14663: CREATE ConfigSet action now copies base node content

Please refer to the Upgrade Notes in the Solr Ref Guide for information on upgrading from previous Solr versions:

https://solr.apache.org/guide/8_6/solr-upgrade-notes.html

Please read CHANGES.txt for a full list of bugfixes:

https://solr.apache.org/8_6_3/changes/Changes.html

Solr 8.6.3 also includes bugfixes in the corresponding Apache Lucene release:

https://lucene.apache.org/core/8_6_3/changes/Changes.html

1 September 2020, Apache Solr™ 8.6.2 available ¶

The Lucene PMC is pleased to announce the release of Apache Solr 8.6.2.

Solr 8.6.2 is available for immediate download at:

https://solr.apache.org/downloads.html

Solr 8.6.2 Bug Fixes:

SOLR-14751: Zookeeper Admin screen not working for old ZK versions.

Please refer to the Upgrade Notes in the Solr Ref Guide for information on upgrading from previous Solr versions:

https://solr.apache.org/guide/8_6/solr-upgrade-notes.html

Please read CHANGES.txt for a full list of bugfixes:

https://solr.apache.org/8_6_2/changes/Changes.html

Solr 8.6.2 also includes bugfixes in the corresponding Apache Lucene release:

https://lucene.apache.org/core/8_6_2/changes/Changes.html

14 August 2020, CVE-2020-13941: Apache Solr information disclosure vulnerability ¶

Severity: Medium

Versions Affected:
Before Solr 8.6. Some risks are specific to Windows.

Description: Reported in SOLR-14515 (private) and fixed in SOLR-14561 (public), released in Solr version 8.6.0. The Replication handler (https://solr.apache.org/guide/8_6/index-replication.html#http-api-commands-for-the-replicationhandler) allows commands backup, restore and deleteBackup. Each of these take a location parameter, which was not validated, i.e you could read/write to any location the solr user can access.

On a windows system SMB paths such as \10.0.0.99\share\folder may also be used, leading to:

The possibility of restoring another SolrCore from a server on the network (or mounted remote file system) may lead to:
- Exposing search index data that the attacker should otherwise not have access to
- Replacing the index data entirely by loading it from a remote file system that the attacker controls
Launching SMB attacks which may result in:
- The exfiltration of sensitive data such as OS user hashes (NTLM/LM hashes),
- In case of misconfigured systems, SMB Relay Attacks which can lead to user impersonation on SMB Shares or, in a worse-case scenario, Remote Code Execution

Mitigation: Upgrade to Solr 8.6, and/or ensure only trusted clients can make requests of Solr's replication handler.

Credit: Matei "Mal" Badanoiu

13 August 2020, Apache Solr™ 8.6.1 available ¶

The Lucene PMC is pleased to announce the release of Apache Solr 8.6.1.

Solr 8.6.1 is available for immediate download at:

https://solr.apache.org/downloads.html

Solr 8.6.1 Release Highlights:

SOLR-14665: Revert SOLR-12845 adding of default autoscaling cluster policy, due to performance issues
SOLR-14671: Parsing dynamic ZK config sometimes cause NumberFormatException

Please refer to the Upgrade Notes in the Solr Ref Guide for information on upgrading from previous Solr versions:

https://solr.apache.org/guide/8_6/solr-upgrade-notes.html

Please read CHANGES.txt for a full list of bugfixes:

https://solr.apache.org/8_6_1/changes/Changes.html

Solr 8.6.1 also includes bugfixes in the corresponding Apache Lucene release:

https://lucene.apache.org/core/8_6_1/changes/Changes.html

15 July 2020, Apache Solr™ 8.6.0 available ¶

The Lucene PMC is pleased to announce the release of Apache Solr 8.6.0.

Solr 8.6.0 is available for immediate download at:

https://solr.apache.org/downloads.html

Solr 8.6.0 Release Highlights:

Cross-Collection Join Queries: Join queries can now work cross-collection, even when shared or when spanning nodes.
Search: Performance improvement for some types of queries when using when exact hit count isn't needed by using BlockMax WAND algorithm.
Streaming Expression: Percentiles and standard deviation aggregations added to stats, facet and time series. Streaming expressions added to /export handler. Drill Streaming Expression for efficient and accurate high cardinality aggregation.
Package manager: Support for cluster (CoreContainer) level plugins.
Health Check: HealthCheckHandler can now require that all cores are healthy before returning OK.
Zookeeper read API: A read API at /api/cluster/zk/* to fetch raw ZK data and view contents of a ZK directory.
Admin UI: New panel with security info in admin UI's dashboard.
Query DSL: Support for {param:ref} and {bool: {excludeTags:""}}
Ref Guide: Major redesign of Solr's documentation.

Please read CHANGES.txt for a full list of new features and changes:

https://solr.apache.org/8_6_0/changes/Changes.html

Solr 8.6.0 also includes features, optimizations and bugfixes in the corresponding Apache Lucene release:

https://lucene.apache.org/core/8_6_0/changes/Changes.html

26 May 2020, Apache Solr™ 8.5.2 available ¶

The Lucene PMC is pleased to announce the release of Apache Solr 8.5.2.

Solr 8.5.2 is available for immediate download at:

https://solr.apache.org/downloads.html

Solr 8.5.2 Bug Fixes:

SOLR-14411: Fix regression from SOLR-14359 (Admin UI 'Select an Option')
SOLR-14471: base replica selection strategy not applied to "last place" shards.preference matches

Please read CHANGES.txt for a full list of changes:

https://solr.apache.org/8_5_2/changes/Changes.html

Solr 8.5.2 also includes 1 bugfix in the corresponding Apache Lucene release:

https://lucene.apache.org/core/8_5_2/changes/Changes.html

28 April 2020, Apache Solr™ 7.7.3 available ¶

The Lucene PMC is pleased to announce the release of Apache Solr 7.7.3.

Solr 7.7.3 is available for immediate download at:

https://solr.apache.org/downloads.html

Solr 7.7.3 Release Highlights:

SOLR-13779: Use the safe fork of simple-xml for clustering contrib
SOLR-13718: SPLITSHARD (async) with failures in underlying sub-operations can result in data loss
SOLR-12291: prematurely reporting not yet finished async Collections API call as completed when collection's replicas are collocated at least at one node
SOLR-13828: Improve ExecutePlanAction error handling
SOLR-13472: Forwarded requests should skip authorization on receiving nodes
SOLR-13793: HttpSolrCall now maintains internal request count (_forwardedCount) for remote queries and limits them to the number of replicas. This avoids making too many cascading calls to remote servers, which, if not restricted, can bring down nodes containing the said collection
SOLR-13971: Velocity response writer's resource loading now possible only through startup parameters. Also, removed velocity response writer from _default configset
SOLR-14025: VelocityResponseWriter has been hardened - only trusted configsets can render configset provided templates and rendering templates from request parameters has been removed.
SOLR-13158: DataImportHandler: Added enable.dih.dataConfigParam system property to toggle whether the dataConfig param is permitted
SOLR-14259: Fix javabin performance regression fixes

Please read CHANGES.txt for a full list of and changes:

https://solr.apache.org/7_7_3/changes/Changes.html

Solr 7.7.3 also includes bugfixes in the corresponding Apache Lucene release:

https://lucene.apache.org/core/7_7_3/changes/Changes.html

16 April 2020, Apache Solr™ 8.5.1 available ¶

The Lucene PMC is pleased to announce the release of Apache Solr 8.5.1

Solr is the popular, blazing fast, open source NoSQL search platform from the Apache Lucene project. Its major features include powerful full-text search, hit highlighting, faceted search and analytics, rich document parsing, geospatial search, extensive REST APIs as well as parallel SQL. Solr is enterprise grade, secure and highly scalable, providing fault tolerant distributed search and indexing, and powers the search and navigation features of many of the world's largest internet sites.

This release contains no change over 8.5.0 for Solr. The release is available for immediate download at:

https://solr.apache.org/downloads.html

Solr 8.5.1 also includes one bugfix in the corresponding Apache Lucene release:

https://lucene.apache.org/core/8_5_1/changes/Changes.html

24 March 2020, Apache Solr™ 8.5.0 available ¶

The Lucene PMC is pleased to announce the release of Apache Solr 8.5.0.

Solr 8.5.0 is available for immediate download at:

https://solr.apache.org/downloads.html

Solr 8.5.0 Release Highlights:

A new queries property of JSON Request API let to declare queries in Query DSL format and refer to them by their names.
A new command line tool bin/postlogs allows you to index Solr logs into a Solr collection. This is helpful for log analysis and troubleshooting. Documentation is not yet integrated into the Solr Reference Guide, but is available in a branch via GitHub: https://github.com/apache/lucene-solr/blob/visual-guide/solr/solr-ref-guide/src/logs.adoc.
A new stream decorator delete() is available to help solve some issues with traditional delete-by-query, which can be expensive in large indexes.
Solr now has the ability to run with a Java Security Manager enabled.

Please read CHANGES.txt for a full list of changes:

https://solr.apache.org/8_5_0/changes/Changes.html

Solr 8.5.0 also includes improvements and bugfixes in the corresponding Apache Lucene release:

https://lucene.apache.org/core/8_5_0/changes/Changes.html

13 January 2020, Apache Solr™ 8.4.1 available ¶

The Lucene PMC is pleased to announce the release of Apache Solr 8.4.1.

Solr 8.4.1 is available for immediate download at:

https://solr.apache.org/downloads.html

Solr 8.4.1 Release Highlights:

Fix for overseer serialization to support rolling upgrade (broken since 8.4)
Fix for SSL support with SOLR_SSL_NEED_CLIENT_AUTH (broken since 8.2)
Package manager to store public keys in a special "trusted" location instead of in ZooKeeper

Please read CHANGES.txt for a full list of changes:

https://solr.apache.org/8_4_1/changes/Changes.html

Solr 8.4.1 also includes and bugfixes in the corresponding Apache Lucene release:

https://lucene.apache.org/core/8_4_1/changes/Changes.html

30 December 2019, CVE-2019-17558: Apache Solr RCE through VelocityResponseWriter ¶

Severity: High

Vendor:
The Apache Software Foundation

Versions Affected: 5.0.0 to 8.3.1

Description:
The affected versions are vulnerable to a Remote Code Execution through the VelocityResponseWriter. A Velocity template can be provided through Velocity templates in a configset velocity/ directory or as a parameter. A user defined configset could contain renderable, potentially malicious, templates. Parameter provided templates are disabled by default, but can be enabled by setting params.resource.loader.enabled by defining a response writer with that setting set to true. Defining a response writer requires configuration API access.

Solr 8.4 removed the params resource loader entirely, and only enables the configset-provided template rendering when the configset is trusted (has been uploaded by an authenticated user).

Mitigation:
Ensure your network settings are configured so that only trusted traffic communicates with Solr, especially to the configuration APIs.

Credit:
Github user s00py

References:

29 December 2019, Apache Solr™ 8.4.0 available ¶

The Lucene PMC is pleased to announce the release of Apache Solr 8.4.0.

Solr 8.4.0 is available for immediate download at:

https://solr.apache.org/downloads.html

Solr 8.4.0 Release Highlights:

A new package management system was introduced in order to ease deploying plugins.
Better security with the out-of-the-box configuration.

A summary of important changes is published in the Solr Reference Guide at https://solr.apache.org/guide/8_4/solr-upgrade-notes.html.

Please read CHANGES.txt for a full list of new features and changes:

https://solr.apache.org/8_4_0/changes/Changes.html

Solr 8.4.0 also includes features, optimizations and bugfixes in the corresponding Apache Lucene release:

https://lucene.apache.org/core/8_4_0/changes/Changes.html

3 December 2019, Apache Solr™ 8.3.1 available ¶

The Lucene PMC is pleased to announce the release of Apache Solr 8.3.1.

Solr 8.3.1 is available for immediate download at:

https://solr.apache.org/downloads.html

Solr 8.3.1 Release Highlights:

JavaBinCodec has concurrent modification of CharArr resulting in corrupt internode updates
findRequestType in AuditEvent is more robust
CoreContainer.auditloggerPlugin is volatile now
Velocity response writer's resource loading now possible only through startup parameters

Please read CHANGES.txt for a full list of changes:

https://solr.apache.org/8_3_1/changes/Changes.html

Solr 8.3.1 also includes and bugfixes in the corresponding Apache Lucene release:

https://lucene.apache.org/core/8_3_1/changes/Changes.html

18 November 2019, CVE-2019-12409: Apache Solr RCE vulnerability due to bad config default ¶

Severity: High

Vendor:
The Apache Software Foundation

Versions Affected:
Solr 8.1.1 and 8.2.0 for Linux

Description:
The 8.1.1 and 8.2.0 releases of Apache Solr contain an insecure setting for the ENABLE_REMOTE_JMX_OPTS configuration option in the default solr.in.sh configuration file shipping with Solr.

Windows users are not affected.

If you use the default solr.in.sh file from the affected releases, then JMX monitoring will be enabled and exposed on RMI_PORT (default=18983), without any authentication. If this port is opened for inbound traffic in your firewall, then anyone with network access to your Solr nodes will be able to access JMX, which may in turn allow them to upload malicious code for execution on the Solr server.

The vulnerability is already public [1] and mitigation steps were announced on project mailing lists and news page [3] on August 14th, without mentioning RCE at that time.

Mitigation:
Make sure your effective solr.in.sh file has ENABLE_REMOTE_JMX_OPTS set to 'false' on every Solr node and then restart Solr. Note that the effective solr.in.sh file may reside in /etc/defaults/ or another location depending on the install. You can then validate that the 'com.sun.management.jmxremote*' family of properties are not listed in the "Java Properties" section of the Solr Admin UI, or configured in a secure way.

There is no need to upgrade or update any code.

Remember to follow the Solr Documentation's advice to never expose Solr nodes directly in a hostile network environment.

Credit:
Matei "Mal" Badanoiu
Solr JIRA user 'jnyryan' (John)

References:
[1] https://issues.apache.org/jira/browse/SOLR-13647
[3] https://solr.apache.org/news.html

2 November 2019, Apache Solr™ 8.3.0 available ¶

The Lucene PMC is pleased to announce the release of Apache Solr 8.3.0.

Solr 8.3.0 is available for immediate download at:

https://solr.apache.org/downloads.html

Solr 8.3.0 Release Highlights:

Two dimensional routed aliases are now available for organizing collections based on the data values of two fields
SPLITSHARD implements a new splitByPrefix option that takes into account the actual document distribution when using compositeIds
QueryElevationComponent can have query rules configured with match="subset" wherein the words need only match a subset of the query's words and in any order
Command line option to export documents to a file
Support deterministic replica routing preferences for better cache usage
Ability to query aliases in Solr Admin UI
JWTAuthPlugin supports multiple JWKS endpoints and multiple IdP issuers
JSON faceting now supports arbitrary ranges for range facets
Support integral plots, cosine distance and string truncation with math expressions (Joel Bernstein)
New cat() stream source to create tuples from lines in local files
Add upper, lower, trim and split Stream Evaluators
Add CsvStream, TsvStream Streaming Expressions and supporting Stream Evaluators
Add CaffeineCache, an efficient implementation of SolrCache
Live SPLITSHARD can lose updates due to cluster state change between checking if the current shard is active and later checking if there are any sub-shard leaders to forward the update to
Fix for SPLITSHARD (async) with failures in underlying sub-operations can result in data loss
Allow dynamic resizing of SolrCache-s
Allow optional redaction of data saved by 'bin/solr autoscaling -save'
Optimized large managed schema modifications (internal O(n^2) problem)
Max idle time support for SolrCache implementations
Add Prometheus Exporter GC and Heap options
SSL: Adding Enabling/Disabling client's hostname verification config
Introducing SolrClient.ping(collection) in SolrJ
Fix for CDCR bootstrap not replicating index to the replicas of target cluster
Fixed a race condition when initializing metrics for new security plugins on security.json change
Fixed JWTAuthPlugin to update metrics prior to continuing w/other filters or returning error
Fixed distributed grouping when multiple 'fl' params are specified
JMX MBeans are not exposed because of race condition between creating platform mbean server and registering mbeans
Fix for class-cast issues during atomic-update 'removeregex' operations
Fix for multi-node race condition to create/remove nodeLost markers
Fix for too many cascading calls to remote servers, which can bring down nodes
Fix for MOVEREPLICA ignoring replica type and always adding 'nrt' replicas
Fix: DistributedZkUpdateProcessor should propagate URP.finish() lifecycle (regression since 8.1)

Please read CHANGES.txt for a full list of new features and changes:

https://solr.apache.org/8_3_0/changes/Changes.html

Solr 8.3.0 also includes features, optimizations and bugfixes in the corresponding Apache Lucene release:

https://lucene.apache.org/core/8_3_0/changes/Changes.html

9 September 2019, CVE-2019-12401: XML Bomb in Apache Solr versions prior to 5.0 ¶

Severity: Medium

Vendor:
The Apache Software Foundation

Versions Affected:

1.3.0 to 1.4.1
3.1.0 to 3.6.2
4.0.0 to 4.10.4

Description:
Solr versions prior to 5.0.0 are vulnerable to an XML resource consumption attack (a.k.a. Lol Bomb) via it’s update handler. By leveraging XML DOCTYPE and ENTITY type elements, the attacker can create a pattern that will expand when the server parses the XML causing OOMs

Mitigation:

Upgrade to Apache Solr 5.0 or later.
Ensure your network settings are configured so that only trusted traffic is allowed to post documents to the running Solr instances.

Credit:
Matei "Mal" Badanoiu

References:

14 August 2019, [ANNOUNCE] 8.1.1 and 8.2.0 users check ENABLE_REMOTE_JMX_OPTS setting ¶

Severity: Low

Versions Affected:
8.1.1 and 8.2.0 for Linux

Description:
It has been discovered [1] that the 8.1.1 and 8.2.0 releases contain a bad default
setting for the ENABLE_REMOTE_JMX_OPTS setting in the default solr.in.sh file
shipping with Solr.

Windows users and users with custom solr.in.sh files are not affected.

If you are using the default solr.in.sh file from the affected releases, then
JMX monitoring will be enabled and exposed on JMX_PORT (default = 18983),
without any authentication. So if your firewalls allows inbound traffic on
JMX_PORT, then anyone with network access to your Solr nodes will be able to
access monitoring data exposed over JMX.

Mitigation:
Edit solr.in.sh, set ENABLE_REMOTE_JMX_OPTS=false and restart Solr.
Alternatively wait for the future 8.3.0 release and upgrade.

References:
[1] https://issues.apache.org/jira/browse/SOLR-13647

31 July 2019, CVE-2019-0193: Apache Solr, Remote Code Execution via DataImportHandler ¶

Severity: High

Vendor:
The Apache Software Foundation

Versions Affected:

5.0.0 to 5.5.5
6.0.0 to 6.6.5

Description:
The DataImportHandler, an optional but popular module to pull in data from databases and other sources, has a feature in which the whole DIH configuration can come from a request's "dataConfig" parameter. The debug mode of the DIH admin screen uses this to allow convenient debugging / development of a DIH config. Since a DIH config can contain scripts, this parameter is a security risk. Starting with version 8.2.0 of Solr, use of this parameter requires setting the Java System property enable.dih.dataConfigParam to true.

Mitigation:

Upgrade to 8.2.0 or later, which is secure by default.
or, edit solrconfig.xml to configure all DataImportHandler usages with an "invariants" section listing the "dataConfig" parameter set to am empty string.
Ensure your network settings are configured so that only trusted traffic communicates with Solr, especially to the DIH request handler. This is a best practice to all of Solr.

Credit:
Michael Stepankin (JPMorgan Chase)

References:

26 July 2019, Apache Solr™ 8.2.0 available ¶

The Lucene PMC is pleased to announce the release of Apache Solr 8.2.0

Solr is the popular, blazing fast, open source NoSQL search platform from the Apache Lucene project. Its major features include powerful full-text search, hit highlighting, faceted search, dynamic clustering, database integration, rich document (e.g., Word, PDF) handling, and geospatial search. Solr is highly scalable, providing fault tolerant distributed search and indexing, and powers the search and navigation features of many of the world's largest internet sites.

Solr 8.2.0 is available for immediate download at: https://solr.apache.org/downloads.html

Please read CHANGES.txt for a full list of new features and changes:

https://solr.apache.org/8_2_0/changes/Changes.html

Solr 8.2.0 Release Highlights

New features

Add an update param failOnVersionConflicts=false to updates not fail when there is a version conflict
Add facet2D Streaming Expression.
Preferred replicas on nodes with same system properties as the query master
OpenTracing support for Solr
Raw index data analysis tool (extension of COLSTATUS collection command).
Add recNum Stream Evaluator.
Allow zplot to visualize 2D clusters and convex hulls.
Add a field type for Estonian language to default managed_schema, document about Estonian language analysis in Solr Ref Guide

Bug Fixes

Intermittent 401's for internode requests with basicauth enabled.
In 8.1, Atomic Updates were broken (NPE) when the schema declared the new nest_path field even if you weren't using nested docs. In-place updates were not affected (worked)
Fix atomic update encoding issue for UUID, enum, bool, and binary fields.
Impossible to delete a collection with the same name as an existing alias. This fixes also a bug inREINDEXCOLLECTION when used with removeSource=true which could lead to a data loss.

Solr 8.2.0 also includes many other new features as well as numerous optimizations and bugfixes of the corresponding Apache Lucene release:

https://lucene.apache.org/core/8_2_0/changes/Changes.html

4 June 2019, Apache Solr™ 7.7.2 available ¶

The Lucene PMC is pleased to announce the release of Apache Solr 7.7.2.

Solr 7.7.2 is available for immediate download at:

https://solr.apache.org/downloads.html

Solr 7.7.2 Release Highlights:

High CPU usage in Solr due to Java 8 bug (SOLR–13349)
Multiplicative query boost in certain conditions not applied (SOLR–13126)
InPlace update sometimes fail if schema has a required field (SOLR–11876)
Admin UI inaccessible with RuleBasedAuthorizationPlugin (SOLR–13344)
MetricsHistoryHandler does not work with BasicAuth (SOLR–12860)
ByteArrayUtf8CharSequence cannot be cast to java.lang.String (SOLR–13285)

Please read CHANGES.txt for a full list of and changes:

https://solr.apache.org/7_7_2/changes/Changes.html

Solr 7.7.2 also includes bugfixes in the corresponding Apache Lucene release:

https://lucene.apache.org/core/7_7_2/changes/Changes.html

28 May 2019, Apache Solr™ 8.1.1 available ¶

The Lucene PMC is pleased to announce the release of Apache Solr 8.1.1

Solr is the popular, blazing fast, open source NoSQL search platform from the Apache Lucene project. Its major features include powerful full-text search, hit highlighting, faceted search, dynamic clustering, database integration, rich document (e.g., Word, PDF) handling, and geospatial search. Solr is highly scalable, providing fault tolerant distributed search and indexing, and powers the search and navigation features of many of the world's largest internet sites.

Solr 8.1.1 is available for immediate download at: https://solr.apache.org/downloads.html

Please read CHANGES.txt for a full list of new features and changes:

https://solr.apache.org/8_1_1/changes/Changes.html

Solr 8.1.1 Release Highlights

Fix for a Null Pointer Exception when querying collection through collection alias.

16 May 2019, Apache Solr™ 8.1.0 available ¶

The Lucene PMC is pleased to announce the release of Apache Solr 8.1.0

Solr is the popular, blazing fast, open source NoSQL search platform from the Apache Lucene project. Its major features include powerful full-text search, hit highlighting, faceted search, dynamic clustering, database integration, rich document (e.g., Word, PDF) handling, and geospatial search. Solr is highly scalable, providing fault tolerant distributed search and indexing, and powers the search and navigation features of many of the world's largest internet sites.

Solr 8.1.0 is available for immediate download at: https://solr.apache.org/downloads.html

Please read CHANGES.txt for a full list of new features and changes:

https://solr.apache.org/8_1_0/changes/Changes.html

Solr 8.1.0 Release Highlights

Partial/Atomic Updates for nested documents. This enables atomic updates for nested documents, without the need to supply the whole nested hierarchy (which would be overwritten if absent).
Category Routed Aliases feature introduced for data driven assignment of documents to collections based on values of a field
JWT Token authentication plugin with OpenID Connect implicit flow login through Admin UI
REINDEXCOLLECTION command for re-indexing of existing collections
Collection RENAME command and support using aliases in most collection admin commands
Read-only mode for SolrCloud collections

Solr 8.1.0 also includes many other new features as well as numerous optimizations and bugfixes of the corresponding Apache Lucene release:

https://lucene.apache.org/core/8_1_0/changes/Changes.html

5 April 2019, Apache Solr™ 6.6.6 available ¶

The Lucene PMC is pleased to announce the release of Apache Solr 6.6.6

Solr is the popular, blazing fast, open source NoSQL search platform from the Apache Lucene project. Its major features include powerful full-text search, hit highlighting, faceted search and analytics, rich document parsing, geospatial search, extensive REST APIs as well as parallel SQL. Solr is enterprise grade, secure and highly scalable, providing fault tolerant distributed search and indexing, and powers the search and navigation features of many of the world's largest internet sites.

Solr 6.6.6 is available for immediate download at:

http://archive.apache.org/dist/lucene/solr/6.6.6

Please read CHANGES.txt for a full list of new features and changes:

https://solr.apache.org/6_6_6/changes/Changes.html

Solr 6.6.6 Release Highlights:

Fix memory leak (upon collection reload or ZooKeeper session expiry) in ZkIndexSchemaReader.
Fix for Rule-based Authorization skipping authorization if querying node host the collection
(CVE-2017-3164) Make it possible to configure a host whitelist for distributed search

14 March 2019, Apache Solr™ 8.0.0 available ¶

The Lucene PMC is pleased to announce the release of Apache Solr 8.0.0

Solr is the popular, blazing fast, open source NoSQL search platform from the Apache Lucene project. Its major features include powerful full-text search, hit highlighting, faceted search, dynamic clustering, database integration, rich document (e.g., Word, PDF) handling, and geospatial search. Solr is highly scalable, providing fault tolerant distributed search and indexing, and powers the search and navigation features of many of the world's largest internet sites.

Solr 8.0.0 is available for immediate download at: https://solr.apache.org/downloads.html

Please read CHANGES.txt for a full list of new features and changes:

https://solr.apache.org/8_0_0/changes/Changes.html

Solr 8.0.0 Release Highlights

Solr now uses HTTP/2 for inter-node communication to attain greater efficiency. Details: Solr is switching from Apache HttpClient to Jetty Client for adding HTTP/2 support. Most frequent inter-communication between nodes like indexing and query are now sent in HTTP/2. HTTP/1.1 practically allows only one outstanding request per TCP connection this means that for sending multiple requests at the same time multiple TCP connections must be established. This leads to waste of resources on both-sides and long GC-pause. Solr 8 with HTTP/2 support overcomes that problem by allowing multiple requests can be sent in parallel using a same TCP connection.
Nested documents (AKA child documents or block join) is significantly improved. Most improvements come from storing and leveraging more information about the relationships in the index, like the named relationship between a child and its parent. This information is used by the [child] doc transformer to return children in nested form instead of flat. There is plenty more that can be done with this in the future. Another key improvement is that nested documents can be deleted or replaced in a natural way without orphaning child documents; although care is still needed with delete-by-query.

Being a major release, Solr 8 removes many deprecated APIs, changes various parameter defaults and behavior. Some changes may require a re-index of your content. You are thus encouraged to thoroughly read the "Upgrade Notes" at:

https://solr.apache.org/8_0_0/changes/Changes.html

Solr 8.0 also includes many other new features as well as numerous optimizations and bugfixes of the corresponding Apache Lucene release:

https://lucene.apache.org/core/8_0_0/changes/Changes.html

11 March 2019, Apache Solr Reference Guide 7.7 available ¶

The Lucene PMC is pleased to announce that the Solr Reference Guide for 7.7 is now available. This 1,431-page PDF is the definitive guide to using Apache Solr, the search server built on Lucene.

The PDF Guide can be downloaded from: https://www.apache.org/dyn/closer.cgi/lucene/solr/ref-guide/apache-solr-ref-guide-7.7.pdf. It is also available online at https://solr.apache.org/guide/7_7.

6 March 2019, CVE-2019-0192: Deserialization of untrusted data via jmx.serviceUrl in Apache Solr ¶

Severity: High

Vendor:
The Apache Software Foundation

Versions Affected:

5.0.0 to 5.5.5
6.0.0 to 6.6.5

Description:
ConfigAPI allows to configure Solr's JMX server via an HTTP POST request. By pointing it to a malicious RMI server, an attacker could take advantage of Solr's unsafe deserialization to trigger remote code execution on the Solr side.

Mitigation:
Any of the following are enough to prevent this vulnerability:

Upgrade to Apache Solr 7.0 or later.
Disable the ConfigAPI if not in use, by running Solr with the system property “disable.configEdit=true”
If upgrading or disabling the Config API are not viable options, apply patch in [1] and re-compile Solr.
Ensure your network settings are configured so that only trusted traffic is allowed to ingress/egress your hosts running Solr.

Credit:
Michael Stepankin

References:

1 March 2019, Apache Solr™ 7.7.1 available ¶

The Lucene PMC is pleased to announce the release of Apache Solr 7.7.1

Solr is the popular, blazing fast, open source NoSQL search platform from the Apache Lucene project. Its major features include powerful full-text search, hit highlighting, faceted search, dynamic clustering, database integration, rich document (e.g., Word, PDF) handling, and geospatial search. Solr is highly scalable, providing fault tolerant distributed search and indexing, and powers the search and navigation features of many of the world's largest internet sites.

Solr 7.7.1 is available for immediate download at: https://solr.apache.org/downloads.html

Please read CHANGES.txt for a full list of new features and changes:

https://solr.apache.org/7_7_1/changes/Changes.html

Solr 7.7.1 Release Highlights:

Bugfix for ClassCastException when URPs try to read a String field which returns a ByteArrayUTF8CHarSequence (a regression in release 7.7.0).
Bugfix: Autoscaling based replica placement was broken out of the box. Solr 7.6 enabled autoscaling based replica placement by default but in the absence of default cluster policies, autoscaling can place more than 1 replica of the same shard on the same node. Also, the maxShardsPerNode and createNodeSet was not respected. Due to these reasons, this issue reverts the default replica placement policy to the 'legacy' assignment policy that was the default until Solr 7.5.

12 February 2019, CVE-2017-3164: SSRF issue in Apache Solr ¶

Severity: High

Vendor:
The Apache Software Foundation

Versions Affected: Apache Solr versions from 1.3 to 7.6.0

Description:
The "shards" parameter does not have a corresponding whitelist mechanism, so it can request any URL.

Mitigation:
Upgrade to Apache Solr 7.7.0 or later. Ensure your network settings are configured so that only trusted traffic is allowed to ingress/egress your hosts running Solr.

Credit:
dk from Chaitin Tech

References:

11 February 2019, Apache Solr™ 7.7.0 available ¶

The Lucene PMC is pleased to announce the release of Apache Solr 7.7.0

Solr is the popular, blazing fast, open source NoSQL search platform from the Apache Lucene project. Its major features include powerful full-text search, hit highlighting, faceted search, dynamic clustering, database integration, rich document (e.g., Word, PDF) handling, and geospatial search. Solr is highly scalable, providing fault tolerant distributed search and indexing, and powers the search and navigation features of many of the world's largest internet sites.

Solr 7.7.0 is available for immediate download at: https://solr.apache.org/downloads.html

Please read CHANGES.txt for a full list of new features and changes:

https://solr.apache.org/7_7_0/changes/Changes.html

Solr 7.7.0 Release Highlights:

URI Too Long with large streaming expressions in SolrJ.
A failure while reloading a SolrCore can result in the SolrCore not being closed.
Spellcheck parameters not working in new UI.
New Admin UI Query does not URL-encode the query produced in the URL box.
Rule-base Authorization plugin skips authorization if querying node does not have collection replica.
Solr installer fails on SuSE linux.
Fix incorrect SOLR_SSL_KEYSTORE_TYPE variable in solr start script.
JSON 'terms' Faceting now supports a 'prelim_sort' option to use when initially selecting the top ranking buckets, prior to the final 'sort' option used after refinement.
Add a login page to Admin UI, with initial support for Basic Auth and Kerberos.
New Node-level health check handler at /admin/info/healthcheck and /node/health paths that checks if the node is live, connected to zookeeper and not shutdown.
It is now possible to configure a host whitelist for distributed search.

14 December 2018, Apache Solr™ 7.6.0 available ¶

The Lucene PMC is pleased to announce the release of Apache Solr 7.6.0

Solr is the popular, blazing fast, open source NoSQL search platform from the Apache Lucene project. Its major features include powerful full-text search, hit highlighting, faceted search, dynamic clustering, database integration, rich document (e.g., Word, PDF) handling, and geospatial search. Solr is highly scalable, providing fault tolerant distributed search and indexing, and powers the search and navigation features of many of the world's largest internet sites.

Solr 7.6.0 is available for immediate download at: https://solr.apache.org/downloads.html

Please read CHANGES.txt for a full list of new features and changes:

https://solr.apache.org/7_6_0/changes/Changes.html

Solr 7.6.0 Release Highlights:

Field and FieldType now support a new uninvertible option to control using costly field cache or more efficient docValues.
Collections API has been improved to support adding multiple replicas to a collection shard at a time as well as splitting into multiple sub-shards directly..
Autoscaling's suggestions API now include rebalance options as well as suggestions to add new replicas for lost replicas.
Several new Stream Evaluators have been added to include: oscillate, convexHull, enclosingDisk, pairSort, log10, percentiles, and pivot for geometric and scientific analysis.
UnifiedHighlighter has been improved to support best/perfect highlighting accuracy and full phrase highlighting.

24 September 2018, Apache Solr™ 7.5.0 available ¶

The Lucene PMC is pleased to announce the release of Apache Solr 7.5.0

Solr is the popular, blazing fast, open source NoSQL search platform from the Apache Lucene project. Its major features include powerful full-text search, hit highlighting, faceted search, dynamic clustering, database integration, rich document (e.g., Word, PDF) handling, and geospatial search. Solr is highly scalable, providing fault tolerant distributed search and indexing, and powers the search and navigation features of many of the world's largest internet sites.

Solr 7.5.0 is available for immediate download at: https://solr.apache.org/downloads.html

Please read CHANGES.txt for a full list of new features and changes:

https://solr.apache.org/7_5_0/changes/Changes.html

Solr 7.5.0 Release Highlights:

Nested/child documents may now be supplied as a field value instead of stand-off. Future releases will leverage this semantic information.
Enhance Autoscaling policy support to equally distribute replicas on the basis of arbitrary properties.
Nodes are now visible inside a view of the Admin UI "Cloud" tab, listing nodes and key metrics.
The status of zookeeper ensemble is now accessible under the Admin UI Cloud tab.
The new Korean morphological analyzer ("nori") has been added to default distribution.

3 July 2018, Apache Solr™ 6.6.5 available ¶

The Lucene PMC is pleased to announce the release of Apache Solr 6.6.5

Solr is the popular, blazing fast, open source NoSQL search platform from the Apache Lucene project. Its major features include powerful full-text search, hit highlighting, faceted search and analytics, rich document parsing, geospatial search, extensive REST APIs as well as parallel SQL. Solr is enterprise grade, secure and highly scalable, providing fault tolerant distributed search and indexing, and powers the search and navigation features of many of the world's largest internet sites.

Solr 6.6.5 is available for immediate download at:

http://archive.apache.org/dist/lucene/solr/6.6.5

Please read CHANGES.txt for a full list of new features and changes:

https://solr.apache.org/6_6_5/changes/Changes.html

Solr 6.6.5 Release Highlights:

Ability to disable configset upload via -Dconfigset.upload.enabled=false startup parameter
Referal to external resources in various config files now disallowed

27 June 2018, Apache Solr™ 7.4.0 available ¶

The Lucene PMC is pleased to announce the release of Apache Solr 7.4.0

Solr is the popular, blazing fast, open source NoSQL search platform from the Apache Lucene project. Its major features include powerful full-text search, hit highlighting, faceted search and analytics, rich document parsing, geospatial search, extensive REST APIs as well as parallel SQL. Solr is enterprise grade, secure and highly scalable, providing fault tolerant distributed search and indexing, and powers the search and navigation features of many of the world's largest internet sites.

Solr 7.4.0 is available for immediate download at:

https://solr.apache.org/downloads.html

Please read CHANGES.txt for a full list of new features and changes:

https://solr.apache.org/7_4_0/changes/Changes.html

Solr 7.4.0 Release Highlights:

A new 'relatedness()' aggregate function for JSON Faceting to enable building Semantic Knowledge Graphs.
Added the TaggerRequestHandler (AKA SolrTextTagger) for tagging text. It's used as a component of NER/ERD systems including query-understanding.
The "Auto Scaling" feature area has been added to and enhanced a lot.
The "Streaming Expressions" feature area has been added to and enhanced a lot.
Upgraded from Log4j 1.x to 2.x. Solr continues to log via SLF4J.

18 May 2018, Apache Solr™ 6.6.4 available ¶

The Lucene PMC is pleased to announce the release of Apache Solr 6.6.4

Solr is the popular, blazing fast, open source NoSQL search platform from the Apache Lucene project. Its major features include powerful full-text search, hit highlighting, faceted search and analytics, rich document parsing, geospatial search, extensive REST APIs as well as parallel SQL. Solr is enterprise grade, secure and highly scalable, providing fault tolerant distributed search and indexing, and powers the search and navigation features of many of the world's largest internet sites.

This release includes a bug fix since the 6.6.3 release:

Do not allow to use absolute URIs for including other files in solrconfig.xml and schema parsing

The release is available for immediate download at:

https://www.apache.org/dyn/closer.lua/lucene/solr/6.6.4

Please read CHANGES.txt for a detailed list of changes:

https://solr.apache.org/6_6_4/changes/Changes.html

15 May 2018, Apache Solr™ 7.3.1 available ¶

The Lucene PMC is pleased to announce the release of Apache Solr 7.3.1

Solr is the popular, blazing fast, open source NoSQL search platform from the Apache Lucene project. Its major features include powerful full-text search, hit highlighting, faceted search and analytics, rich document parsing, geospatial search, extensive REST APIs as well as parallel SQL. Solr is enterprise grade, secure and highly scalable, providing fault tolerant distributed search and indexing, and powers the search and navigation features of many of the world's largest internet sites.

This release includes 9 bug fixes since the 7.3.0 release. Some of the major fixes are:

Upgrade commons-fileupload dependency to 1.3.3 to address CVE-2016-1000031
Deleting replicas sometimes fails and causes the replicas to exist in the down state
A successful restore collection should mark the shard state as active and not buffering
Do not allow to use absolute URIs for including other files in solrconfig.xml and schema parsing

Furthermore, this release includes Apache Lucene 7.3.1 which includes 1 bug fix since the 7.3.0 release.

The release is available for immediate download at:

https://www.apache.org/dyn/closer.lua/lucene/solr/7.3.1

Please read CHANGES.txt for a detailed list of changes:

https://solr.apache.org/7_3_1/changes/Changes.html

8 April 2018, CVE-2018-1308: XXE attack through Apache Solr's DIH's dataConfig request parameter ¶

CVE-2018-1308: XXE attack through Apache Solr's DIH's dataConfig request parameter

Severity: Major

Vendor:
The Apache Software Foundation

Versions Affected:

Solr 1.2 to 6.6.2
Solr 7.0.0 to 7.2.1

Description:
The details of this vulnerability were reported to the Apache Security mailing list.

This vulnerability relates to an XML external entity expansion (XXE) in the &dataConfig=<inlinexml> parameter of Solr's DataImportHandler. It can be used as XXE using file/ftp/http protocols in order to read arbitrary local files from the Solr server or the internal network. See [1] for more details.

Mitigation:
Users are advised to upgrade to either Solr 6.6.3 or Solr 7.3.0 releases both of which address the vulnerability. Once upgrade is complete, no other steps are required. Those releases disable external entities in anonymous XML files passed through this request parameter.

If users are unable to upgrade to Solr 6.6.3 or Solr 7.3.0 then they are advised to disable data import handler in their solrconfig.xml file and restart their Solr instances. Alternatively, if Solr instances are only used locally without access to public internet, the vulnerability cannot be used directly, so it may not be required to update, and instead reverse proxies or Solr client applications should be guarded to not allow end users to inject dataConfig request parameters. Please refer to [2] on how to correctly secure Solr servers.

Credit:
麦香浓郁

References:

[1] https://issues.apache.org/jira/browse/SOLR-11971
[2] https://cwiki.apache.org/confluence/display/solr/SolrSecurity

4 April 2018, Apache Solr™ 7.3.0 available ¶

The Lucene PMC is pleased to announce the release of Apache Solr 7.3.0

Solr is the popular, blazing fast, open source NoSQL search platform from the Apache Lucene project. Its major features include powerful full-text search, hit highlighting, faceted search, dynamic clustering, database integration, rich document (e.g., Word, PDF) handling, and geospatial search. Solr is highly scalable, providing fault tolerant distributed search and indexing, and powers the search and navigation features of many of the world's largest internet sites.

Solr 7.3.0 is available for immediate download at:

https://solr.apache.org/downloads.html

Please read CHANGES.txt for a full list of new features and changes:

https://solr.apache.org/7_3_0/changes/Changes.html

Solr 7.3.0 Release Highlights:

OpenNLP request processors
Automatic time-based collection creation
Multivalued primitive fields can be used in sorting
SortableTextField allows sorting and faceting on free text
New stream evaluators
Improvements around leader-initiated recovery
New autoscaling features
A Prometheus metrics exporter
Filtering with exclusions on parent and child queries
Filtering with exclusions via a new query parser
Neural network modelling via learning to rank
Solr runs with Java 10

The Apache Solr Reference Guide for 7.3 is also available in PDF form or online.

7 March 2018, Apache Solr™ 6.6.3 available ¶

The Lucene PMC is pleased to announce the release of Apache Solr 6.6.3.

Solr is the popular, blazing fast, open source NoSQL search platform from the Apache Lucene project. Its major features include powerful full-text search, hit highlighting, faceted search and analytics, rich document parsing, geospatial search, extensive REST APIs as well as parallel SQL. Solr is enterprise grade, secure and highly scalable, providing fault tolerant distributed search and indexing, and powers the search and navigation features of many of the world's largest internet sites.

This release contains three bugfixes:

Disallow reference to external resources in DataImportHandler's dataConfig request parameter
Allow collections created with legacyCloud=true to be opened if legacyCloud=false
LeaderInitiatedRecoveryThread now retries on UnknownHostException

The release is available for immediate download at:

https://solr.apache.org/mirrors-solr-redir.html

Please read CHANGES.txt for a detailed list of changes:

https://solr.apache.org/6_6_3/changes/Changes.html

15 January 2018, Apache Solr™ 7.2.1 available ¶

The Lucene PMC is pleased to announce the release of Apache Solr 7.2.1

Solr is the popular, blazing fast, open source NoSQL search platform from the Apache Lucene project. Its major features include powerful full-text search, hit highlighting, faceted search and analytics, rich document parsing, geospatial search, extensive REST APIs as well as parallel SQL. Solr is enterprise grade, secure and highly scalable, providing fault tolerant distributed search and indexing, and powers the search and navigation features of many of the world's largest internet sites.

This release includes 3 bug fixes since the 7.2.0 release:

Overseer can never process some last messages.
Rename core in solr standalone mode is not persisted.
QueryComponent's rq parameter parsing no longer considers the defType parameter.
Fix NPE in SolrQueryParser when the query terms inside a filter clause reduce to nothing.

Furthermore, this release includes Apache Lucene 7.2.1 which includes 1 bug fix since the 7.2.0 release.

The release is available for immediate download at:

https://www.apache.org/dyn/closer.lua/lucene/solr/7.2.1

Please read CHANGES.txt for a detailed list of changes:

https://solr.apache.org/7_2_1/changes/Changes.html

21 December 2017, Apache Solr™ 7.2.0 available ¶

The Lucene PMC is pleased to announce the release of Apache Solr 7.2.0

Solr is the popular, blazing fast, open source NoSQL search platform from the Apache Lucene project. Its major features include powerful full-text search, hit highlighting, faceted search, dynamic clustering, database integration, rich document (e.g., Word, PDF) handling, and geospatial search. Solr is highly scalable, providing fault tolerant distributed search and indexing, and powers the search and navigation features of many of the world's largest internet sites.

Solr 7.2.0 is available for immediate download at:

https://solr.apache.org/downloads.html

Please read CHANGES.txt for a full list of new features and changes:

https://solr.apache.org/7_2_0/changes/Changes.html

Solr 7.2.0 Release Highlights:

Bi-directional syncing of CDCR clusters is now supported.
The new synonymQueryStyle field type option allows for better scoring when terms at the same position are hyponyms/hypernyms rather than synonyms.
More stream evaluators, including: matrix operations; spline; derivative; regression; normalization; scaling; correlation; markov chains; time series differencing; and triangular and geometric distributions.
The new facet.matches parameter returns facet buckets only for terms that match a regular expression.
New Autoscaling features: the autoscaling/suggestions API end-point; the UTILIZENODE command, which moves replicas according to autoscaling policies and preferences; and the Autoscaling set-property command.

2 November 2017, Apache Solr Reference Guide for 7.1 available ¶

The Lucene PMC is pleased to announce that the Solr Reference Guide for 7.1 is now available.

This 1,077-page PDF is the definitive guide to using Apache Solr, the search server built on Lucene.

The PDF Guide can be downloaded from: https://www.apache.org/dyn/closer.cgi/lucene/solr/ref-guide/apache-solr-ref-guide-7.1.pdf.

It is also available online at https://solr.apache.org/guide/7_1.

26 October 2017, CVE-2016-6809: Java code execution for serialized objects embedded in MATLAB files parsed by Apache Solr using Tika ¶

Severity: Important

Vendor:
The Apache Software Foundation

Versions Affected:

Solr 5.0.0 to 5.5.4
Solr 6.0.0 to 6.6.1
Solr 7.0.0 to 7.0.1

Description:
Apache Solr uses Apache Tika for parsing binary file types such as doc, xls, pdf etc. Apache Tika wraps the jmatio parser (https://github.com/gradusnikov/jmatio) to handle MATLAB files. The parser uses native deserialization on serialized Java objects embedded in MATLAB files. A malicious user could inject arbitrary code into a MATLAB file that would be executed when the object is deserialized.

This vulnerability was originally described at http://mail-archives.apache.org/mod_mbox/tika-user/201611.mbox/%3C2125912914.1308916.1478787314903%40mail.yahoo.com%3E

Mitigation:
Users are advised to upgrade to either Solr 5.5.5 or Solr 6.6.2 or Solr 7.1.0 releases which have fixed this vulnerability.

Solr 5.5.5 upgrades the jmatio parser to v1.2 and disables the Java deserialisation support to protect against this vulnerability.

Solr 6.6.2 and Solr 7.1.0 have upgraded the bundled Tika to v1.16.

Once upgrade is complete, no other steps are required.

References:

24 October 2017, Apache Solr™ 5.5.5 available ¶

The Lucene PMC is pleased to announce the release of Apache Solr 5.5.5.

Solr is the popular, blazing fast, open source NoSQL search platform from the Apache Lucene project. Its major features include powerful full-text search, hit highlighting, faceted search and analytics, rich document parsing, geospatial search, extensive REST APIs as well as parallel SQL. Solr is enterprise grade, secure and highly scalable, providing fault tolerant distributed search and indexing, and powers the search and navigation features of many of the world's largest internet sites.

This release contains one bugfix.

This release includes one critical and one important security fix. Details:

Fix for a 0-day exploit (CVE-2017-12629), details: https://s.apache.org/FJDl. RunExecutableListener has been disabled by default (can be enabled by -Dsolr.enableRunExecutableListener=true) and resolving external entities in the XML query parser (defType=xmlparser or {!xmlparser ... }) is disabled by default.
Fix for CVE-2017-7660: Security Vulnerability in secure inter-node communication in Apache Solr, details: https://s.apache.org/APTY

Furthermore, this release includes Apache Lucene 5.5.5 which includes one security fix since the 5.5.4 release.

The release is available for immediate download at:

https://www.apache.org/dyn/closer.lua/lucene/solr/5.5.5

Please read CHANGES.txt for a detailed list of changes:

https://solr.apache.org/5_5_5/changes/Changes.html

18 October 2017, Apache Solr™ 6.6.2 available ¶

The Lucene PMC is pleased to announce the release of Apache Solr 6.6.2

Solr is the popular, blazing fast, open source NoSQL search platform from the Apache Lucene project. Its major features include powerful full-text search, hit highlighting, faceted search and analytics, rich document parsing, geospatial search, extensive REST APIs as well as parallel SQL. Solr is enterprise grade, secure and highly scalable, providing fault tolerant distributed search and indexing, and powers the search and navigation features of many of the world's largest internet sites.

Highlights for this Solr release includes:

Critical security fix: Fix for a 0-day exploit (CVE-2017-12629), details: https://s.apache.org/FJDl. RunExecutableListener has been disabled by default (can be enabled by -Dsolr.enableRunExecutableListener=true) and resolving external entities in the XML query parser (defType=xmlparser or {!xmlparser ... }) is disabled by default.
Fix for a bug where Solr was attempting to load the same core twice (Error message: "Lock held by this virtual machine").

The release is available for immediate download at:

https://www.apache.org/dyn/closer.lua/lucene/solr/6.6.2

Please read CHANGES.txt for a detailed list of changes:

https://solr.apache.org/6_6_2/changes/Changes.html

18 October 2017, Several critical vulnerabilities discovered in Apache Solr (XXE & RCE) ¶

Severity:
Critical

Vendor:
The Apache Software Foundation

Versions Affected:

Solr 5.5.0 to 5.5.4
Solr 6.0.0 to 6.6.1
Solr 7.0.0 to 7.0.1

Description:
The details of this vulnerability were reported on public mailing lists. See https://s.apache.org/FJDl

The first vulnerability relates to XML external entity expansion in the XML Query Parser which is available, by default, for any query request with parameters deftype=xmlparser. This can be exploited to upload malicious data to the /upload request handler. It can also be used as Blind XXE using ftp wrapper in order to read arbitrary local files from the solr server.

The second vulnerability relates to remote code execution using the RunExecutableListener available on all affected versions of Solr.

At the time of the above report, this was a 0-day vulnerability with a working exploit affecting the versions of Solr mentioned in the previous section. However, mitigation steps were announced to protect Solr users the same day. See https://solr.apache.org/news.html#12-october-2017-please-secure-your-apache-solr-servers-since-a-zero-day-exploit-has-been-reported-on-a-public-mailing-list

Mitigation:
Users are advised to upgrade to either Solr 6.6.2 or Solr 7.1.0 releases both of which address the two vulnerabilities. Once upgrade is complete, no other steps are required.

If users are unable to upgrade to Solr 6.6.2 or Solr 7.1.0 then they are advised to restart their Solr instances with the system parameter -Ddisable.configEdit=true. This will disallow any changes to be made to your configurations via the Config API. This is a key factor in this vulnerability, since it allows GET requests to add the RunExecutableListener to your config. Users are also advised to re-map the XML Query Parser to another parser to mitigate the XXE vulnerability. For example, adding the following to the solrconfig.xml file re-maps the xmlparser to the edismax parser: <queryParser name="xmlparser" class="solr.ExtendedDismaxQParserPlugin"/>

Credit:

Michael Stepankin (JPMorgan Chase)
Olga Barinova (Gotham Digital Science)

References:

17 October 2017, Apache Solr™ 7.1.0 available ¶

The Lucene PMC is pleased to announce the release of Apache Solr 7.1.0

Solr is the popular, blazing fast, open source NoSQL search platform from the Apache Lucene project. Its major features include powerful full-text search, hit highlighting, faceted search, dynamic clustering, database integration, rich document (e.g., Word, PDF) handling, and geospatial search. Solr is highly scalable, providing fault tolerant distributed search and indexing, and powers the search and navigation features of many of the world's largest internet sites.

The release is available for immediate download at:

https://www.apache.org/dyn/closer.lua/lucene/solr/7.1.0

Please read CHANGES.txt for a full list of new features and changes:

https://solr.apache.org/7_1_0/changes/Changes.html

Highlights for this Solr release include:

Critical Security Update: Fix for CVE-2017-12629 which is a working 0-day exploit reported on the public mailing list.
Auto-scaling: Solr can now move replicas automatically when a new node is added or an existing node is removed using the auto scaling policy framework introduced in 7.0
Auto-scaling: The 'autoAddReplicas' feature which was limited to shared file systems is now available for all file systems. It has been ported to use the new autoscaling framework internally.
Auto-scaling: New set-trigger, remove-trigger, set-listener, remove-listener, suspend-trigger, resume-trigger APIs
Auto-scaling: New /autoscaling/history API to show past autoscaling actions and cluster events
New JSON based Query DSL for Solr that extends JSON Request API to also support all query parsers and their nested parameters
JSON Facet API: min/max aggregations are now supported on single-valued date fields
Lucene's Geo3D (surface of sphere & ellipsoid) is now supported on spatial RPT fields by setting spatialContextFactory="Geo3D". Furthermore, this is the first time Solr has out of the box support for polygons
Expanded support for statistical stream evaluators such as various distributions, rank correlations, distances and more.
Multiple other optimizations and bug fixes

You are encouraged to thoroughly read the "Upgrade Notes" at https://solr.apache.org/7_1_0/changes/Changes.html or in the CHANGES.txt file accompanying the release.

Solr 7.1 also includes many other new features as well as numerous optimizations and bugfixes of the corresponding Apache Lucene release.

12 October 2017, Please secure your Apache Solr servers since a zero-day exploit has been reported on a public mailing list ¶

Please secure your Solr servers since a zero-day exploit has been reported on a public mailing list. This has been assigned a public CVE (CVE-2017-12629) which we will reference in future communication about resolution and mitigation steps.

Here is what we're recommending and what we're doing now:

Until fixes are available, all Solr users are advised to restart their Solr instances with the system property -Ddisable.configEdit=true. This will disallow any changes to be made to configurations via the Config API. This is a key factor in this vulnerability, since it allows GET requests to add the RunExecutableListener to the config. This is sufficient to protect you from this type of attack, but means you cannot use the edit capabilities of the Config API until the other fixes described below are in place. Users are also advised to remap the XML Query Parser to another parser to mitigate the XXE vulnerability. For example, adding the following to the solrconfig.xml file maps the xmlparser to the edismax parser: <queryParser name="xmlparser" class="solr.ExtendedDismaxQParserPlugin"/>.
A new release of Lucene/Solr was in the vote phase, but we have now pulled it back to be able to address these issues in the upcoming 7.1 release. We will also determine mitigation steps for users on earlier versions, which may include a 6.6.2 release for users still on 6.x.
The RunExecutableListener will be removed in 7.1. It was previously used by Solr for index replication but has been replaced and is no longer needed.
The XML Parser will be fixed and the fixes will be included in the 7.1 release.
The 7.1 release was already slated to include a change to disable the stream.body parameter by default, which will further help protect systems.

6 October 2017, Apache Solr™ 7.0.1 available ¶

Solr is the popular, blazing fast, open source NoSQL search platform from the Apache Lucene project. Its major features include powerful full-text search, hit highlighting, faceted search and analytics, rich document parsing, geospatial search, extensive REST APIs as well as parallel SQL. Solr is enterprise grade, secure and highly scalable, providing fault tolerant distributed search and indexing, and powers the search and navigation features of many of the world's largest internet sites.

Solr 7.0.1 is available for immediate download at: https://solr.apache.org/downloads.html

This release includes 2 bug fixes since the 7.0.0 release:

Solr 7.0 cannot read indexes from 6.x versions.
Message "Lock held by this virtual machine" during startup. Solr is trying to start some cores twice.

Furthermore, this release includes Apache Lucene 7.0.1 which includes 1 bug fix since the 7.0.0 release.

The release is available for immediate download at:

https://www.apache.org/dyn/closer.lua/lucene/solr/7.0.1

Please read CHANGES.txt for a detailed list of changes:

https://solr.apache.org/7_0_1/changes/Changes.html

2 October 2017, Apache Solr Reference Guide for 7.0 available ¶

The Lucene PMC is pleased to announce the release of the Apache Solr Reference Guide for Solr 7.0.

This 1,035-page PDF is the definitive guide to Solr. This version adds documentation for new features of Solr, plus detailed information about changes and deprecations you should know about when upgrading from Solr 6.x to Solr 7.0.

You can download the PDF from: https://www.apache.org/dyn/closer.cgi/lucene/solr/ref-guide/apache-solr-ref-guide-7.0.pdf.

An HTML version is also available from: https://solr.apache.org/guide/7_0/.

20 September 2017, Apache Solr™ 7.0.0 available ¶

The Lucene PMC is pleased to announce the release of Apache Solr 7.0.0

Solr is the popular, blazing fast, open source NoSQL search platform from the Apache Lucene project. Its major features include powerful full-text search, hit highlighting, faceted search and analytics, rich document parsing, geospatial search, extensive REST APIs as well as parallel SQL. Solr is enterprise grade, secure and highly scalable, providing fault tolerant distributed search and indexing, and powers the search and navigation features of many of the world's largest internet sites.

Solr 7.0.0 is available for immediate download at: https://solr.apache.org/downloads.html

Highlights for this Solr release include:

Replica Types - Solr 7 supports different replica types, which handle updates differently. In addition to pure NRT operation where all replicas build an index and keep a replication log, you can now also add so called PULL replicas, achieving the read-speed optimized benefits of a master/slave setup while at the same time keeping index redundancy.
Auto-scaling. Solr can now allocate new replicas to nodes using a new auto scaling policy framework. This framework will in future releases enable Solr to move shards around based on load, disk etc.
Indented JSON is now the default response format for all APIs, pass wt=xml and/or indent=off to use the previous unindented XML format.
The JSON Facet API now supports two-phase facet refinement to ensure accurate counts and statistics for facet buckets returned in distributed mode.
Streaming Expressions adds a new statistical programming syntax for the statistical analysis of sql queries, random samples, time series and graph result sets.
Analytics Component version 2.0, which now supports distributed collections, expressions over multivalued fields, a new JSON request language, and more.
The new v2 API, exposed at /api/ and also supported via SolrJ, is now the preferred API, but /solr/ continues to work.
A new '_default' configset is used if no config is specified at collection creation. The data-driven functionality of this configset indexes strings as analyzed text while at the same time copying to a '*_str' field suitable for faceting.
Solr 7 is tested with and verified to support Java 9.

See the Solr CHANGES.txt files included with the release for a full list of details.

18 September 2017, CVE-2017-9803: Security vulnerability in kerberos delegation token functionality** ¶

CVE-2017-9803: Security vulnerability in kerberos delegation token functionality

Severity: Important

Vendor:
The Apache Software Foundation

Versions Affected:
Solr 6.2.0 to 6.6.0

Description:

Solr's Kerberos plugin can be configured to use delegation tokens, which allows an application to reuse the authentication of an end-user or another application. There are two issues with this functionality (when using SecurityAwareZkACLProvider type of ACL provider e.g. SaslZkACLProvider),

Firstly, access to the security configuration can be leaked to users other than the solr super user. Secondly, malicious users can exploit this leaked configuration for privilege escalation to further expose/modify private data and/or disrupt operations in the Solr cluster.

The vulnerability is fixed from Solr 6.6.1 onwards.

Mitigation:
6.x users should upgrade to 6.6.1

Credit:
This issue was discovered by Hrishikesh Gadre of Cloudera Inc.

References:

7 September 2017, Apache Solr™ 6.6.1 available ¶

The Lucene PMC is pleased to announce the release of Apache Solr 6.6.1

Solr is the popular, blazing fast, open source NoSQL search platform from the Apache Lucene project. Its major features include powerful full-text search, hit highlighting, faceted search and analytics, rich document parsing, geospatial search, extensive REST APIs as well as parallel SQL. Solr is enterprise grade, secure and highly scalable, providing fault tolerant distributed search and indexing, and powers the search and navigation features of many of the world's largest internet sites.

Solr 6.6.1 is available for immediate download at: https://solr.apache.org/downloads.html

This release includes 15 bug fixes since the 6.6.0 release. Some of the major fixes are:

Standalone Solr loads UNLOADed core on request
ParallelStream should set the StreamContext when constructing SolrStreams
CloudSolrStream.toExpression incorrectly handles fq clauses
CoreContainer.load needs to send lazily loaded core descriptors to the proper list rather than send them all to the transient lists
Creating a core should write a core.properties file first and clean up on failure
Clean up a few details left over from pluggable transient core and untangling
Provide a way to know when Core Discovery is finished and when all async cores are done loading
CDCR bootstrapping can get into an infinite loop when a core is reloaded
SolrJmxReporter is broken on core reload. This resulted in some or most metrics not being reported via JMX after core reloads, depending on timing
Creating a core.properties fails if the parent of core.properties is a symlinked directory
StreamHandler should allow connections to be closed early
Certain admin UI pages would not load up correctly with kerberos enabled
Fix DOWNNODE -> queue-work znode explosion in ZooKeeper
Upgrade to Hadoop 2.7.4 to fix incompatibility with Java 9
Fix bin/solr.cmd so it can run properly on Java 9

Furthermore, this release includes Apache Lucene 6.6.1 which includes 2 bug fixes since the 6.6.0 release.

See the Solr CHANGES.txt files included with the release for a full list of details.

7 July 2017, CVE-2017-7660: Security Vulnerability in secure inter-node communication in Apache Solr** ¶

CVE-2017-7660: Security Vulnerability in secure inter-node communication in Apache Solr

Severity: Important

Vendor:
The Apache Software Foundation

Versions Affected:

Solr 5.3 to 5.5.4
Solr 6.0 to 6.5.1

Description:
Solr uses a PKI based mechanism to secure inter-node communication when security is enabled. It is possible to create a specially crafted node name that does not exist as part of the cluster and point it to a malicious node. This can trick the nodes in cluster to believe that the malicious node is a member of the cluster. So, if Solr users have enabled BasicAuth authentication mechanism using the BasicAuthPlugin or if the user has implemented a custom Authentication plugin, which does not implement either "HttpClientInterceptorPlugin" or "HttpClientBuilderPlugin", his/her servers are vulnerable to this attack. Users who only use SSL without basic authentication or those who use Kerberos are not affected.

Mitigation:

6.x users should upgrade to 6.6.0 or higher
5.x users should obtain the latest source from git and apply this patch: http://git-wip-us.apache.org/repos/asf/lucene-solr/commit/2f5ecbcf

Credit:
This issue was discovered by Noble Paul of Lucidworks Inc.

References:

6 June 2017, Apache Solr™ 6.6.0 available ¶

The Lucene PMC is pleased to announce the release of Apache Solr 6.6.0

Solr is the popular, blazing fast, open source NoSQL search platform from the Apache Lucene project. Its major features include powerful full-text search, hit highlighting, faceted search and analytics, rich document parsing, geospatial search, extensive REST APIs as well as parallel SQL. Solr is enterprise grade, secure and highly scalable, providing fault tolerant distributed search and indexing, and powers the search and navigation features of many of the world's largest internet sites.

Solr 6.6.0 is available for immediate download at: https://solr.apache.org/downloads.html

Highlights of this Solr release include:

Payload support with payload() value source and {!payload_score} and {!payload_check} query parsers
Solr support for SimpleTextCodec
Multi-field support to TermsComponent when requesting terms' statistics
New AtomicUpdateProcessor to convert normal update operations to atomic update operations
UPLOAD command (Config Set API) for uploading zipped configsets
MOVEREPLICA command (Collections API) for moving a replica across nodes
LISTALIASES command (Collections API) to return a list of all collection aliases
STATUS command (Core Admin API) to emit collection details of each core
Basic authentication can be enabled/disabled using bin/solr|bin/solr.cmd
Solr default/example uses WordDelimiterGraphFilterFactory and SynonymGraphFilterFactory
Expose cache statistics using metrics API
CloudSolrClient can now be initialized using the base URL of a Solr instance instead of ZooKeeper hosts
Grouping, CollapseQParser and ExpandComponent support with PointFields
Variance and Standard Deviation aggregators for the JSON Facet API
JSON Faceting now supports a query time 'join' domain change option
CartesianProductStream, which turns a single tuple with a multi-valued field into N tuples, one for each value in the multi-valued field
New Streaming Evaluators: Basic math, UUID, Date/time, correlation, regress, predict, covariance, convolution, normalize
New Streaming Expressions: shuffle, echo, eval, timeseries, let, get, tuple

See the Solr CHANGES.txt files included with the release for a full list of details.

27 April 2017, Apache Solr™ 6.5.1 available ¶

The Lucene PMC is pleased to announce the release of Apache Solr 6.5.1

Solr is the popular, blazing fast, open source NoSQL search platform from the Apache Lucene project. Its major features include powerful full-text search, hit highlighting, faceted search and analytics, rich document parsing, geospatial search, extensive REST APIs as well as parallel SQL. Solr is enterprise grade, secure and highly scalable, providing fault tolerant distributed search and indexing, and powers the search and navigation features of many of the world's largest internet sites.

Solr 6.5.1 is available for immediate download at: https://solr.apache.org/downloads.html

This release includes 11 bug fixes since the 6.5.0 release. Some of the major fixes are:

bin\solr.cmd delete and healthcheck now works again; fixed continuation chars ^
Fix debug related NullPointerException in solr/contrib/ltr OriginalScoreFeature class.
The JSON output of /admin/metrics is fixed to write the container as a map (SimpleOrderedMap) instead of an array (NamedList).
On 'downnode', lots of wasteful mutations are done to ZK.
Fix params persistence for solr/contrib/ltr (MinMax|Standard)Normalizer classes.
The fetch() streaming expression wouldn't work if a value included query syntax chars (like :+-). Fixed, and enhanced the generated query to not pollute the queryCache.
Disable graph query production via schema configuration <fieldtype ... enableGraphQueries="false">. This fixes broken queries for ShingleFilter-containing query-time analyzers when request param sow=false.
Fix indexed="false" on numeric PointFields
SQL AVG function mis-interprets field type.
SQL interface does not use client cache.
edismax with sow=false fails to create dismax-per-term queries when any field is boosted.

Furthermore, this release includes Apache Lucene 6.5.1 which includes 3 bug fixes since the 6.5.0 release.

See the Solr CHANGES.txt files included with the release for a full list of details.

27 March 2017, Apache Solr™ 6.5.0 Available ¶

The Lucene PMC is pleased to announce the release of Apache Solr 6.5.0.

Solr is the popular, blazing fast, open source NoSQL search platform from the Apache Lucene project. Its major features include powerful full-text search, hit highlighting, faceted search and analytics, rich document parsing, geospatial search, extensive REST APIs as well as parallel SQL. Solr is enterprise grade, secure and highly scalable, providing fault tolerant distributed search and indexing, and powers the search and navigation features of many of the world's largest internet sites.

Solr 6.5.0 is available for immediate download at: https://solr.apache.org/downloads.html

Highlights of this Solr release include:

PointFields (fixed-width multi-dimensional numeric & binary types enabling fast range search) are now supported
In-place updates to numeric docValues fields (single valued, non-stored, non-indexed) supported using atomic update syntax
A new LatLonPointSpatialField that uses points or doc values for query
It is now possible to declare a field as "large" in order to bypass the document cache
New sow=false request param (split-on-whitespace) for edismax & standard query parsers enables query-time multi-term synonyms
XML QueryParser (defType=xmlparser) now supports span queries
hl.maxAnalyzedChars now have consistent default across highlighters
UnifiedSolrHighlighter and PostingsSolrHighlighter now support CustomSeparatorBreakIterator
Scoring formula is adjusted for the scoreNodes function
Calcite Planner now applies constant Reduction Rules to optimize plans
A new significantTerms Streaming Expression that is able to extract the significant terms in an index
StreamHandler is now able to use runtimeLib jars
Arithmetic operations are added to the SelectStream
Added modernized self-documenting /v2 API
The .system collection is now created on first request if it does not exist
Admin UI: Added shard deletion button
Metrics API now supports non-numeric metrics (version, disk type, component state, system properties...)
The disk free and aggregated disk free metrics are now reported
The DirectUpdateHandler2 now implements MetricsProducer and exposes stats via the metrics api and configured reporters.
BlockCache is faster due to less failures when caching a new block
MMapDirectoryFactory now supports "preload" option to ask mapped pages to be loaded into physical memory on init
Security: BasicAuthPlugin now supports standalone mode
Arbitrary java system properties can be passed to zkcli
SolrHttpClientBuilder can be configured via java system property
Javadocs and Changes.html are no longer included in the binary distribution, but are hosted online

See the Solr CHANGES.txt files included with the release for a full list of details.

7 March 2017, Apache Solr™ 6.4.2 Available ¶

The Lucene PMC is pleased to announce the release of Apache Solr 6.4.2.

Solr is the popular, blazing fast, open source NoSQL search platform from the Apache Lucene project. Its major features include powerful full-text search, hit highlighting, faceted search and analytics, rich document parsing, geospatial search, extensive REST APIs as well as parallel SQL. Solr is enterprise grade, secure and highly scalable, providing fault tolerant distributed search and indexing, and powers the search and navigation features of many of the world's largest internet sites.

Solr 6.4.2 is available for immediate download at: https://solr.apache.org/downloads.html

Highlights of this Solr release include:

Fixed: Serious performance degradation in Solr 6.4 due to the metrics collection. IndexWriter metrics collection turned off by default, directory level metrics collection completely removed (until a better design is found)
Fixed: Transaction log replay can hit an NullPointerException due to new Metrics code
Fixed: NullPointerException in CloudSolrClient when reading stale alias
Fixed: UnifiedHighlighter and PostingsHighlighter bug in PrefixQuery and TermRangeQuery for multi-byte text

See the Solr CHANGES.txt files included with the release for a full list of details.

17 February 2017, Apache Solr Reference Guide for 6.4 Available ¶

The Lucene PMC is pleased to announce that the Solr Reference Guide for Solr 6.4 has been released.

This 763-page PDF is the definitive guide to using Apache Solr. It can be downloaded from:

https://www.apache.org/dyn/closer.cgi/lucene/solr/ref-guide/apache-solr-ref-guide-6.4.pdf

15 February 2017, Apache Solr™ 5.5.4 Available ¶

The Lucene PMC is pleased to announce the release of Apache Solr 5.5.4.

Solr is the popular, blazing fast, open source NoSQL search platform from the Apache Lucene project. Its major features include powerful full-text search, hit highlighting, faceted search and analytics, rich document parsing, geospatial search, extensive REST APIs as well as parallel SQL. Solr is enterprise grade, secure and highly scalable, providing fault tolerant distributed search and indexing, and powers the search and navigation features of many of the world's largest internet sites.

Solr 5.5.4 is available for immediate download at: https://solr.apache.org/downloads.html

Highlights of this Solr release include:

Better validation of filename params in ReplicationHandler
Upgraded commons-fileupload to 1.3.2, fixing a potential vulnerability CVE-2016-3092

See the Solr CHANGES.txt files included with the release for a full list of details.

15 February 2017, CVE-2017-3163: Apache Solr ReplicationHandler path traversal attack** ¶

CVE-2017-3163: Apache Solr ReplicationHandler path traversal attack

Severity: Moderate

Vendor:
The Apache Software Foundation

Versions Affected:
Solr 1.4 to 6.4.0

Description:
When using the Index Replication feature, Solr nodes can pull index files from a master/leader node using an HTTP API which accepts a file name. However, Solr did not validate the file name, hence it was possible to craft a special request involving path traversal, leaving any file readable to the Solr server process exposed. Solr servers protected and restricted by firewall rules and/or authentication would not be at risk since only trusted clients and users would gain direct HTTP access.

Mitigation:

6.x users should upgrade to 6.4.1
5.x users should upgrade to 5.5.4
4.x, 3.x and 1.4 users should upgrade to a supported version of Solr or setup proper firewalling, or disable the ReplicationHandler if not in use.

Credit:
This issue was discovered by Hrishikesh Gadre of Cloudera Inc.

References:

6 February 2017, Apache Solr™ 6.4.1 Available ¶

The Lucene PMC is pleased to announce the release of Apache Solr 6.4.1.

Solr is the popular, blazing fast, open source NoSQL search platform from the Apache Lucene project. Its major features include powerful full-text search, hit highlighting, faceted search and analytics, rich document parsing, geospatial search, extensive REST APIs as well as parallel SQL. Solr is enterprise grade, secure and highly scalable, providing fault tolerant distributed search and indexing, and powers the search and navigation features of many of the world's largest internet sites.

Solr 6.4.1 is available for immediate download at: https://solr.apache.org/downloads.html

Highlights of this Solr release include:

"Plugin/Stats" section of the UI doesn't display empty metric types
SOLR_SSL_OPTS was mistakenly overwritten in solr.cmd
Better validation of filename params in ReplicationHandler
Core swapping did not work with new metrics changes in place
Admin UI could not find DataImport handlers due to metrics changes
AnalyzingInfixSuggester/BlendedInfixSuggester now work with core reload

See the Solr CHANGES.txt files included with the release for a full list of details.

23 January 2017, Apache Solr™ 6.4.0 Available ¶

The Lucene PMC is pleased to announce the release of Apache Solr 6.4.0.

Solr is the popular, blazing fast, open source NoSQL search platform from the Apache Lucene project. Its major features include powerful full-text search, hit highlighting, faceted search and analytics, rich document parsing, geospatial search, extensive REST APIs as well as parallel SQL. Solr is enterprise grade, secure and highly scalable, providing fault tolerant distributed search and indexing, and powers the search and navigation features of many of the world's largest internet sites.

Solr 6.4.0 is available for immediate download at: https://solr.apache.org/downloads.html

Highlights of this Solr release include:

Streaming:

Addition of a HavingStream to Streaming API and Streaming Expressions
Addition of a priority Streaming Expression
Streaming expressions now support collection aliases

Machine Learning:

Configurable Learning-To-Rank (LTR) support: upload feature definitions, extract feature values, upload your own machine learnt models and use them to rerank search results.

Faceting:

Added "param" query type to facet domain filter specification to obtain filters via query parameters
Any facet command can be filtered using a new parameter filter. Example: { type:terms, field:category, filter:"user:yonik" }

Scripts / Command line:

A new command-line tool to manage the snapshots functionality
bin/solr and bin/solr.cmd now use mkroot command

SolrCloud / SolrJ

LukeResponse now supports dynamic fields
Solrj client now supports hierarchical clusters and other topics marker
Collection backup/restore are extensible.

Security:

Support Secure Impersonation / Proxy User for Solr authentication
Key Store type can be specified in solr.in.sh file for SSL
New generic authentication plugins: 'HadoopAuthPlugin' and 'ConfigurableInternodeAuthHadoopPlugin' that delegate all functionality to Hadoop authentication framework

Query / QueryParser / Highlighting:

A new highlighter: The Unified Highlighter. Try it via hl.method=unified; many popular highlighting parameters / features are supported. It's the highest performing highlighter, especially for large documents. Highlighting phrase queries and exotic queries are supported equally as well as the Original Highlighter (aka the default/standard one). Please use this new highlighter and report issues since it will likely become the default one day.
Leading wildcard in complexphrase query parser are now accepted and optimized with the ReversedWildcardFilterFactory when it's provided

Metrics:

Use metrics-jvm library to instrument jvm internals such as GC, memory usage and others.
A lot of metrics have been added to the collection: index merges, index store I/Os, query, update, core admin, core load thread pools, shard replication, tlog replay and replicas
A new /admin/metrics API to return all metrics collected by Solr via API.

Misc changes:

The new config parameter 'maxRamMB'can now limit the memory consumed by the FastLRUCache
A new document processor 'SkipExistingDocumentsProcessor' that skips duplicate inserts and ignores updates to missing docs
FieldCache information fetched via the mbeans handler or seen via the UI now displays the total size used.
A new config flag 'enable' allows to enable/disable any cache

Please note, this release cannot be built from source with Java 8 update 121, use an earlier version instead! This is caused by a bug introduced into the Javadocs tool shipped with that update. The workaround was too late for this Lucene release. Of course, you can use the binary artifacts.

See the Solr CHANGES.txt files included with the release for a full list of details.

16 November 2016, Apache Solr Reference Guide for 6.3 Available ¶

The Lucene PMC is pleased to announce that the Solr Reference Guide for Solr 6.3 has been released.

This 736-page PDF is the definitive guide to using Apache Solr. It can be downloaded from:

https://www.apache.org/dyn/closer.cgi/lucene/solr/ref-guide/apache-solr-ref-guide-6.3.pdf

8 November 2016, Apache Solr™ 6.3.0 Available ¶

The Lucene PMC is pleased to announce the release of Apache Solr 6.3.0.

Solr is the popular, blazing fast, open source NoSQL search platform from the Apache Lucene project. Its major features include powerful full-text search, hit highlighting, faceted search and analytics, rich document parsing, geospatial search, extensive REST APIs as well as parallel SQL. Solr is enterprise grade, secure and highly scalable, providing fault tolerant distributed search and indexing, and powers the search and navigation features of many of the world's largest internet sites.

Solr 6.3.0 is available for immediate download at: https://solr.apache.org/downloads.html

Highlights of this Solr release include:

DocValues, streaming, /export, machine learning

Optimize, store and deploy AI models in Solr
Ability to add custom streaming expressions
New streaming expressions such as "fetch", "executor", and "commit" added.
Parallel SQL accepts <, >, =, etc., symbols.
Support facet scoring with the scoreNodes expression
Retrieving docValues as stored values was sped up by using the proper leaf reader rather than ask for a global view. In extreme cases, this leads to a 100x speedup.

Faceting:

facet.method=enum can bypass exact counts calculation with facet.exists=true, it just returns 1 for terms which exists in result docset
Add "overrequest" parameter to JSON Facet API to control amount of overrequest on a distributed terms facet

Logging:

You can now set Solr's log level through environment variable SOLR_LOG_LEVEL
GC logs are rotated by JVM to a max of 9 files, and backed up via bin/solr scripts
Solr's logging verbosity at the INFO level has been greatly reduced by moving much logging to DEBUG level
The solr-8983-console.log file now only logs STDOUT and STDERR output, not all log4j logs as before
Solr's main log file, solr.log, is now written to SOLR_LOGS_DIR without changing log4j.properties

Start scripts:

Allow 180 seconds for shutdown before killing solr (configurable, old limit 5s) (Unix only)
Start scripts now exits with informative message if using wrong Java version
Fixed "bin/solr.cmd zk upconfig" command which was broken on windows
You can now ask for DEBUG logging simply with '-v' option, and for WARN logging with '-q' option

SolrCloud:

The DELETEREPLICA API can accept a 'count' parameter and remove "count" number of replicas from each shard if the shard name is not provided
The config API shows expanded useParams for request handlers inline
Ability to create/delete/list snapshots at collection level
The modify collection API now waits for the modified properties to show up in the cluster state before returning
Many bug fixes related to SolrCloud recovery for data safety and faster recovery times.

Security:

SolrJ now supports Kerberos delegation tokens
Pooled SSL connections were not being re-used. This is now fixed.
Fix for the blockUnknown property which made inter-node communication impossible
Support SOLR_AUTHENTICATION_OPTS and SOLR_AUTHENTICATION_CLIENT_CONFIGURER in windows bin/solr.cmd script
New parameter -u in bin/post to pass basicauth credentials

Misc changes:

Optimizations to lower memory allocations when indexing JSON as well as for replication between solr cloud nodes.
A new Excel workbook (.xlsx) response writer has been added. Use 'wt=xlsx' request parameter on a query request to enable.

See the Solr CHANGES.txt files included with the release for a full list of details.

20 September 2016, Apache Solr™ 6.2.1 available ¶

The Lucene PMC is pleased to announce the release of Apache Solr 6.2.1

Solr is the popular, blazing fast, open source NoSQL search platform from the Apache Lucene project. Its major features include powerful full-text search, hit highlighting, faceted search, dynamic clustering, database integration, rich document (e.g., Word, PDF) handling, and geospatial search. Solr is highly scalable, providing fault tolerant distributed search and indexing, and powers the search and navigation features of many of the world's largest internet sites.

This release includes 11 bug fixes since the 6.2.0 release. Some of the major fixes are:

SOLR-9490: BoolField always returning false for non-DV fields when javabin involved (via solrj, or intra node communication)
SOLR-9188: BlockUnknown property makes inter-node communication impossible
SOLR-9389: HDFS Transaction logs stay open for writes which leaks Xceivers
SOLR-9438: Shard split can fail to write commit data on shutdown leading to data loss

Furthermore, this release includes Apache Lucene 6.2.1 which includes 3 bug fixes since the 6.2.0 release.

The release is available for immediate download at: https://www.apache.org/dyn/closer.lua/lucene/solr/6.2.1

See the CHANGES.txt file included with the release for a detailed list of changes.

13 September 2016, Apache Solr Reference Guide for 6.2 available ¶

The Lucene PMC is pleased to announce that the Solr Reference Guide for Solr 6.2 has been released.

This 717-page PDF is the definitive guide to using Apache Solr. It can be downloaded from:

https://www.apache.org/dyn/closer.cgi/lucene/solr/ref-guide/apache-solr-ref-guide-6.2.pdf

9 September 2016, Apache Solr 5.5.3 available ¶

The Lucene PMC is pleased to announce the release of Apache Solr 5.5.3

Solr is the popular, blazing fast, open source NoSQL search platform from the Apache Lucene project. Its major features include powerful full-text search, hit highlighting, faceted search, dynamic clustering, database integration, rich document (e.g., Word, PDF) handling, and geospatial search. Solr is highly scalable, providing fault tolerant distributed search and indexing, and powers the search and navigation features of many of the world's largest internet sites.

This release includes 5 bug fixes since the 5.5.2 release.

This release specially contains 2 critical fixes: * The number of TCP connections in CLOSE_WAIT state do not spike during indexing, * PeerSync no longer fails on a node restart due to IndexFingerPrint mismatch.

The release is available for immediate download at: https://www.apache.org/dyn/closer.lua/lucene/solr/5.5.3

See the CHANGES.txt file included with the release for a detailed list of changes.

25 August 2016, Apache Solr 6.2.0 available ¶

The Lucene PMC is pleased to announce the release of Apache Solr 6.2.0.

Solr is the popular, blazing fast, open source NoSQL search platform from the Apache Lucene project. Its major features include powerful full-text search, hit highlighting, faceted search and analytics, rich document parsing, geospatial search, extensive REST APIs as well as parallel SQL. Solr is enterprise grade, secure and highly scalable, providing fault tolerant distributed search and indexing, and powers the search and navigation features of many of the world's largest internet sites.

Solr 6.2.0 is available for immediate download at: https://solr.apache.org/downloads.html

Solr 6.2 Release Highlights:

DocValues, streaming, /export, machine learning

DocValues can now be used with BoolFields
Date and boolean support added to /export handler
Add "scoreNodes" streaming graph expression
Support parallel ETL with the "topic" expression
Feature selection and logistic regression on text via new streaming expressions: "features" and "train"

bin/solr script

Add basic auth support to the bin/solr script
File operations to/from Zookeeper are now supported

SolrCloud

New tag 'role' in replica placement rules, e.g. rule=role:!overseer keeps new repicas off overseer nodes
CDCR: fall back to whole-index replication when tlogs are insufficient
New REPLACENODE command to decommission an existing node and replace it with another new node
New DELETENODE command to delete all replicas on a node

Security

Add Kerberos delegation token support
Support secure impersonation / proxy user for Kerberos authentication

Misc changes

A large number of regressions were fixed in the new Admin UI
New boolean comparison function queries comparing numeric arguments: gt, gte, lt, lte, eq
Upgraded Extraction module to Apache Tika 1.13.
Updated to Hadoop 2.7.2

See the CHANGES.txt file included with the release for a detailed list of changes.

25 June 2016, Apache Solr 5.5.2 available ¶

The Lucene PMC is pleased to announce the release of Apache Solr 5.5.2

Solr is the popular, blazing fast, open source NoSQL search platform from the Apache Lucene project. Its major features include powerful full-text search, hit highlighting, faceted search, dynamic clustering, database integration, rich document (e.g., Word, PDF) handling, and geospatial search. Solr is highly scalable, providing fault tolerant distributed search and indexing, and powers the search and navigation features of many of the world's largest internet sites.

This release includes 38 bug fixes, documentation updates, etc., since the 5.5.1 release.

The release is available for immediate download at: https://www.apache.org/dyn/closer.lua/lucene/solr/5.5.2

See the CHANGES.txt file included with the release for a detailed list of changes.

17 June 2016, Apache Solr 6.1.0 available ¶

The Lucene PMC is pleased to announce the release of Apache Solr 6.1.0.

Solr is the popular, blazing fast, open source NoSQL search platform from the Apache Lucene project. Its major features include powerful full-text search, hit highlighting, faceted search and analytics, rich document parsing, geospatial search, extensive REST APIs as well as parallel SQL. Solr is enterprise grade, secure and highly scalable, providing fault tolerant distributed search and indexing, and powers the search and navigation features of many of the world's largest internet sites.

Solr 6.1.0 is available for immediate download at: https://solr.apache.org/downloads.html

Solr 6.1 Release Highlights:

Added graph traversal support, and new "sort" and "random" streaming expressions. It's also now possible to create streaming expressions with the Solr Admin UI.
Fixed the ENUM faceting method to not be unnecessarily rewritten to FCS, which was causing slowdowns.
Reduced garbage creation when creating cache entries.
New [subquery] document transformer to obtatin related documents per result doc.
EmbeddedSolrServer allocates heap much wisely even with plain document list without callbacks.
New GeoJSON response writer for encoding geographic data in query responses.

See the CHANGES.txt file included with the release for a detailed list of changes.

28 May 2016, Apache Solr 6.0.1 available ¶

The Lucene PMC is pleased to announce the release of Apache Solr 6.0.1

Solr is the popular, blazing fast, open source NoSQL search platform from the Apache Lucene project. Its major features include powerful full-text search, hit highlighting, faceted search, dynamic clustering, database integration, rich document (e.g., Word, PDF) handling, and geospatial search. Solr is highly scalable, providing fault tolerant distributed search and indexing, and powers the search and navigation features of many of the world's largest internet sites.

This release includes 31 bug fixes, documentation updates, etc., since the 6.0.0 release.

The release is available for immediate download at: https://www.apache.org/dyn/closer.lua/lucene/solr/6.0.1

See the CHANGES.txt file included with the release for a detailed list of changes.

5 May 2016, Apache Solr 5.5.1 Available ¶

The Lucene PMC is pleased to announce the release of Apache Solr 5.5.1

Solr is the popular, blazing fast, open source NoSQL search platform from the Apache Lucene project. Its major features include powerful full-text search, hit highlighting, faceted search, dynamic clustering, database integration, rich document (e.g., Word, PDF) handling, and geospatial search. Solr is highly scalable, providing fault tolerant distributed search and indexing, and powers the search and navigation features of many of the world's largest internet sites.

Solr 5.5.1 is available for immediate download at: https://www.apache.org/dyn/closer.lua/lucene/solr/5.5.1

This release contains a number of bug fixes for Solr, as well we Lucene.

See the CHANGES.txt file included with the release for a full list of details.

25 April 2016, Solr Reference Guide for 6.0 Available ¶

The Lucene PMC is pleased to announce the release of the Solr Reference Guide for 6.0.

The Guide has been extensively updated for Solr 6.0, with new sections on Parallel SQL and Cross Data Center Replication.

The 660 page PDF can be downloaded from https://www.apache.org/dyn/closer.cgi/lucene/solr/ref-guide/apache-solr-ref-guide-6.0.pdf.

8 April 2016, Apache Solr 6.0.0 Available ¶

The Lucene PMC is pleased to announce the release of Apache Solr 6.0.0

Solr is the popular, blazing fast, open source NoSQL search platform from the Apache Lucene project. Its major features include powerful full-text search, hit highlighting, faceted search, dynamic clustering, database integration, rich document (e.g., Word, PDF) handling, and geospatial search. Solr is highly scalable, providing fault tolerant distributed search and indexing, and powers the search and navigation features of many of the world's largest internet sites.

Solr 6.0.0 is available for immediate download at: https://solr.apache.org/downloads.html

See the CHANGES.txt

Solr 6.0 Release Highlights:

Improved defaults for "Similarity" used in Solr, in order to provide better default experience for new users.
Improved "Similarity" defaults for users upgrading: DefaultSimilarityFactory has been removed, implicit default Similarity has been changed to SchemaSimilarityFactory, and SchemaSimilarityFactory has been modified to use BM25Similarity as the default for field types that do not explicitly declare a Similarity.
Deprecated GET methods for schema are now accessible through the bulk API. The output has less details and is not backward compatible.
Users should set useDocValuesAsStored="false" to preserve sort order on multi-valued fields that have both stored="true" and docValues="true".
Formatted date-times are more consistent with ISO-8601. BC dates are now better supported since they are now formatted with a leading '-'. AD years after 9999 have a leading '+'. Parse exceptions have been improved.
Deprecated SolrServer and subclasses have been removed, use SolrClient instead.
The deprecated configuration in solrconfig.xml has been removed. Users must remove it from solrconfig.xml.
SolrClient.shutdown() has been removed, use SolrClient.close() instead.
The deprecated zkCredientialsProvider element in solrcloud section of solr.xml is now removed. Use the correct spelling (zkCredentialsProvider) instead.
Added support for executing Parallel SQL queries across SolrCloud collections. Includes StreamExpression support and a new JDBC Driver for the SQL Interface.
New features and capabilities added to the streaming API.
Added support for SELECT DISTINCT queries to the SQL interface.
New GraphQuery to enable graph traversal as a query operator.
New support for Cross Data Center Replication consisting of active/passive replication for separate SolrClouds hosted in separate data centers.
Filter support added to Real-time get.
Column alias support added to the Parallel SQL Interface.
New command added to switch between non/secure mode in zookeeper.
Now possible to use IP fragments in replica placement rules.

22 February 2016, Apache Solr 5.5.0 and Reference Guide for 5.5 Available ¶

The Lucene PMC is pleased to announce the release of Apache Solr 5.5.0

Solr is the popular, blazing fast, open source NoSQL search platform from the Apache Lucene project. Its major features include powerful full-text search, hit highlighting, faceted search, dynamic clustering, database integration, rich document (e.g., Word, PDF) handling, and geospatial search. Solr is highly scalable, providing fault tolerant distributed search and indexing, and powers the search and navigation features of many of the world's largest internet sites.

Solr 5.5.0 is available for immediate download at: https://solr.apache.org/downloads.html

See the CHANGES.txt file included with the release for a full list of details.

This is expected to be the last 5.x feature release before Solr 6.0.

Release Highlights:

The schema version has been increased to 1.6, and Solr now returns non-stored doc values fields along with stored fields
The PERSIST CoreAdmin action has been removed
The mergePolicy element is deprecated in favor of a similar mergePolicyFactory element, in solrconfig.xml
CheckIndex now works on HdfsDirectory
RuleBasedAuthorizationPlugin now allows wildcards in the role, and accepts an 'all' permission
Users can now choose compression mode in SchemaCodecFactory
Solr now supports Lucene's XMLQueryParser
Collections APIs now have async support
Uninverted field faceting is re-enabled, for higher performance on rarely changing indices

Also available is the Solr Reference Guide for Solr 5.5. This PDF serves as the definitive user's manual for Solr 5.5. It can be downloaded from the Apache mirror network: https://s.apache.org/Solr-Ref-Guide-PDF

8 February 2016, Apache Lucene/Solr development moves to GIT ¶

As of January 23rd 2016, Lucene/Solr source code is hosted in Apache's GIT repository. This means that the old SVN repository is now stale and should not be used. For information on working with git, please consult the Solr web site and the wiki.

The GitHub mirror remains at the same location as before, but the contents have changed. We now have one unified repo preserving the full history of both Lucene and Solr. If you had a GitHub fork, you will find that it has changed its "forked from" location, and any Pull Request will go to that other fork instead of to the Lucene developers. The only known solution is to delete your existing fork and re-fork from GitHub.

If you had active code changes and Pull Requests against our old GitHub mirror, please see the wiki for some suggestions on how to proceed.

The PMC is happy to answer any question you may have regarding this change.

23 January 2016, Apache Solr 5.3.2 Available ¶

The Lucene PMC is pleased to announce the release of Apache Solr 5.3.2

Solr is the popular, blazing fast, open source NoSQL search platform from the Apache Lucene project. Its major features include powerful full-text search, hit highlighting, faceted search, dynamic clustering, database integration, rich document (e.g., Word, PDF) handling, and geospatial search. Solr is highly scalable, providing fault tolerant distributed search and indexing, and powers the search and navigation features of many of the world's largest internet sites.

Solr 5.3.2 is available for immediate download at: https://www.apache.org/dyn/closer.lua/lucene/solr/5.3.2

This release contains a number of bug fixes for Solr, as well we Lucene.

See the CHANGES.txt file included with the release for a full list of details.

23 January 2016, Apache Solr 5.4.1 Available ¶

The Lucene PMC is pleased to announce the release of Apache Solr 5.4.1

Solr is the popular, blazing fast, open source NoSQL search platform from the Apache Lucene project. Its major features include powerful full-text search, hit highlighting, faceted search, dynamic clustering, database integration, rich document (e.g., Word, PDF) handling, and geospatial search. Solr is highly scalable, providing fault tolerant distributed search and indexing, and powers the search and navigation features of many of the world's largest internet sites.

Solr 5.4.1 is available for immediate download at: https://solr.apache.org/downloads.html

This release especially contains a fix for a faceting bug that could cause facet counts to include deleted documents and a fix for a corruption bug that was introduced in version 5.4.0. If you are on 5.4.0 and using BINARY, SORTED_NUMERIC or SORTED_SET doc values, upgrading to 5.4.1 is strongly recommended.

See the CHANGES.txt file included with the release for a full list of details.

15 December 2015, Apache Solr Reference Guide for 5.4 Available ¶

Hot on the heels of the Solr 5.4.0 release (see below), the Lucene PMC is pleased to announce the release of the Apache Solr Reference Guide for Solr 5.4.

This 598 page PDF file can be downloaded from https://www.apache.org/dyn/closer.cgi/lucene/solr/ref-guide/.

14 December 2015, Apache Solr 5.4.0 Available ¶

The Lucene PMC is pleased to announce the release of Apache Solr 5.4.0

The release can be downloaded from https://solr.apache.org/downloads.html

Highlights of this Solr release include:

UI Changes

The rearchitected Admin UI is now prominently linked to from the existing UI, and includes support for managing collections as well as creating and removing fields via the schema tab. Expect it to be default in the next release.

API Features

New Collections APIs for migrating from clusterstate.json to per-collection state.json and forcing the election of a leader when all replicas in a shard are down.
A new configset management API has been added.

Querying Features

Filter cache is now accessible via a solr query syntax.
ScoreJoins can now refer to a single-sharded collection that is replicated on all nodes.
Add boost support, and 'exclude the queried document' in MoreLikeThis QParser.
Add a 'sort' local param to the collapse QParser to support using complex sort options to select the representitive doc for each collapsed group.

Other Features

SolrJ now has support for connecting to Solr using basic authentication.
Analyzing suggesters can now filter suggestions by a context field.
JSON Facet API: add "method" param to terms/field facets to give an execution hint for what method should be used to facet.
CloneFieldUpdateProcessorFactory now supports choosing a "dest" field name based on a regex pattern and replacement init options.
Provide pluggable context tool support for VelocityResponseWriter.

24 September 2015, Apache Solr 5.3.1 Available ¶

The Lucene PMC is pleased to announce the release of Apache Solr 5.3.1

The release can be downloaded from https://solr.apache.org/downloads.html

Highlights of this Solr release include:

Bug Fixes

security.json is not loaded on server start
RuleBasedAuthorization plugin does not work for the collection-admin-edit permission
VelocityResponseWriter template encoding issue. Templates must be UTF-8 encoded
SimplePostTool (also bin/post) -filetypes "*" now works properly in 'web' mode
example/files update-script.js to be Java 7 and 8 compatible.
SolrJ could not make requests to handlers with '/admin/' prefix
Use of timeAllowed can cause incomplete filters to be cached and incorrect results to be returned on subsequent requests
VelocityResponseWriter's $resource.get(key,baseName,locale) to use specified locale.
Resolve XSS issue in Admin UI stats page

24 August 2015, Apache Solr 5.3.0 and Reference Guide for 5.3 available ¶

Solr is the popular, blazing fast, open source NoSQL search platform from the Apache Lucene project. Its major features include powerful full-text search, hit highlighting, faceted search, dynamic clustering, database integration, rich document (e.g., Word, PDF) handling, and geospatial search. Solr is highly scalable, providing fault tolerant distributed search and indexing, and powers the search and navigation features of many of the world's largest internet sites.

Solr 5.3.0 is available for immediate download at: https://solr.apache.org/downloads.html

Solr 5.3 Release Highlights:

In addition to many other improvements in the security framework, Solr now includes an AuthenticationPlugin implementing HTTP Basic Auth that stores credentials securely in ZooKeeper. This is a simple way to require a username and password for anyone accessing Solr’s admin screen or APIs.
In built AuthorizationPlugin that provides fine grained control over implementing ACLs for various resources with permisssion rules which are stored in ZooKeeper.
The JSON Facet API can now change the domain for facet commands, essentially doing a block join and moving from parents to children, or children to parents before calculating the facet data.
Major improvements in performance of the new Facet Module / JSON Facet API.
Query and Range Facets under Pivot Facets. Just like the JSON Facet API, pivot facets can how nest other facet types such as range and query facets.
More Like This Query Parser options. The MoreLikeThis QParser now supports all options provided by the MLT Handler. The query parser is much more versatile than the handler as it works in cloud mode as well as anywhere a normal query can be specified.
Added Schema API support in SolrJ
Added Scoring mode for query-time join and block join.
Added Smile response format

See the CHANGES.txt file included with the release for a full list of details.

Please report any feedback to the mailing lists

15 June 2015, Apache Solr 5.2.1 available ¶

The Lucene PMC is pleased to announce the release of Apache Solr 5.2.1

Solr is the popular, blazing fast, open source NoSQL search platform from the Apache Lucene project. Its major features include powerful full-text search, hit highlighting, faceted search, dynamic clustering, database integration, rich document (e.g., Word, PDF) handling, and geospatial search. Solr is highly scalable, providing fault tolerant distributed search and indexing, and powers the search and navigation features of many of the world's largest internet sites.

This release contains various bug fixes and optimizations since the 5.2.0 release. The release is available for immediate download at: https://solr.apache.org/downloads.html

See the CHANGES.txt file included with the release for a full list of details.

Solr 5.2.1 includes 8 bug fixes and 2 other changes.

Release Highlights:

Fix javascript bug introduced by SOLR-7409 that breaks the dataimport screen in the admin UI
Faceting on a numeric field with a unique() subfacet function on another numeric field can result in incorrect results or an exception
New Facet Module should respect shards.tolerant and process all non-failing shards instead of throwing an exception
A request with a json content type but no body caused a null pointer exception
SolrOutputFormat creates an invalid solr.xml in the solr home zip for MapReduceIndexerTool
Fix new (Angular-based) admin UI Cloud pane
The DefaultSolrHighlighter since 5.0 was determining if payloads were present in a way that was slow, especially when lots of fields were highlighted. It's now fast
Requests are not distributed evenly if the collection isn't present locally

See the CHANGES.txt file included with the release for a full list of changes and further details.

Please report any feedback to the mailing lists

7 June 2015, Apache Solr 5.2.0 and Reference Guide for 5.2 available ¶

Solr is the popular, blazing fast, open source NoSQL search platform from the Apache Lucene project. Its major features include powerful full-text search, hit highlighting, faceted search, dynamic clustering, database integration, rich document (e.g., Word, PDF) handling, and geospatial search. Solr is highly scalable, providing fault tolerant distributed search and indexing, and powers the search and navigation features of many of the world's largest internet sites.

Solr 5.2.0 is available for immediate download at: https://solr.apache.org/downloads.html

See the CHANGES.txt file included with the release for a full list of details.

Solr 5.2.0 Release Highlights:

Restore API allows restoring a core from an index backup.
JSON Facet API
- unique() is now implemented for numeric and date fields
- Optional flatter form via a "type" parameter
- Added support for "mincount" parameter in range facets to suppress buckets less than that count
- Multi-select faceting support for the Facet Module via the "excludeTags" parameter which disregards any matching tagged filters for that facet.
- hll() facet function for distributed cardinality via HyperLogLog algorithm. See examples at http://yonik.com/solr-count-distinct/
A new "facet.range.method" parameter to let users choose how to do range faceting between an implementation based on filters (previous algorithm, using "facet.range.method=filter") or DocValues ("facet.range.method=dv")
Rule-based Replica assignment during collection, shard, and replica creation.
Stats component:
- New 'cardinality' option for stats.field, uses HyperLogLog to efficiently estimate the cardinality of a field w/bounded RAM. Blog post: https://lucidworks.com/blog/hyperloglog-field-value-cardinality-stats/
- stats.field now supports individual local params for 'countDistinct' and 'distinctValues'. 'calcdistinct' is still supported as an alias for both options.
Solr security
- Authentication and Authorization frameworks that define interfaces, and mechanisms to create, load, and use authorization/authentication plugins have been added.
- A Kerberos authentication plugin which would allow running a Kerberized Solr setup.
Solr Streaming Expressions See https://cwiki.apache.org/confluence/display/solr/Streaming+Expressions
bin/post (and SimplePostTool in -Dauto=yes mode) now sends rather than skips files without a known content type, as "application/octet-stream", provided it still is in the allowed filetypes setting.
HDFS transaction log replication factor is now configurable
A cluster-wide property can now be be added/edited/deleted using the zkcli script and doesn't require a running Solr instance.
New spatial RptWithGeometrySpatialField, based on CompositeSpatialStrategy, which blends RPT indexes for speed with serialized geometry for accuracy. Includes a Lucene segment based in-memory shape cache.
Refactored Admin UI using AngularJS. It isn't the default, but a parallel UI interface in this release.
Solr has internally been upgraded to use Jetty 9.

Solr 5.2.0 also includes many other new features as well as numerous optimizations and bugfixes of the corresponding Apache Lucene release.

Also available is the Solr Reference Guide for Solr 5.2. This 591 page PDF serves as the definitive user's manual for Solr 5.2. It can be downloaded from the Apache mirror network: https://s.apache.org/Solr-Ref-Guide-PDF

22 April 2015, Apache Solr Reference Guide Available ¶

The Lucene PMC is pleased to announce the availability of the Apache Solr Reference Guide for Solr 5.1.

This 578 page PDF serves is the definitive user's manual for Solr. For this version, we've updated the Guide for several new features and changes and given the PDF a bit of a facelift for easier reading.

The Guide can be downloaded from https://www.apache.org/dyn/closer.lua/lucene/solr/ref-guide/apache-solr-ref-guide-5.1.pdf.

14 April 2015, Apache Solr 5.1.0 Available ¶

The Lucene PMC is pleased to announce the release of Apache Solr 5.1.0.

Solr is the popular, blazing fast, open source NoSQL search platform from the Apache Lucene project. Its major features include powerful full-text search, hit highlighting, faceted search, dynamic clustering, database integration, rich document (e.g., Word, PDF) handling, and geospatial search. Solr is highly scalable, providing fault tolerant distributed search and indexing, and powers the search and navigation features of many of the world's largest internet sites.

Solr 5.1.0 is available for immediate download at: https://www.apache.org/dyn/closer.lua/lucene/solr/5.1.0

Solr 5.1.0 includes 39 new features, 40 bug fixes, and 36 optimizations / other changes from over 60 unique contributors.

See the CHANGES.txt file included with the release for a full list of details.

5 March 2015, Apache Solr 4.10.4 Available ¶

The Lucene PMC is pleased to announce the release of Apache Solr 4.10.4

Solr is the popular, blazing fast, open source NoSQL search platform from the Apache Lucene project. Its major features include powerful full-text search, hit highlighting, faceted search, dynamic clustering, database integration, rich document (e.g., Word, PDF) handling, and geospatial search. Solr is highly scalable, providing fault tolerant distributed search and indexing, and powers the search and navigation features of many of the world's largest internet sites.

Solr 4.10.4 is available for immediate download at: https://www.apache.org/dyn/closer.lua/lucene/solr/4.10.4

Solr 4.10.4 includes 24 bug fixes as well as Lucene 4.10.4 and its 13 bug fixes.

See the CHANGES.txt file included with the release for a full list of details.

20 February 2015, Apache Solr 5.0.0 and Reference Guide for 5.0 available ¶

Solr is the popular, blazing fast, open source NoSQL search platform from the Apache Lucene project. Its major features include powerful full-text search, hit highlighting, faceted search, dynamic clustering, database integration, rich document (e.g., Word, PDF) handling, and geospatial search. Solr is highly scalable, providing fault tolerant distributed search and indexing, and powers the search and navigation features of many of the world's largest internet sites.

Solr 5.0 is available for immediate download at: https://solr.apache.org/downloads.html

See the CHANGES.txt file included with the release for a full list of details.

Solr 5.0 Release Highlights:

Usability improvements that include improved bin scripts and new and restructured examples.
Scripts to support installing and running Solr as a service on Linux.
Distributed IDF is now supported and can be enabled via the config. Currently, there are four supported implementations for the same:
- LocalStatsCache: Local document stats.
- ExactStatsCache: One time use aggregation
- ExactSharedStatsCache: Stats shared across requests
- LRUStatsCache: Stats shared in an LRU cache across requests
Solr will no longer ship a war file and instead be a downloadable application.
SolrJ now has first class support for Collections API.
Implicit registration of replication,get and admin handlers.
Config API that supports paramsets for easily configuring solr parameters and configuring fields. This API also supports managing of pre-existing request handlers and editing common solrconfig.xml via overlay.
API for managing blobs allows uploading request handler jars and registering them via config API.
BALANCESHARDUNIQUE Collection API that allows for even distribution of custom replica properties.
There's now an option to not shuffle the nodeSet provided during collection creation.
Option to configure bandwidth usage by Replication handler to prevent it from using up all the bandwidth.
Splitting of clusterstate to per-collection enables scalability improvement in SolrCloud. This is also the default format for new Collections that would be created going forward.
timeAllowed is now used to prematurely terminate requests during query expansion and SolrClient request retry.
pivot.facet results can now include nested stats.field results constrained by those pivots.
stats.field can be used to generate stats over the results of arbitrary numeric functions. It also allows for requesting for statistics for pivot facets using tags.
A new DateRangeField has been added for indexing date ranges, especially multi-valued ones.
Spatial fields that used to require units=degrees now take distanceUnits=degrees/kilometers miles instead.
MoreLikeThis query parser allows requesting for documents similar to an existing document and also works in SolrCloud mode.
Logging improvements:
- Transaction log replay status is now logged
- Optional logging of slow requests.

Solr 5.0 also includes many other new features as well as numerous optimizations and bugfixes of the corresponding Apache Lucene release.

Also available is the Solr Reference Guide for Solr 5.0. This 535 page PDF serves as the definitive user's manual for Solr 5.0. It can be downloaded from the Apache mirror network: https://s.apache.org/Solr-Ref-Guide-PDF

29 December 2014, Apache Solr 4.10.3 Available ¶

The Lucene PMC is pleased to announce the release of Apache Solr 4.10.3

Solr is the popular, blazing fast, open source NoSQL search platform from the Apache Lucene project. Its major features include powerful full-text search, hit highlighting, faceted search, dynamic clustering, database integration, rich document (e.g., Word, PDF) handling, and geospatial search. Solr is highly scalable, providing fault tolerant distributed search and indexing, and powers the search and navigation features of many of the world's largest internet sites.

Solr 4.10.3 is available for immediate download at: https://solr.apache.org/downloads.html

Solr 4.10.3 includes 21 bug fixes, 5 other changes, as well as Lucene 4.10.3 and its 12 bug fixes.

This release fixes the following security vulnerability that has affected Solr since the Solr 4.0 Alpha release.

CVE-2014-3628: Stored XSS vulnerability in Solr Admin UI.

Information disclosure: The Solr Admin UI Plugin / Stats page does not escape data values which allows an attacker to execute javascript by executing a query that will be stored and displayed via the 'fieldvaluecache' object.

See the CHANGES.txt file included with the release for a full list of details, and Happy Holidays!

31 October 2014, Apache Solr 4.10.2 Available ¶

The Lucene PMC is pleased to announce the release of Apache Solr 4.10.2

Solr is the popular, blazing fast, open source NoSQL search platform from the Apache Lucene project. Its major features include powerful full-text search, hit highlighting, faceted search, dynamic clustering, database integration, rich document (e.g., Word, PDF) handling, and geospatial search. Solr is highly scalable, providing fault tolerant distributed search and indexing, and powers the search and navigation features of many of the world's largest internet sites.

Solr 4.10.2 is available for immediate download at: https://solr.apache.org/downloads.html

Solr 4.10.2 includes 10 bug fixes, as well as Lucene 4.10.2 and its 2 bug fixes.

See the CHANGES.txt file included with the release for a full list of details, and Happy Halloween!

29 September 2014, Apache Solr 4.10.1 Available ¶

The Lucene PMC is pleased to announce the release of Apache Solr 4.10.1

Solr is the popular, blazing fast, open source NoSQL search platform from the Apache Lucene project. Its major features include powerful full-text search, hit highlighting, faceted search, dynamic clustering, database integration, rich document (e.g., Word, PDF) handling, and geospatial search. Solr is highly scalable, providing fault tolerant distributed search and indexing, and powers the search and navigation features of many of the world's largest internet sites.

Solr 4.10.1 is available for immediate download at: https://solr.apache.org/downloads.html

Solr 4.10.1 includes 6 bug fixes, as well as Lucene 4.10.1 and its 7 bug fixes.

See the CHANGES.txt file included with the release for a full list of details.

22 September 2014, Apache Solr 4.9.1 Available ¶

The Lucene PMC is pleased to announce the release of Apache Solr 4.9.1

Solr is the popular, blazing fast, open source NoSQL search platform from the Apache Lucene project. Its major features include powerful full-text search, hit highlighting, faceted search, dynamic clustering, database integration, rich document (e.g., Word, PDF) handling, and geospatial search. Solr is highly scalable, providing fault tolerant distributed search and indexing, and powers the search and navigation features of many of the world's largest internet sites.

Solr 4.9.1 is available for immediate download at: https://solr.apache.org/downloads.html

Solr 4.9.1 includes 2 bug fixes, as well as Lucene 4.9.1 and its 7 bug fixes.

See the CHANGES.txt file included with the release for a full list of details.

7 September 2014, Apache Solr Ref Guide for 4.10 Available ¶

The Lucene PMC is pleased to announce that there is a new version of the Solr Reference Guide for Solr 4.10.

The 511 page PDF serves as the definitive user's manual for Solr 4.10. It can be downloaded from the Apache mirror network: https://www.apache.org/dyn/closer.lua/lucene/solr/ref-guide/.

3 September 2014, Apache Solr 4.10.0 Available ¶

The Lucene PMC is pleased to announce the release of Apache Solr 4.10.0

Solr is the popular, blazing fast, open source NoSQL search platform from the Apache Lucene project. Its major features include powerful full-text search, hit highlighting, faceted search, dynamic clustering, database integration, rich document (e.g., Word, PDF) handling, and geospatial search. Solr is highly scalable, providing fault tolerant distributed search and indexing, and powers the search and navigation features of many of the world's largest internet sites.

Solr 4.10.0 is available for immediate download at: https://solr.apache.org/downloads.html

See the CHANGES.txt file included with the release for a full list of details.

Solr 4.10.0 Release Highlights:

This release upgrades Solr Cell's (contrib/extraction) dependency on Apache POI to mitigate 2 security vulnerabilities.
Scripts for starting, stopping, and running Solr examples
Distributed query support for facet.pivot
Interval Faceting for Doc Values fields
New "terms" QParser for efficiently filtering documents by a list of values

18 August 2014, Recommendation to update Apache POI in Apache Solr 4.8.0, 4.8.1, and 4.9.0 installations ¶

Apache Solr versions 4.8.0, 4.8.1, 4.9.0 bundle Apache POI 3.10-beta2 with its binary release tarball. This version (and all previous ones) of Apache POI are vulnerable to the following issues:

CVE-2014-3529: XML External Entity (XXE) problem in Apache POI's OpenXML parser

Information disclosure: Apache POI uses Java's XML components to parse OpenXML files produced by Microsoft Office products (DOCX, XLSX, PPTX,...). Applications that accept such files from end-users are vulnerable to XML External Entity (XXE) attacks, which allows remote attackers to bypass security restrictions and read arbitrary files via a crafted OpenXML document that provides an XML external entity declaration in conjunction with an entity reference.

CVE-2014-3574: XML Entity Expansion (XEE) problem in Apache POI's OpenXML parser

Denial of service: Apache POI uses Java's XML components and Apache Xmlbeans to parse OpenXML files produced by Microsoft Office products (DOCX, XLSX, PPTX,...). Applications that accept such files from end-users are vulnerable to XML Entity Expansion (XEE) attacks ("XML bombs"), which allows remote hackers to consume large amounts of CPU resources.

The Apache POI PMC released a bugfix version (3.10.1) today.

Solr users are affected by these issues, if they enable the "Apache Solr Content Extraction Library (Solr Cell)" contrib module from the folder "contrib/extraction" of the release tarball.

Users of Apache Solr are strongly advised to keep the module disabled if they don't use it. Alternatively, users of Apache Solr 4.8.0, 4.8.1, or 4.9.0 can update the affected libraries by replacing the vulnerable JAR files in the distribution folder. Users of previous versions have to update their Solr release first, patching older versions is impossible.

To replace the vulnerable JAR files follow these steps:

Download the Apache POI 3.10.1 binary release.
Unzip the archive.
Delete the following files in your "solr-4.X.X/contrib/extraction/lib" folder:
- poi-3.10-beta2.jar
- poi-ooxml-3.10-beta2.jar
- poi-ooxml-schemas-3.10-beta2.jar
- poi-scratchpad-3.10-beta2.jar
- xmlbeans-2.3.0.jar
Copy the following files from the base folder of the Apache POI distribution to the "solr-4.X.X/contrib/extraction/lib" folder:
- poi-3.10.1-20140818.jar
- poi-ooxml-3.10.1-20140818.jar
- poi-ooxml-schemas-3.10.1-20140818.jar
- poi-scratchpad-3.10.1-20140818.jar
Copy "xmlbeans-2.6.0.jar" from POI's "ooxml-lib/" folder to the "solr-4.X.X/contrib/extraction/lib" folder.
Verify that the "solr-4.X.X/contrib/extraction/lib" no longer contains any files with version number "3.10-beta2".
Verify that the folder contains one xmlbeans JAR file with version 2.6.0.

If you just want to disable extraction of Microsoft Office documents, delete the files above and don't replace them. "Solr Cell" will automatically detect this and disable Microsoft Office document extraction.

Coming versions of Apache Solr will have the updated libraries bundled.

18 August 2014, CVE-2014-3529, CVE-2014-3574: Recommendation to update Apache POI in Apache Solr 4.8.0, 4.8.1, and 4.9.0 installations ¶

Apache Solr versions 4.8.0, 4.8.1, 4.9.0 bundle Apache POI 3.10-beta2 with its binary release tarball. This version (and all previous ones) of Apache POI are vulnerable to the following issues:

CVE-2014-3529: XML External Entity (XXE) problem in Apache POI's OpenXML parser

CVE-2014-3574: XML Entity Expansion (XEE) problem in Apache POI's OpenXML parser

The Apache POI PMC released a bugfix version (3.10.1) today.

Solr users are affected by these issues, if they enable the "Apache Solr Content Extraction Library (Solr Cell)" contrib module from the folder "contrib/extraction" of the release tarball.

To replace the vulnerable JAR files follow these steps:

Download the Apache POI 3.10.1 binary release.
Unzip the archive.
Delete the following files in your "solr-4.X.X/contrib/extraction/lib" folder:
- poi-3.10-beta2.jar
- poi-ooxml-3.10-beta2.jar
- poi-ooxml-schemas-3.10-beta2.jar
- poi-scratchpad-3.10-beta2.jar
- xmlbeans-2.3.0.jar
Copy the following files from the base folder of the Apache POI distribution to the "solr-4.X.X/contrib/extraction/lib" folder:
- poi-3.10.1-20140818.jar
- poi-ooxml-3.10.1-20140818.jar
- poi-ooxml-schemas-3.10.1-20140818.jar
- poi-scratchpad-3.10.1-20140818.jar
Copy "xmlbeans-2.6.0.jar" from POI's "ooxml-lib/" folder to the "solr-4.X.X/contrib/extraction/lib" folder.
Verify that the "solr-4.X.X/contrib/extraction/lib" no longer contains any files with version number "3.10-beta2".
Verify that the folder contains one xmlbeans JAR file with version 2.6.0.

Coming versions of Apache Solr will have the updated libraries bundled.

30 June 2014, Apache Solr Ref Guide for 4.9 Available ¶

The Lucene PMC is pleased to announce that there is a new version of the Solr Reference Guide for Solr 4.9.

The 408 page PDF serves as the definitive user's manual for Solr 4.9. It can be downloaded from the Apache mirror network: https://www.apache.org/dyn/closer.lua/lucene/solr/ref-guide/.

25 June 2014, Apache Solr 4.9.0 Available ¶

The Lucene PMC is pleased to announce the release of Apache Solr 4.9.0

Solr is the popular, blazing fast, open source NoSQL search platform from the Apache Lucene project. Its major features include powerful full-text search, hit highlighting, faceted search, dynamic clustering, database integration, rich document (e.g., Word, PDF) handling, and geospatial search. Solr is highly scalable, providing fault tolerant distributed search and indexing, and powers the search and navigation features of many of the world's largest internet sites.

Solr 4.9.0 is available for immediate download at: https://solr.apache.org/downloads.html

See the CHANGES.txt file included with the release for a full list of details.

Solr 4.9.0 Release Highlights:

Numerous optimizations for doc values search-time performance
Allow a client application to request the minium achieved replication factor for an update request (single or batch) by sending an optional parameter "min_rf".
Query re-ranking support with the new ReRankingQParserPlugin.
A new [child ...] DocTransformer for optionally including Block-Join decendent documents inline in the results of a search.
A new (default) Lucene49NormsFormat to better compress certain cases such as very short fields.

20 May 2014, Apache Solr 4.8.1 Available ¶

The Lucene PMC is pleased to announce the release of Apache Solr 4.8.1

Solr is the popular, blazing fast, open source NoSQL search platform from the Apache Lucene project. Its major features include powerful full-text search, hit highlighting, faceted search, dynamic clustering, database integration, rich document (e.g., Word, PDF) handling, and geospatial search. Solr is highly scalable, providing fault tolerant distributed search and indexing, and powers the search and navigation features of many of the world's largest internet sites.

Solr 4.8.1 is available for immediate download at: https://solr.apache.org/downloads.html

Solr 4.8.1 includes 10 bug fixes, as well as Lucene 4.8.1 and its bug fixes.

See the CHANGES.txt file included with the release for a full list of details.

2 May 2014, Apache Solr Ref Guide for 4.8 Available ¶

The Lucene PMC is pleased to announce that there is a new version of the Solr Reference Guide available for Solr 4.8.

The 396 page PDF serves as the definitive user's manual for Solr 4.8. It can be downloaded from the Apache mirror network: https://www.apache.org/dyn/closer.lua/lucene/solr/ref-guide/

28 April 2014, Apache Solr 4.8.0 Available ¶

The Lucene PMC is pleased to announce the release of Apache Solr 4.8.0

Solr is the popular, blazing fast, open source NoSQL search platform from the Apache Lucene project. Its major features include powerful full-text search, hit highlighting, faceted search, dynamic clustering, database integration, rich document (e.g., Word, PDF) handling, and geospatial search. Solr is highly scalable, providing fault tolerant distributed search and indexing, and powers the search and navigation features of many of the world's largest internet sites.

Solr 4.8.0 is available for immediate download at: https://solr.apache.org/downloads.html

See the CHANGES.txt file included with the release for a full list of details.

Solr 4.8.0 Release Highlights:

Apache Solr now requires Java 7 or greater (recommended is Oracle Java 7 or OpenJDK 7, minimum update 55; earlier versions have known JVM bugs affecting Solr).
Apache Solr is fully compatible with Java 8.
<fields> and <types> tags have been deprecated from schema.xml. There is no longer any reason to keep them in the schema file, they may be safely removed. This allows intermixing of <fieldType>, <field> and <copyField> definitions if desired.
The new {!complexphrase} query parser supports wildcards, ORs etc. inside Phrase Queries.
New Collections API CLUSTERSTATUS action reports the status of collections, shards, and replicas, and also lists collection aliases and cluster properties.
Added managed synonym and stopword filter factories, which enable synonym and stopword lists to be dynamically managed via REST API.
JSON updates now support nested child documents, enabling {!child} and {!parent} block join queries.
Added ExpandComponent to expand results collapsed by the CollapsingQParserPlugin, as well as the parent/child relationship of nested child documents.
Long-running Collections API tasks can now be executed asynchronously; the new REQUESTSTATUS action provides status.
Added a hl.qparser parameter to allow you to define a query parser for hl.q highlight queries.
In Solr single-node mode, cores can now be created using named configsets.
New DocExpirationUpdateProcessorFactory supports computing an expiration date for documents from the "TTL" expression, as well as automatically deleting expired documents on a periodic basis.

Solr 4.8.0 also includes many other new features as well as numerous optimizations and bugfixes of the corresponding Apache Lucene release.

15 April 2014, Apache Solr 4.7.2 Available ¶

The Lucene PMC is pleased to announce the release of Apache Solr 4.7.2

Solr is the popular, blazing fast, open source NoSQL search platform from the Apache Lucene project. Its major features include powerful full-text search, hit highlighting, faceted search, dynamic clustering, database integration, rich document (e.g., Word, PDF) handling, and geospatial search. Solr is highly scalable, providing fault tolerant distributed search and indexing, and powers the search and navigation features of many of the world's largest internet sites.

Solr 4.7.2 is available for immediate download at: https://solr.apache.org/downloads.html

Solr 4.7.2 includes 2 bug fixes, as well as Lucene 4.7.2 and its bug fixes.

See the CHANGES.txt file included with the release for a full list of details.

2 April 2014, Apache Solr 4.7.1 Available ¶

The Lucene PMC is pleased to announce the release of Apache Solr 4.7.1

Solr is the popular, blazing fast, open source NoSQL search platform from the Apache Lucene project. Its major features include powerful full-text search, hit highlighting, faceted search, dynamic clustering, database integration, rich document (e.g., Word, PDF) handling, and geospatial search. Solr is highly scalable, providing fault tolerant distributed search and indexing, and powers the search and navigation features of many of the world's largest internet sites.

Solr 4.7.1 is available for immediate download at: https://solr.apache.org/downloads.html

Solr 4.7.1 includes 28 bug fixes and one new configuration setting, as well as Lucene 4.7.1 and its bug fixes.

See the CHANGES.txt file included with the release for a full list of details.

12 March 2014, Apache Solr 4.8 will require Java 7 ¶

The Apache Solr committers decided with a large majority on the vote to require Java 7 for the next minor release of Apache Solr (version 4.8)!

The next release will also contain some improvements for Java 7:

Better file handling (especially on Windows) in the directory implementations. Files can now be deleted on windows, although the index is still open - like it was always possible on Unix environments (delete on last close semantics).
Speed improvements in sorting comparators: Sorting now uses Java 7's own comparators for integer and long sorts, which are highly optimized by the Hotspot VM.

If you want to stay up-to-date with Lucene and Solr, you should upgrade your infrastructure to Java 7. Please be aware that you must use at least use Java 7u1. The recommended version at the moment is Java 7u25. Later versions like 7u40, 7u45,... have a bug causing index corrumption. Ideally use the Java 7u60 prerelease, which has fixed this bug. Once 7u60 is out, this will be the recommended version. In addition, there is no more Oracle/BEA JRockit available for Java 7, use the official Oracle Java 7. JRockit was never working correctly with Lucene/Solr (causing index corrumption), so this should not be an issue. Please also review our list of JVM bugs: http://wiki.apache.org/lucene-java/JavaBugs

EDIT (as of 15 April 2014): The recently released Java 7u55 fixes the above bug causing index corrumption. This version is now the recommended version for running Apache Solr.

5 March 2014, Apache Solr Ref Guide for 4.7 Available ¶

The Lucene PMC is pleased to announce that there is a new version of the Solr Reference Guide available for Solr 4.7.

The 395 page PDF serves as the definitive user's manual for Solr 4.7. It can be downloaded from the Apache mirror network: https://www.apache.org/dyn/closer.lua/lucene/solr/ref-guide/

26 February 2014, Apache Solr 4.7.0 Available ¶

The Lucene PMC is pleased to announce the release of Apache Solr 4.7

Solr is the popular, blazing fast, open source NoSQL search platform from the Apache Lucene project. Its major features include powerful full-text search, hit highlighting, faceted search, dynamic clustering, database integration, rich document (e.g., Word, PDF) handling, and geospatial search. Solr is highly scalable, providing fault tolerant distributed search and indexing, and powers the search and navigation features of many of the world's largest internet sites.

Solr 4.7 is available for immediate download at: https://solr.apache.org/mirrors-solr-latest-redir.html

See the CHANGES.txt file included with the release for a full list of details.

Solr 4.7 Release Highlights:

A new migrate collection API to split all documents with a route key into another collection.
Added support for tri-level compositeId routing.
Admin UI - Added a new Files conf directory browser/file viewer.
Add a QParserPlugin for Lucene's SimpleQueryParser.
Suggest improvements: a new SuggestComponent that fully utilizes the Lucene suggester module; queries can now use multiple suggesters; Lucene's FreeTextSuggester and BlendedInfixSuggester are now supported.
New cursorMark request param for efficient deep paging of sorted result sets. See http://s.apache.org/cursorpagination
Add a Solr contrib that allows for building Solr indexes via Hadoop's MapReduce.
Upgrade to Spatial4j 0.4. Various new options are now exposed automatically for an RPT field type. See Spatial4j CHANGES & javadocs. https://github.com/spatial4j/spatial4j/blob/master/CHANGES.md
SSL support for SolrCloud.

Solr 4.7 also includes many other new features as well as numerous optimizations and bugfixes.

Solr™ News¶

25 October 2024, Solr 8 reaches End-Of-Life ¶

14 October 2024, CVE-2024-45216: Apache Solr: Authentication bypass possible using a fake URL Path ending ¶

14 October 2024, CVE-2024-45217: Apache Solr: ConfigSets created during a backup restore command are trusted implicitly ¶

24 September 2024, Apache Solr™ 8.11.4 available ¶

Solr 8.11.4 Release Highlights:

9 September 2024, Apache Solr™ 9.7.0 available ¶

Solr 9.7.0 Release Highlights

29 May 2024, Apache Solr™ 9.6.1 available ¶

Solr 9.6.1 Release Highlights:

27 April 2024, Apache Solr™ 9.6.0 available ¶

Solr 9.6.0 Release Highlights:

12 April 2024, CVE-2024-31391: Solr-Operator liveness and readiness probes may leak basic auth credentials ¶

12 February 2024, Apache Solr™ 9.5.0 available ¶

Solr 9.5.0 Release Highlights:

8 February 2024, Apache Solr™ 8.11.3 available ¶

Solr 8.11.3 Release Highlights:

Security

Bugfixes

Features

8 February 2024, CVE-2023-50291: Apache Solr can leak certain passwords due to System Property redaction logic inconsistencies ¶

8 February 2024, CVE-2023-50292: Apache Solr Schema Designer blindly "trusts" all configsets, possibly leading to RCE by unauthenticated users ¶

8 February 2024, CVE-2023-50298: Apache Solr can expose ZooKeeper credentials via Streaming Expressions ¶

8 February 2024, CVE-2023-50386: Apache Solr: Backup/Restore APIs allow for deployment of executables in malicious ConfigSets ¶

18 January 2024, Apache Solr™ 9.4.1 available ¶

Solr 9.4.1 Release Highlights:

12 January 2024, CVE-2023-50290: Apache Solr allows read access to host environment variables ¶

15 October 2023, Apache Solr™ 9.4.0 available ¶

Solr 9.4.0 Release Highlights:

21 July 2023, Apache Solr™ 9.3.0 available ¶

Solr 9.3.0 Release Highlights:

1 May 2023, Apache Solr™ 9.2.1 available ¶

Solr 9.2.1 Release Highlights:

24 March 2023, Apache Solr™ 9.2.0 available ¶

Solr 9.2.0 Release Highlights:

25 January 2023, Apache Solr™ 9.1.1 available ¶

Solr 9.1.1 Release Highlights:

20 November 2022, Apache Solr is vulnerable to CVE-2022-39135 via /sql handler ¶

17 November 2022, Apache Solr™ 9.1.0 available ¶

Solr 9.1.0 Release Highlights:

21 October 2022, Java 17 bug affecting Solr ¶

20 October 2022, Solr 8 Docker image changes to Eclipse Temurin JDK ¶

20 October 2022, Solr Docker images now pin the Linux release ¶

17 June 2022, Apache Solr™ 8.11.2 available ¶

Solr 8.11.2 Release Highlights:

12 May 2022, Apache Solr™ 9.0.0 available ¶

Solr 9.0.0 Release Highlights:

Querying and Indexing

Security

Stability and Scalability

Build and Docker

Deprecations and Removals

Other

18 December 2021, CVE-2021-44548: Apache Solr information disclosure vulnerability through DataImportHandler ¶

16 December 2021, Apache Solr™ 8.11.1 available ¶

Solr 8.11.1 Release Highlights:

10 December 2021, Apache Solr affected by Apache Log4J CVE-2021-44228 ¶

16 November 2021, Apache Solr™ 8.11.0 available ¶

Solr 8.11.0 Release Highlights:

Security

18 October 2021, Apache Solr™ 8.10.1 available ¶

Solr 8.10.1 Release Highlights:

Dependencies upgrades

27 September 2021, Apache Solr™ 8.10.0 available ¶

Solr 8.10.0 Release Highlights:

Backup / Restore

Schema Designer UI

Security UI

SQL Improvements

16 June 2021, Apache Solr™ 8.9.0 available ¶

Solr 8.9.0 Release Highlights:

12 April 2021, Apache Solr™ 8.8.2 available ¶

Solr 8.8.2 Release Highlights:

12 April 2021, CVE-2021-27905: SSRF vulnerability with the Replication handler ¶

12 April 2021, CVE-2021-29262: Misapplied Zookeeper ACLs can result in leakage of configured authentication and authorization settings ¶

12 April 2021, CVE-2021-29943: Apache Solr Unprivileged users may be able to perform unauthorized read/write to collections ¶

22 February 2021, Apache Solr™ 8.8.1 available ¶

Solr 8.8.1 Release Highlights:

17 February 2021, Apache Solr becomes an Apache TLP ¶

What's the background?

Solr^™ News¶