PT-2019-12786 · Apache · Solr

Published 2019-09-10 · Updated 2023-02-28 · CVE-2019-12401

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions
Solr versions 1.3.0 through 1.4.1
Solr versions 3.1.0 through 3.6.2
Solr versions 4.0.0 through 4.10.4
Solr versions prior to 5.0.0

Description
The issue allows an XML resource consumption attack, also known as a Lol Bomb, via the update handler. By using XML DOCTYPE and ENTITY elements, an attacker can craft a nested entity pattern that expands when the server parses the XML, causing out-of-memory (OOM) errors.

Recommendations
For all affected versions (1.3.0 through 1.4.1, 3.1.0 through 3.6.2, 4.0.0 through 4.10.4, and any other version prior to 5.0.0), update to version 5.0.0 or later. As a temporary workaround, consider restricting access to the update handler until a patch is available.
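The following is an added example, not code from the advisory or from the Solr project, illustrating the mechanism described above and the parser-side hardening that closes it. It builds a deliberately tiny nested-entity document (depth 3, fan-out 3, so only 27 characters after expansion) with the same DOCTYPE/ENTITY structure the description refers to, measures how much text a default expat parser produces from it, and then shows a parser that refuses any DOCTYPE or ENTITY declaration before a single reference can be expanded. All function names, the sample documents and the Python/expat choice are assumptions made for this example; Solr itself is Java, and the advisory's actual fix lives in its update handler.

```python
import xml.parsers.expat

# Constructed sample input (not from the advisory): a minimal Solr-style <add> update.
CLEAN_DOC = b'<add><doc><field name="id">1</field></doc></add>'


class DtdRejected(ValueError):
    """Raised when an update body carries a DOCTYPE or ENTITY declaration."""


def entity_expansion_doc(depth: int, fanout: int) -> bytes:
    """Build a small nested-entity document with the structure the advisory
    describes (DOCTYPE plus chained ENTITY definitions). Kept tiny on purpose:
    depth=3, fanout=3 expands to only fanout**depth = 27 characters, which is
    safe to parse here while still showing the geometric growth."""
    decls = ['<!ENTITY e0 "x">']
    for i in range(1, depth + 1):
        ref = "&e%d;" % (i - 1)                      # reference to the previous level
        decls.append('<!ENTITY e%d "%s">' % (i, ref * fanout))
    dtd = "<!DOCTYPE add [" + "".join(decls) + "]>"
    body = '<add><doc><field name="id">&e%d;</field></doc></add>' % depth
    return (dtd + body).encode()


def measure_expansion(data: bytes) -> int:
    """Parse with a default expat parser (entities expanded) and return how many
    characters of text the parser produced. For an entity bomb this is far
    larger than len(data); that gap is the resource-consumption problem."""
    parser = xml.parsers.expat.ParserCreate()
    produced = 0

    def on_chars(text):
        nonlocal produced
        produced += len(text)

    parser.CharacterDataHandler = on_chars
    parser.Parse(data, True)
    return produced


def parse_rejecting_dtd(data: bytes) -> dict:
    """Hardened variant: abort as soon as expat reports a DOCTYPE or ENTITY
    declaration, i.e. before any entity reference in the body is expanded.
    Returns simple parse statistics for an accepted document."""
    parser = xml.parsers.expat.ParserCreate()
    stats = {"elements": 0, "chars": 0}

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise DtdRejected("DOCTYPE declaration not allowed: %s" % name)

    def on_entity_decl(*args):
        raise DtdRejected("ENTITY declaration not allowed")

    def on_start(name, attrs):
        stats["elements"] += 1

    def on_chars(text):
        stats["chars"] += len(text)

    # Exceptions raised inside expat handlers stop the parser and propagate
    # out of Parse(), so the caller sees DtdRejected before any expansion.
    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.StartElementHandler = on_start
    parser.CharacterDataHandler = on_chars
    parser.Parse(data, True)
    return stats


if __name__ == "__main__":
    bomb = entity_expansion_doc(3, 3)
    print("bytes on the wire:", len(bomb))
    print("characters after expansion:", measure_expansion(bomb))
    print("clean update accepted:", parse_rejecting_dtd(CLEAN_DOC))
    try:
        parse_rejecting_dtd(bomb)
    except DtdRejected as exc:
        print("nested-entity update rejected:", exc)
```

The rejection is done in the parser's own DOCTYPE and ENTITY callbacks rather than by scanning the raw bytes, because a byte-level check for `<!DOCTYPE` misses documents in other encodings (UTF-16, for example) while the parser sees the declaration regardless of encoding. Restricting who can reach the update handler, as the workaround above suggests, limits exposure; refusing DTDs in request bodies removes the expansion mechanism itself.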

Weakness Enumeration
XML Entity Expansion

Related Identifiers
CVE-2019-12401
GHSA-JQ2W-W7V2-69Q5

Affected Products
Solr