Upgrade to Solr 9.10 with external Tika server (CVE-2025-66516 fix)

reekitconcept · reekitconcept · commit 4d2f05f4db1a · 2025-12-09T16:00:18.000+01:00
- Upgrade Solr from 8 to 9.10 - Add external Tika server (3.2.3) to mitigate CVE-2025-66516 - Update solrconfig.xml for Solr 9 compatibility (luceneMatchVersion 9.12) - Configure extraction handler to use external Tika server - Remove deprecated local Tika library loading - Add Makefile targets for solr-activate-and-reindex
diff --git a/Makefile b/Makefile
@@ -182,6 +182,50 @@ stack-rm:  ## Local Stack: Remove Services and Volumes
 	@echo "Remove local volume data"
 	@docker volume rm $(PROJECT_NAME)_vol-site-data
 
+
+###########################################
+# SOLR
+###########################################
+
+BACKEND_FOLDER=$(shell dirname $(realpath $(firstword $(MAKEFILE_LIST))))
+
+SOLR_DATA_FOLDER?=${BACKEND_FOLDER}/data
+SOLR_ONLY_COMPOSE?=${BACKEND_FOLDER}/docker-compose.yml
+
+## Solr docker utils
+test-stack-name:
+	# The STACK_NAME env variable must exist and discriminate between your projects,
+	# and the purpose of the container (_DEV, _STACK, _TEST)
+	test -n "$(STACK_NAME)"
+
+.PHONY: solr-start
+solr-start: test-stack-name ## Start solr
+	@echo "Start solr"
+	@COMPOSE_PROJECT_NAME=${STACK_NAME} docker compose -f ${STACK_FILE} up -d solr tika
+
+.PHONY: solr-start-fg
+solr-start-fg: test-stack-name ## Start solr in foreground
+	@echo "Start solr in foreground"
+	@COMPOSE_PROJECT_NAME=${STACK_NAME} docker compose -f ${STACK_FILE} up solr tika
+
+.PHONY: solr-stop
+solr-stop: test-stack-name ## Stop solr
+	@echo "Stop solr"
+	@COMPOSE_PROJECT_NAME=${STACK_NAME} docker compose -f ${STACK_FILE} down solr tika
+
+.PHONY: solr-logs
+solr-logs: test-stack-name ## Show solr logs
+	@echo "Show solr logs"
+	@COMPOSE_PROJECT_NAME=${STACK_NAME} docker compose -f ${STACK_FILE} logs -f solr
+
+.PHONY: solr-activate-and-reindex
+solr-activate-and-reindex: ## Activate solr and reindex content
+	$(MAKE) -C "./backend/" solr-activate-and-reindex
+
+.PHONY: solr-activate-and-reindex-clear
+solr-activate-and-reindex-clear: ## Activate solr and reindex content with clear
+	$(MAKE) -C "./backend/" solr-activate-and-reindex-clear
+
 ###########################################
 # Acceptance
 ###########################################
diff --git a/backend/Makefile b/backend/Makefile
@@ -94,6 +94,14 @@ console: $(VENV_FOLDER) instance/etc/zope.ini ## Start a console into a Plone in
 create-site: $(VENV_FOLDER) instance/etc/zope.ini ## Create a new site from scratch
 	@$(BIN_FOLDER)/zconsole run instance/etc/zope.conf ./scripts/create_site.py
 
+.PHONY: solr-activate-and-reindex
+solr-activate-and-reindex: $(VENV_FOLDER) instance/etc/zope.ini ## Activate solr and reindex content
+	@PYTHONWARNINGS=ignore $(BIN_FOLDER)/zconsole run instance/etc/zope.conf ./scripts/solr_activate_and_reindex.py
+
+.PHONY: solr-activate-and-reindex-clear
+solr-activate-and-reindex-clear: $(VENV_FOLDER) instance/etc/zope.ini ## Activate solr and reindex content with clear
+	@PYTHONWARNINGS=ignore $(BIN_FOLDER)/zconsole run instance/etc/zope.conf ./scripts/solr_activate_and_reindex.py --clear
+
 # Example Content
 .PHONY: update-example-content
 update-example-content: $(VENV_FOLDER) ## Export example content inside package
diff --git a/backend/news/+fix-tikka-sec-vulnerability.bugfix b/backend/news/+fix-tikka-sec-vulnerability.bugfix
@@ -0,0 +1 @@
+Upgrade to Solr 9.10 with external Tika server 3.2.3 to fix CVE-2025-66516. @reebalazs
diff --git a/backend/src/kitconcept/solr/profiles/default/metadata.xml b/backend/src/kitconcept/solr/profiles/default/metadata.xml
@@ -1,6 +1,6 @@
 <?xml version="1.0" encoding="utf-8"?>
 <metadata>
-  <version>1000</version>
+  <version>1001</version>
   <dependencies>
     <dependency>profile-collective.solr:default</dependency>
   </dependencies>
diff --git a/backend/src/kitconcept/solr/profiles/default/registry/collective.solr.xml b/backend/src/kitconcept/solr/profiles/default/registry/collective.solr.xml
@@ -0,0 +1,8 @@
+<?xml version="1.0" encoding="utf-8"?>
+<registry>
+
+  <record name="collective.solr.use_tika">
+    <value>True</value>
+  </record>
+
+</registry>
diff --git a/backend/src/kitconcept/solr/upgrades/configure.zcml b/backend/src/kitconcept/solr/upgrades/configure.zcml
@@ -4,4 +4,15 @@
     i18n_domain="kitconcept.solr"
     >
 
+  <genericsetup:upgradeSteps
+      profile="kitconcept.solr:default"
+      source="1000"
+      destination="1001"
+      >
+    <genericsetup:upgradeDepends
+        title="Enable use_tika in collective.solr for external Tika server"
+        import_steps="plone.app.registry"
+        />
+  </genericsetup:upgradeSteps>
+
 </configure>
diff --git a/docker-compose-ci.yml b/docker-compose-ci.yml
@@ -7,16 +7,27 @@ name: kitconcept-solr-ci
 
 services:
 
+  tika-acceptance:
+    image: apache/tika:3.2.3.0-full
+    profiles: ["ci"]
+    ports:
+      - 9998:9998
+
   solr-acceptance:
     build:
       context: ./solr
     profiles: ["ci"]
+    depends_on:
+      - tika-acceptance
     ports:
       - 8983:8983
     command:
       - solr-precreate
       - plone
       - /plone-config
+    environment:
+      SOLR_OPTS: "-Dsolr.tika.url=http://tika-acceptance:9998 -Dsolr.config.lib.enabled=true"
+
   frontend-acceptance:
     image: ghcr.io/kitconcept/kitconcept-solr-frontend:${BASE_TAG}
     pull_policy: always
diff --git a/docker-compose-dev.yml b/docker-compose-dev.yml
@@ -3,17 +3,27 @@ name: kitconcept-solr-acceptance
 
 services:
 
+  tika-acceptance:
+    image: apache/tika:3.2.3.0-full
+    profiles: ["acceptance", "dev", "solr"]
+    ports:
+      - 9998:9998
+
   solr-acceptance:
     build:
       context: ./solr
     pull_policy: build
     profiles: ["acceptance", "dev", "solr"]
+    depends_on:
+      - tika-acceptance
     ports:
       - 8983:8983
     command:
       - solr-precreate
       - plone
       - /plone-config
+    environment:
+      SOLR_OPTS: "-Dsolr.tika.url=http://tika-acceptance:9998 -Dsolr.config.lib.enabled=true"
 
   frontend: &frontend
     build:
diff --git a/docker-compose.yml b/docker-compose.yml
@@ -98,16 +98,24 @@ services:
       - traefik.http.routers.rt-backend-classic.service=svc-backend
       - traefik.http.routers.rt-backend-classic.middlewares=gzip,mw-backend-auth,mw-backend-vhm-classic
 
+  tika:
+    image: apache/tika:3.2.3.0-full
+    ports:
+      - 9998:9998
+
   solr:
     build:
       context: solr/
     ports:
       - 8983:8983
+    depends_on:
+      - tika
     command:
       - solr-precreate
       - plone
       - /plone-config
-
+    environment:
+      SOLR_OPTS: "-Dsolr.tika.url=http://tika:9998 -Dsolr.config.lib.enabled=true"
 
 volumes:
   vol-site-data: {}
diff --git a/news/+fix-tikka-sec-vulnerability.bugfix b/news/+fix-tikka-sec-vulnerability.bugfix
@@ -0,0 +1 @@
+Upgrade to Solr 9.10 with external Tika server 3.2.3 to fix CVE-2025-66516. @reebalazs
diff --git a/solr/Dockerfile b/solr/Dockerfile
@@ -1,9 +1,9 @@
 # syntax=docker/dockerfile:1
-FROM solr:8
+FROM solr:9.10
 
 LABEL maintainer="kitconcept, GmbH <info@kitconcept.com>" \
       org.label-schema.name="ghcr.io/kitconcept/solr" \
-      org.label-schema.description="Solr 8 image with Plone default settings" \
+      org.label-schema.description="Solr 9 image with Plone default settings" \
       org.label-schema.vendor="kitconcept, GmbH"
 
 # Copy default plone configuration for this image
diff --git a/solr/etc/conf/solrconfig.xml b/solr/etc/conf/solrconfig.xml
@@ -1,6 +1,6 @@
 <?xml version="1.0" encoding="utf-8"?>
 <config>
-  <luceneMatchVersion>4.5</luceneMatchVersion>
+  <luceneMatchVersion>9.12</luceneMatchVersion>
 
   <dataDir>${solr.data.dir:}</dataDir>
 
@@ -11,33 +11,6 @@
   <codecFactory class="solr.SchemaCodecFactory" />
   <schemaFactory class="ClassicIndexSchemaFactory" />
 
-  <!-- TIKA START -->
-  <!-- Load Data Import Handler and Apache Tika (extraction) libraries -->
-  <lib dir="${solr.install.dir:../../../..}/dist/"
-       regex="solr-dataimporthandler-.*\.jar"
-  />
-
-  <lib dir="${solr.install.dir:../../../..}/contrib/extraction/lib"
-       regex=".*\.jar"
-  />
-  <lib dir="${solr.install.dir:../../../..}/dist/"
-       regex="solr-cell-\d.*\.jar"
-  />
-
-  <lib dir="${solr.install.dir:../../../..}/contrib/langid/lib/"
-       regex=".*\.jar"
-  />
-  <lib dir="${solr.install.dir:../../../..}/dist/"
-       regex="solr-langid-\d.*\.jar"
-  />
-
-  <lib dir="${solr.install.dir:../../../..}/contrib/velocity/lib"
-       regex=".*\.jar"
-  />
-  <lib dir="${solr.install.dir:../../../..}/dist/"
-       regex="solr-velocity-\d.*\.jar"
-  />
-
   <!-- Request Dispatcher
        This section contains instructions for how the SolrDispatchFilter
        should behave when processing requests for this SolrCore.
@@ -118,11 +91,16 @@
 
   <!-- Solr Cell Update Request Handler
        http://wiki.apache.org/solr/ExtractingRequestHandler
+       Uses external Tika server for document parsing (CVE-2025-66516 mitigation)
     -->
   <requestHandler class="solr.extraction.ExtractingRequestHandler"
                   name="/update/extract"
                   startup="lazy"
   >
+    <!-- Use external Tika server instead of local (deprecated) backend -->
+    <str name="extraction.backend">tikaserver</str>
+    <str name="tikaserver.url">${solr.tika.url:http://tika:9998}</str>
+
     <lst name="defaults">
       <str name="lowernames">true</str>
       <str name="uprefix">ignored_</str>
@@ -133,7 +111,6 @@
       <str name="fmap.div">ignored_</str>
     </lst>
   </requestHandler>
-  <!-- TIKA END -->
 
   <!-- The default high-performance update handler -->
   <updateHandler class="solr.DirectUpdateHandler2">

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+Upgrade to Solr 9.10 with external Tika server 3.2.3 to fix CVE-2025-66516. @reebalazs`