Upgrade to Solr 9.10 with external Tika server (CVE-2025-66516 fix)

reekitconcept · reekitconcept · commit c43a4c8b602c · 2025-12-09T15:06:06.000+01:00
- Upgrade Solr from 8 to 9.10 - Add external Tika server (3.2.3) to mitigate CVE-2025-66516 - Update solrconfig.xml for Solr 9 compatibility (luceneMatchVersion 9.12) - Configure extraction handler to use external Tika server - Remove deprecated local Tika library loading
diff --git a/docker-compose-ci.yml b/docker-compose-ci.yml
@@ -7,16 +7,27 @@ name: kitconcept-solr-ci
 
 services:
 
+  tika-acceptance:
+    image: apache/tika:3.2.3.0-full
+    profiles: ["ci"]
+    ports:
+      - 9998:9998
+
   solr-acceptance:
     build:
       context: ./solr
     profiles: ["ci"]
+    depends_on:
+      - tika-acceptance
     ports:
       - 8983:8983
     command:
       - solr-precreate
       - plone
       - /plone-config
+    environment:
+      SOLR_OPTS: "-Dsolr.tika.url=http://tika-acceptance:9998 -Dsolr.config.lib.enabled=true"
+
   frontend-acceptance:
     image: ghcr.io/kitconcept/kitconcept-solr-frontend:${BASE_TAG}
     pull_policy: always
diff --git a/docker-compose-dev.yml b/docker-compose-dev.yml
@@ -3,17 +3,27 @@ name: kitconcept-solr-acceptance
 
 services:
 
+  tika-acceptance:
+    image: apache/tika:3.2.3.0-full
+    profiles: ["acceptance", "dev", "solr"]
+    ports:
+      - 9998:9998
+
   solr-acceptance:
     build:
       context: ./solr
     pull_policy: build
     profiles: ["acceptance", "dev", "solr"]
+    depends_on:
+      - tika-acceptance
     ports:
       - 8983:8983
     command:
       - solr-precreate
       - plone
       - /plone-config
+    environment:
+      SOLR_OPTS: "-Dsolr.tika.url=http://tika-acceptance:9998 -Dsolr.config.lib.enabled=true"
 
   frontend: &frontend
     build:
diff --git a/docker-compose.yml b/docker-compose.yml
@@ -98,15 +98,24 @@ services:
       - traefik.http.routers.rt-backend-classic.service=svc-backend
       - traefik.http.routers.rt-backend-classic.middlewares=gzip,mw-backend-auth,mw-backend-vhm-classic
 
+  tika:
+    image: apache/tika:3.2.3.0-full
+    ports:
+      - 9998:9998
+
   solr:
     build:
       context: solr/
     ports:
       - 8983:8983
+    depends_on:
+      - tika
     command:
       - solr-precreate
       - plone
       - /plone-config
+    environment:
+      SOLR_OPTS: "-Dsolr.tika.url=http://tika:9998 -Dsolr.config.lib.enabled=true"
 
 volumes:
   vol-site-data: {}
diff --git a/solr/Dockerfile b/solr/Dockerfile
@@ -1,9 +1,9 @@
 # syntax=docker/dockerfile:1
-FROM solr:8
+FROM solr:9.10
 
 LABEL maintainer="kitconcept, GmbH <info@kitconcept.com>" \
       org.label-schema.name="ghcr.io/kitconcept/solr" \
-      org.label-schema.description="Solr 8 image with Plone default settings" \
+      org.label-schema.description="Solr 9 image with Plone default settings" \
       org.label-schema.vendor="kitconcept, GmbH"
 
 # Copy default plone configuration for this image
diff --git a/solr/etc/conf/solrconfig.xml b/solr/etc/conf/solrconfig.xml
@@ -1,6 +1,6 @@
 <?xml version="1.0" encoding="utf-8"?>
 <config>
-  <luceneMatchVersion>4.5</luceneMatchVersion>
+  <luceneMatchVersion>9.12</luceneMatchVersion>
 
   <dataDir>${solr.data.dir:}</dataDir>
 
@@ -11,33 +11,6 @@
   <codecFactory class="solr.SchemaCodecFactory" />
   <schemaFactory class="ClassicIndexSchemaFactory" />
 
-  <!-- TIKA START -->
-  <!-- Load Data Import Handler and Apache Tika (extraction) libraries -->
-  <lib dir="${solr.install.dir:../../../..}/dist/"
-       regex="solr-dataimporthandler-.*\.jar"
-  />
-
-  <lib dir="${solr.install.dir:../../../..}/contrib/extraction/lib"
-       regex=".*\.jar"
-  />
-  <lib dir="${solr.install.dir:../../../..}/dist/"
-       regex="solr-cell-\d.*\.jar"
-  />
-
-  <lib dir="${solr.install.dir:../../../..}/contrib/langid/lib/"
-       regex=".*\.jar"
-  />
-  <lib dir="${solr.install.dir:../../../..}/dist/"
-       regex="solr-langid-\d.*\.jar"
-  />
-
-  <lib dir="${solr.install.dir:../../../..}/contrib/velocity/lib"
-       regex=".*\.jar"
-  />
-  <lib dir="${solr.install.dir:../../../..}/dist/"
-       regex="solr-velocity-\d.*\.jar"
-  />
-
   <!-- Request Dispatcher
        This section contains instructions for how the SolrDispatchFilter
        should behave when processing requests for this SolrCore.
@@ -118,11 +91,16 @@
 
   <!-- Solr Cell Update Request Handler
        http://wiki.apache.org/solr/ExtractingRequestHandler
+       Uses external Tika server for document parsing (CVE-2025-66516 mitigation)
     -->
   <requestHandler class="solr.extraction.ExtractingRequestHandler"
                   name="/update/extract"
                   startup="lazy"
   >
+    <!-- Use external Tika server instead of local (deprecated) backend -->
+    <str name="extraction.backend">tikaserver</str>
+    <str name="tikaserver.url">${solr.tika.url:http://tika:9998}</str>
+
     <lst name="defaults">
       <str name="lowernames">true</str>
       <str name="uprefix">ignored_</str>
@@ -133,7 +111,6 @@
       <str name="fmap.div">ignored_</str>
     </lst>
   </requestHandler>
-  <!-- TIKA END -->
 
   <!-- The default high-performance update handler -->
   <updateHandler class="solr.DirectUpdateHandler2">
