Upgrade to Solr 9.10 with external Tika server (CVE-2025-66516 fix)

- Upgrade Solr from 8 to 9.10
- Add external Tika server (3.2.3) to mitigate CVE-2025-66516
- Update solrconfig.xml for Solr 9 compatibility (luceneMatchVersion 9.12)
- Configure extraction handler to use external Tika server
- Remove deprecated local Tika library loading
- Add Makefile targets for solr-activate-and-reindex

Author: reekitconcept

Makefile

@@ -182,6 +182,50 @@ stack-rm:  ## Local Stack: Remove Services and Volumes
 	@echo "Remove local volume data"
 	@docker volume rm $(PROJECT_NAME)_vol-site-data
 
+
+###########################################
+# SOLR
+###########################################
+
+BACKEND_FOLDER=$(shell dirname $(realpath $(firstword $(MAKEFILE_LIST))))
+
+SOLR_DATA_FOLDER?=${BACKEND_FOLDER}/data
+SOLR_ONLY_COMPOSE?=${BACKEND_FOLDER}/docker-compose.yml
+
+## Solr docker utils
+test-compose-project-name:
+	# The COMPOSE_PROJECT_NAME env variable must exist and discriminate between your projects,
+	# and the purpose of the container (_DEV, _STACK, _TEST)
+	test -n "$(PROJECT_NAME)"
+
+.PHONY: solr-start
+solr-start: test-compose-project-name ## Start solr
+	@echo "Start solr"
+	@COMPOSE_PROJECT_NAME=${PROJECT_NAME} docker compose -f ${STACK_FILE} up -d solr
+
+.PHONY: solr-start-fg
+solr-start-fg: test-compose-project-name ## Start solr in foreground
+	@echo "Start solr in foreground"
+	@COMPOSE_PROJECT_NAME=${PROJECT_NAME} docker compose -f ${STACK_FILE} up solr
+
+.PHONY: solr-stop
+solr-stop: test-compose-project-name ## Stop solr
+	@echo "Stop solr"
+	@COMPOSE_PROJECT_NAME=${PROJECT_NAME} docker compose -f ${STACK_FILE} down solr
+
+.PHONY: solr-logs
+solr-logs: test-compose-project-name ## Show solr logs
+	@echo "Show solr logs"
+	@COMPOSE_PROJECT_NAME=${PROJECT_NAME} docker compose -f ${STACK_FILE} logs -f solr
+
+.PHONY: solr-activate-and-reindex
+solr-activate-and-reindex: ## Activate solr and reindex content
+	$(MAKE) -C "./backend/" solr-activate-and-reindex
+
+.PHONY: solr-activate-and-reindex-clear
+solr-activate-and-reindex-clear: ## Activate solr and reindex content with clear
+	$(MAKE) -C "./backend/" solr-activate-and-reindex-clear
+
 ###########################################
 # Acceptance
 ###########################################

backend/Makefile

@@ -94,6 +94,14 @@ console: $(VENV_FOLDER) instance/etc/zope.ini ## Start a console into a Plone in
 create-site: $(VENV_FOLDER) instance/etc/zope.ini ## Create a new site from scratch
 	@$(BIN_FOLDER)/zconsole run instance/etc/zope.conf ./scripts/create_site.py
 
+.PHONY: solr-activate-and-reindex
+solr-activate-and-reindex: $(VENV_FOLDER) instance/etc/zope.ini ## Activate solr and reindex content
+	PYTHONWARNINGS=ignore @$(BIN_FOLDER)/zconsole run instance/etc/zope.conf ./scripts/solr_activate_and_reindex.py
+
+.PHONY: solr-activate-and-reindex-clear
+solr-activate-and-reindex-clear: $(VENV_FOLDER) instance/etc/zope.ini ## Activate solr and reindex content with clear
+	PYTHONWARNINGS=ignore @$(BIN_FOLDER)/zconsole run instance/etc/zope.conf ./scripts/solr_activate_and_reindex.py --clear
+
 # Example Content
 .PHONY: update-example-content
 update-example-content: $(VENV_FOLDER) ## Export example content inside package

docker-compose-ci.yml

@@ -7,16 +7,27 @@ name: kitconcept-solr-ci
 
 services:
 
+  tika-acceptance:
+    image: apache/tika:3.2.3.0-full
+    profiles: ["ci"]
+    ports:
+      - 9998:9998
+
   solr-acceptance:
     build:
       context: ./solr
     profiles: ["ci"]
+    depends_on:
+      - tika-acceptance
     ports:
       - 8983:8983
     command:
       - solr-precreate
       - plone
       - /plone-config
+    environment:
+      SOLR_OPTS: "-Dsolr.tika.url=http://tika-acceptance:9998 -Dsolr.config.lib.enabled=true"
+
   frontend-acceptance:
     image: ghcr.io/kitconcept/kitconcept-solr-frontend:${BASE_TAG}
     pull_policy: always

docker-compose-dev.yml

@@ -3,17 +3,27 @@ name: kitconcept-solr-acceptance
 
 services:
 
+  tika-acceptance:
+    image: apache/tika:3.2.3.0-full
+    profiles: ["acceptance", "dev", "solr"]
+    ports:
+      - 9998:9998
+
   solr-acceptance:
     build:
       context: ./solr
     pull_policy: build
     profiles: ["acceptance", "dev", "solr"]
+    depends_on:
+      - tika-acceptance
     ports:
       - 8983:8983
     command:
       - solr-precreate
       - plone
       - /plone-config
+    environment:
+      SOLR_OPTS: "-Dsolr.tika.url=http://tika-acceptance:9998 -Dsolr.config.lib.enabled=true"
 
   frontend: &frontend
     build:

docker-compose.yml

@@ -98,16 +98,24 @@ services:
       - traefik.http.routers.rt-backend-classic.service=svc-backend
       - traefik.http.routers.rt-backend-classic.middlewares=gzip,mw-backend-auth,mw-backend-vhm-classic
 
+  tika:
+    image: apache/tika:3.2.3.0-full
+    ports:
+      - 9998:9998
+
   solr:
     build:
       context: solr/
     ports:
       - 8983:8983
+    depends_on:
+      - tika
     command:
       - solr-precreate
       - plone
       - /plone-config
-
+    environment:
+      SOLR_OPTS: "-Dsolr.tika.url=http://tika:9998 -Dsolr.config.lib.enabled=true"
 
 volumes:
   vol-site-data: {}

news/+fix-tikka-sec-vulnerability.bugfix

@@ -0,0 +1 @@
+Upgrade to Solr 9.10 with external Tika server 3.2.3 to fix CVE-2025-66516. @reebalazs

solr/Dockerfile

@@ -1,9 +1,9 @@
 # syntax=docker/dockerfile:1
-FROM solr:8
+FROM solr:9.10
 
 LABEL maintainer="kitconcept, GmbH <[email protected]>" \
       org.label-schema.name="ghcr.io/kitconcept/solr" \
-      org.label-schema.description="Solr 8 image with Plone default settings" \
+      org.label-schema.description="Solr 9 image with Plone default settings" \
       org.label-schema.vendor="kitconcept, GmbH"
 
 # Copy default plone configuration for this image

solr/etc/conf/solrconfig.xml

@@ -1,6 +1,6 @@
 <?xml version="1.0" encoding="utf-8"?>
 <config>
-  <luceneMatchVersion>4.5</luceneMatchVersion>
+  <luceneMatchVersion>9.12</luceneMatchVersion>
 
   <dataDir>${solr.data.dir:}</dataDir>
 
@@ -11,33 +11,6 @@
   <codecFactory class="solr.SchemaCodecFactory" />
   <schemaFactory class="ClassicIndexSchemaFactory" />
 
-  <!-- TIKA START -->
-  <!-- Load Data Import Handler and Apache Tika (extraction) libraries -->
-  <lib dir="${solr.install.dir:../../../..}/dist/"
-       regex="solr-dataimporthandler-.*\.jar"
-  />
-
-  <lib dir="${solr.install.dir:../../../..}/contrib/extraction/lib"
-       regex=".*\.jar"
-  />
-  <lib dir="${solr.install.dir:../../../..}/dist/"
-       regex="solr-cell-\d.*\.jar"
-  />
-
-  <lib dir="${solr.install.dir:../../../..}/contrib/langid/lib/"
-       regex=".*\.jar"
-  />
-  <lib dir="${solr.install.dir:../../../..}/dist/"
-       regex="solr-langid-\d.*\.jar"
-  />
-
-  <lib dir="${solr.install.dir:../../../..}/contrib/velocity/lib"
-       regex=".*\.jar"
-  />
-  <lib dir="${solr.install.dir:../../../..}/dist/"
-       regex="solr-velocity-\d.*\.jar"
-  />
-
   <!-- Request Dispatcher
        This section contains instructions for how the SolrDispatchFilter
        should behave when processing requests for this SolrCore.
@@ -118,11 +91,16 @@
 
   <!-- Solr Cell Update Request Handler
        http://wiki.apache.org/solr/ExtractingRequestHandler
+       Uses external Tika server for document parsing (CVE-2025-66516 mitigation)
     -->
   <requestHandler class="solr.extraction.ExtractingRequestHandler"
                   name="/update/extract"
                   startup="lazy"
   >
+    <!-- Use external Tika server instead of local (deprecated) backend -->
+    <str name="extraction.backend">tikaserver</str>
+    <str name="tikaserver.url">${solr.tika.url:http://tika:9998}</str>
+
     <lst name="defaults">
       <str name="lowernames">true</str>
       <str name="uprefix">ignored_</str>
@@ -133,7 +111,6 @@
       <str name="fmap.div">ignored_</str>
     </lst>
   </requestHandler>
-  <!-- TIKA END -->
 
   <!-- The default high-performance update handler -->
   <updateHandler class="solr.DirectUpdateHandler2">