<em style='font-weight:bold;'>(Description Provided by <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=2010-0185" target="_blank">CVE</a>)</em> : The default configuration of Adobe ColdFusion 9.0 does not restrict access to collections that have been created by the Solr Service, which allows remote attackers to obtain collection metadata, search information, and index data via a request to an unspecified URL.

Currently, there are no known upgrades or patches to correct this vulnerability. It is possible to temporarily work around the flaw by implementing the following workaround: 1.Open the file jetty.xml located at {ColdFusion-home}/solr/etc for Server install or {Solr-Home}/etc directory for other type of installs.

2.Look for the following property. There are two occurances of the property in the jetty.xml file. Locate the uncommented property.
<Set name="port"><SystemProperty name="jetty.port" default="8983"/></Set>

3.Add the following property just below the above property
<Set name="Host"><SystemProperty name="jetty.host" default="127.0.0.1"/></Set>

4. Restart Solr service.

Unknown or Incomplete

• Security Tracker: 1023519
• CVE ID: 2010-0185 (see also: NVD)
• Bugtraq ID: 38007
• Secunia Advisory ID: 38387
• ISS X-Force ID: 55997
• VUPEN Advisory: ADV-2010-0259
• Vendor Specific Solution URL: http://kb2.adobe.com/cps/807/cpsid_80719.html
• Vendor Specific Advisory URL: http://www.adobe.com/support/security/bulletins/apsb10-04.html

Unknown or Incomplete