Security Vulnerabilities in Apache Solr

Problem Description

Does the COMSOL software contain the Apache Solr™ software and, if so, is it affected by security vulnerabilities found in it?

Solution

Summary

The following COMSOL functionality uses a built-in distribution of the Apache Solr search platform software:

• The documentation and help in COMSOL Multiphysics and COMSOL Documentation (when the Help > Source > Location preference is set to Local)
• Local Model Manager databases in COMSOL Multiphysics
• Model Manager server (only when using managed search index servers)

The optional Solr Extraction module is included in the Apache Solr distribution used by the documentation system and Model Manager server. This module includes Apache Tika software to index documents.

COMSOL strives to keep third-party software up-to-date in update releases. It is not possible to update the Apache Solr software manually. If needed, see below for more information about Apache Solr security vulnerabilities. See also below for how to remove Apache Solr software from a COMSOL installation.

Security vulnerabilities

Apache publishes Solr security advisories on the Solr™ Security News page.

Not all security vulnerabilities of Apache Solr apply to the COMSOL software, since the COMSOL software does not expose all functionality of its built-in Apache Solr distribution. In fact, COMSOL software typically only uses a relatively limited subset of the Apache Solr functionality, and additionally does not by default expose the Apache Solr software directly to the network. This means that even if the CVE for a vulnerability applies to the version of Apache Solr included in a specific COMSOL version (see below), the COMSOL software could be assessed as not vulnerable due to the affected functionality not being enabled or reachable.

For vulnerabilities that are assessed as not applicable to the COMSOL software, choose the response that is the most suitable to the security processes of your organization:

1. No action. Rely on COMSOL's vulnerability assessments. Keep the COMSOL software up-to-date using regular product updates.
2. Apply official mitigations as available from the Apache Solr organization. Can provide a higher assurance of non-vulnerability, and does typically not affect the function of the COMSOL software.
3. Remove the Apache Solr software. Avoids false positives when vulnerability scanning is the primary tool for security assessments, but removes certain functionality from the COMSOL software.

Vulnerability assessments

• CVE-2026-22022
  Assessment: Not vulnerable
  The COMSOL software does not rely on the "Rule Based Authorization Plugin".

• CVE-2026-22444
  CVE-2024-52012
  CVE-2025-24814
  Assessment: Not vulnerable
  The COMSOL software configures Apache Solr to require authentication for connecting to its API, and additionally only listens on the loopback interface by default, thus it is not exposed to remote/untrusted users.

• CVE-2025-66516
  Assessment: Not vulnerable
  The COMSOL software only uses the vulnerable extraction module when indexing its own help and documentation files, not arbitrary user-supplied documents, and it is thus not exposed to untrusted inputs. Also, the COMSOL software does not index PDF documents, and Model Manager server does not index document files at all.
  Mitigation: See below for how to apply the official mitigation for the extraction module vulnerability to the applicable COMSOL software versions. Future updates of the COMSOL software will come with the mitigation already applied and/or updated Apache Solr software where the underlying vulnerability is not present.

Apache Solr also includes Apache SolrJ, a client library to use the Solr API. Vulnerabilities for Apache SolrJ are tracked separately from Apache Solr.

Apache Solr version

The following versions of the Apache Solr software are included with the currently supported versions of COMSOL:

• COMSOL 6.4:
  Apache Solr 8.11.4
• COMSOL 6.3 update 2:
  Apache Solr 8.11.4

In general, the version of the Apache Solr software included with a particular COMSOL software installation can be determined by the following steps:

1. Locate the Apache Solr subdirectory of the COMSOL software installation to target. The following are the default installation folders:
   • On Windows systems: C:\Program Files\COMSOL\COMSOL64[Product]\ext\solr
   • On macOS systems: /Applications/COMSOL64/[Product]/ext/solr
   • On Linux systems: /usr/local/comsol64/[product]/ext/solr
   • The [Product] path segment is Multiphysics for COMSOL Multiphysics and ModelManagerServer for COMSOL Model Manager Server, both in lowercase for the [product] path segment on Linux.
2. Open the CHANGES.txt file and read the version of Apache Solr from the most recent change.
3. Look at the filenames of jar files in subdirectories of dist and server to read the version of any third-party dependencies that are included with Apache Solr.

Mitigations

CVE-2025-66516

It is possible to apply the official mitigation described here to an installation of COMSOL Multiphysics. Locate the Multiphysics directory as described above and then perform the mitigation on the following directories and configuration files:

• the doc/help/solr/conf directory and its solrconfig.xml file
• the ext/solr/conf directory and its solrconfig.xml file
• the ext/solr/solr/server/solr/configsets/*/conf directories and their solrconfig.xml files

Likewise the mitigation can be applied to a COMSOL Model Manager Server installation by locating the ModelManagerServer directory and performing the mitigation on all of the above except doc/help/solr/conf that does not exist for the Model Manager server.

Removing Apache Solr

From a COMSOL Multiphysics installation

To remove all traces of Apache Solr software from an installation of COMSOL Multiphysics, locate the Multiphysics directory as described above and then delete the following directories and files inside it:

• ext/solr
• plugins/lib.external.solrj.embedded_8.11.4.jar

Additionally locate the comsol.ini file in the bin/[arch] directory, where [arch] is the current platform (win64, macarm64, maci64, glnxarm64, or glnxa64), and add the following line at the end of it:

• -Dcs.docsearch=off (end the line with a line break to ensure that it is read when processing the file)

Removing the Apache Solr software and modifying the comsol.ini file will have the following consequences:

• Online Help can be used as before.
• Local help can be used but search is disabled.
• Only server databases can be configured with the Model Manager, not local databases.

Note: When performing these changes to the COMSOL Multiphysics installation you will need administrative privileges on the computer, and on Windows the text editor used to edit comsol.ini must also be launched as an administrator to be able to save the file.

From a COMSOL Model Manager Server installation

For the Model Manager server, Apache Solr software is only included with the optional Managed Apache Solr™ component. To remove it you can launch the COMSOL Model Manager Server Installer and choose Add/Remove Products and Reinstall, then uncheck this component.

Note: Without the Apache Solr software installed, the Model Manager server will not be able to automatically create server databases with managed components. See the documentation for how to use an external search index for server databases instead, where you install your own Apache Solr server and configure Model Manager server to connect to it.

種類ごとに閲覧