Security Vulnerabilities in Apache Solr

Problem Description

Does the COMSOL software contain the Apache Solr™ software and, if so, is it affected by security vulnerabilities found in it?

Solution

Summary

The following COMSOL functionality uses a built-in distribution of the Apache Solr search platform software and its SolrJ client library:

• The documentation and help in COMSOL Multiphysics and COMSOL Documentation (when the Help > Source > Location preference is set to Local)
• Local Model Manager databases in COMSOL Multiphysics
• Model Manager server (only the Apache SolrJ client library when using external search index servers)

Install the latest product updates for the COMSOL software to also update its built-in Apache Solr distribution. If needed, see below for more information about Apache Solr security vulnerabilities.

Security vulnerabilities

Apache publishes Solr security advisories on the Solr™ Security News page.

Not all security vulnerabilities of Apache Solr apply to the COMSOL software, since the COMSOL software does not expose all functionality of its built-in Apache Solr distribution. In fact, COMSOL software typically only uses a relatively limited subset of the Apache Solr functionality, and additionally does not by default expose the Apache Solr software directly to the network. This means that even if the CVE for a vulnerability applies to the version of Apache Solr included in a specific COMSOL version (see below), the COMSOL software could be assessed as not vulnerable due to the affected functionality not being enabled or reachable.

• CVE-2026-22022
  Assessment: Not vulnerable
  The COMSOL software does not rely on the "Rule Based Authorization Plugin".

• CVE-2026-22444
  CVE-2024-52012
  CVE-2025-24814
  Assessment: Not vulnerable
  The COMSOL software configures Apache Solr to require authentication for connecting to its API, and additionally only listens on the loopback interface by default, thus it is not exposed to remote/untrusted users.

• CVE-2025-66516
  Assessment: Not vulnerable
  The COMSOL software only uses the vulnerable extraction module when indexing its own help and documentation files, not arbitrary user-supplied documents, and it is thus not exposed to untrusted inputs.

Apache Solr version

The following versions of the Apache Solr software are included with the currently supported versions of COMSOL:

• COMSOL 6.4:
  Apache Solr 8.11.4
• COMSOL 6.3 update 2:
  Apache Solr 8.11.4

In general, the version of the Apache Solr software included with a particular COMSOL software installation can be determined by the following steps:

1. Locate the Apache Solr subdirectory of the COMSOL software installation to target. The following are the default installation folders:
   • On Windows systems: C:\Program Files\COMSOL\COMSOL64[Product]\ext\solr
   • On macOS systems: /Applications/COMSOL64/[Product]/ext/solr
   • On Linux systems: /usr/local/comsol64/[product]/ext/solr
   • The [Product] path segment is Multiphysics for COMSOL Multiphysics and ModelManagerServer for COMSOL Model Manager Server, both in lowercase for the [product] path segment on Linux.
2. Open the CHANGES.txt file and read the version of Apache Solr from the most recent change.
3. Look at the filenames of jar files in subdirectories of dist and server to read the version of any third-party dependencies that are included with Apache Solr.

種類ごとに閲覧