Security Vulnerabilities in Apache Solr

Problem Description

Does the COMSOL software contain the Apache Solr™ software and, if so, is it affected by known security vulnerabilities in it?

Solution

Summary

The following COMSOL functionality uses a bundled distribution of the Apache Solr search platform software:

• The documentation and help in COMSOL Multiphysics and COMSOL Documentation (when the Help > Source > Location preference is set to Local)
• Local Model Manager databases in COMSOL Multiphysics
• Model Manager server (only when using managed search index servers)

The optional Solr Extraction module is not included in the Apache Solr distribution used by the documentation system and Model Manager server starting with versions 6.3 update 3 and 6.4 update 2. In earlier versions this module was included because its Apache Tika software was used to index documents.

COMSOL strives to keep third-party software up-to-date in update releases. It is not possible to update the Apache Solr software manually. If needed, see below for more information about Apache Solr security vulnerabilities. See also below for how to remove Apache Solr software from a COMSOL installation.

Security vulnerabilities

Apache publishes Solr security advisories on the Solr™ Security News page.

Not all security vulnerabilities of Apache Solr apply to the COMSOL software, since the COMSOL software does not expose all functionality of its built-in Apache Solr distribution. In fact, COMSOL software typically only uses a relatively limited subset of the Apache Solr functionality, and additionally does not by default expose the Apache Solr software directly to the network. This means that even if the CVE for a vulnerability applies to the version of Apache Solr included in a specific COMSOL version (see below), the COMSOL software could be assessed as not vulnerable due to the affected functionality not being enabled or reachable.

For vulnerabilities that are assessed as not applicable to the COMSOL software, choose the response that is the most suitable to the security processes of your organization:

1. Take no action and keep COMSOL up to date. Rely on COMSOL's vulnerability assessments. Keep the COMSOL software up-to-date using regular product updates.
2. Apply official mitigations where available from the Apache Solr organization. Can provide a higher assurance of non-vulnerability, and does typically not affect the function of the COMSOL software.
3. Remove the bundled Apache Solr software. Avoids false positives when vulnerability scanning is the primary tool for security assessments, but removes certain functionality from the COMSOL software.

Vulnerability assessments

• CVE-2026-22022
  Assessment: Not applicable
  The COMSOL software does not rely on the "Rule Based Authorization Plugin".

• CVE-2026-22444
  CVE-2024-52012
  CVE-2025-24814
  Assessment: Not affected in the default COMSOL configuration
  The COMSOL software configures Apache Solr to require authentication for connecting to its API, and additionally only listens on the loopback interface by default, thus it is not accessible to remote/untrusted users.

• CVE-2025-66516
  Assessment: Not affected
  Since version 6.3 update 3 and 6.4 update 2, the COMSOL software no longer includes the affected Apache Tika module. (In versions before that the COMSOL software only used the vulnerable extraction module when indexing its own help and documentation files, not arbitrary user-supplied documents, and it was thus not exposed to untrusted inputs. Also, the COMSOL software did not index PDF documents, and Model Manager server did not index document files at all.)

Apache Solr also includes Apache SolrJ, a client library to use the Solr API. Vulnerabilities for Apache SolrJ are tracked separately from Apache Solr.

Apache Solr version

The following versions of the Apache Solr software are included with the currently supported versions of COMSOL:

• COMSOL 6.4 Update 2:
  Apache Solr 8.11.4 without Apache Tika
• COMSOL 6.3 Update 3:
  Apache Solr 8.11.4 without Apache Tika

In general, the version of the Apache Solr software included with a particular COMSOL software installation can be determined by the following steps:

1. Locate the Apache Solr subdirectory of the COMSOL software installation to target. The following are the default installation folders:
   • On Windows systems: C:\Program Files\COMSOL\COMSOL64[Product]\ext\solr
   • On macOS systems: /Applications/COMSOL64/[Product]/ext/solr
   • On Linux systems: /usr/local/comsol64/[product]/ext/solr
   • The [Product] path segment is Multiphysics for COMSOL Multiphysics and ModelManagerServer for COMSOL Model Manager Server, both in lowercase for the [product] path segment on Linux.
2. Open the CHANGES.txt file and identify the version of Apache Solr from the most recent change.
3. Look at the filenames of jar files in subdirectories of dist and server to identify the version of any third-party dependencies that are included with Apache Solr.

Removing Apache Solr

From a COMSOL Multiphysics installation

To remove all traces of Apache Solr software from an installation of COMSOL Multiphysics, locate the Multiphysics directory as described above and then delete the following directories and files inside it:

• ext/solr
• plugins/lib.external.solrj.embedded_8.11.4.jar

Additionally locate the comsol.ini file in the bin/[arch] directory, where [arch] is the current platform (win64, macarm64, maci64, glnxarm64, or glnxa64), and add the following line at the end of it:

• -Dcs.docsearch=off (end the line with a line break to ensure that it is read when processing the file)

Removing the Apache Solr software and modifying the comsol.ini file will have the following consequences:

• Online Help can be used as before.
• Local help can be used but search is disabled.
• Model Manager can use only server databases, not local databases.

Note: When performing these changes to the COMSOL Multiphysics installation you will need administrative privileges on the computer, and on Windows the text editor used to edit comsol.ini must also be launched as an administrator to be able to save the file.

From a COMSOL Model Manager Server installation

For the Model Manager server, Apache Solr software is only included with the optional Managed Apache Solr™ component. To remove it you can launch the COMSOL Model Manager Server Installer and choose Add/Remove Products and Reinstall, then uncheck this component.

Note: Without the Apache Solr software installed, the Model Manager server will not be able to automatically create server databases with managed components. See the documentation for how to use an external search index for server databases instead, where you install your own Apache Solr server and configure Model Manager server to connect to it.

種類ごとに閲覧