PCI compliance with Magento a.k.a. how to compile Solr from source

Compile Solr for Magento

A couple of weeks ago one of our enterprise clients was informed by his PCI compliance approved scanning vendor (ASV) that his business didn’t pass the quarterly scan due to security vulnerabilities in the software powering his store. Since the most important payment processing provider used by the store in question requires PCI compliance, this situation had the potential to turn into a major issue. After analyzing the ASV security scan report, we came to the conclusion that 80% of the vulnerabilities were caused by the version of Solr hosted on our server. Since we were already using the latest Solr supported by our Magento version (Solr 3.6.2), and since Solr features are very important for our client’s business, we found ourselves in a position where it was nearly impossible to achieve PCI compliance. The good news was that the patches addressing the outstanding Solr 3.6.2 vulnerabilities had already been backported from the Solr 4.x branch into the Solr 3.6 repository. The bad news was that the Solr 3.6 branch was already deprecated and we didn’t know if or when Solr 3.6.3 would be released. In this article I’ll describe how we achieved PCI compliance by compiling Solr from source.

Procedure

Even though the following instructions were created and tested on my workstation (a Debian based Linux OS), they shouldn’t be too hard to adapt to any Unix-like operating system.

First things first: besides the Java SE Development Kit (which I assume you already have installed), Solr has Apache Ant (something like GNU Make for Java) and Apache Ivy (a dependency manager for Java) as build dependencies, so you must install them before proceeding. Even though both Ant and Ivy are available in the repositories of Debian based Linux distributions, Ivy didn’t work correctly on my setup when installed globally through the package manager, so I bootstrapped it through Ant for the purpose of creating these instructions. So let’s install Apache Ant:

sudo apt-get install ant

Next step, let’s fetch the Solr 3.6 repository through Subversion and bootstrap Ivy:

cd ~
svn checkout http://svn.apache.org/repos/asf/lucene/dev/branches/lucene_solr_3_6/ lucene_solr_3_6
cd lucene_solr_3_6
ant ivy-bootstrap

After that we can proceed with compiling Solr:

ant compile

Next step, create the distribution package and copy it to the location where Jetty expects it:

cd solr
ant dist
cp ~/lucene_solr_3_6/solr/dist/apache-solr-3.6.3-SNAPSHOT.war ~/lucene_solr_3_6/solr/example/webapps/solr.war

All that’s left to do is copy the Magento specific configuration and we’re good to go:

cp -fR /path/to/magento/root/lib/Apache/Solr/conf/* ~/lucene_solr_3_6/solr/example/solr/conf/

Luckily there are no more steps; we can now start Solr 3.6.3:

cd ~/lucene_solr_3_6/solr/example/
java -jar start.jar

To make sure Solr is up and running, just open http://localhost:8983/solr/admin/registry.jsp. There you should find the Solr version information, for example:

Solr Specification Version: 3.6.3.2014.02.27.14.14.40
Solr Implementation Version: 3.6.3-SNAPSHOT 1572541 - marko - 2014-02-27 14:14:40
Lucene Specification Version: 3.6.3-SNAPSHOT
Lucene Implementation Version: 3.6.3-SNAPSHOT 1572541 - marko - 2014-02-27 14:08:50

All that’s left to do is upload the new Solr version to your live environment and adjust the file system paths in the init script you use to start Solr. More about that in the relevant Magento KB article.

That’s all there is to compiling Solr from source.

Relevant links

Now that you have the latest Solr code compiled, you can contact your PCI compliance ASV, explain the situation, and they’ll most likely mark the Solr related issues as false positives.

Here are some links you can use in communication with your PCI compliance ASV after you deploy Solr 3.6.3 snapshot to your live environment.

Together with the preceding links, your ASV will most likely ask you for proof that you are running a Solr version compiled from source code at a later revision than the ones fixing these vulnerabilities. To confirm this, you can provide access to the Solr version page in your live environment as described in the previous section (we compiled r1572541 for this article).
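Before handing that evidence to the ASV it is worth checking the build revision yourself. The snippet below is an added example written for this article's scenario (it is not code from the original post or from the Solr project): it parses the "Solr Implementation Version" line shown on registry.jsp, extracts the SVN revision the WAR was built from, and compares it against a minimum revision. The sample text is constructed from the version lines shown above; the minimum revision in the usage is a placeholder, since the real threshold comes from the fix commits referenced in your ASV report; and the live-page helper assumes that stripping HTML tags from registry.jsp leaves one "Label: value" line per entry, which you should confirm against your own instance.

```shell
#!/bin/sh
# Added example (not from the original article or the Solr project):
# verify that a running Solr was built from at least a given SVN revision,
# using the "Solr Implementation Version" string shown on registry.jsp.

# Constructed sample of the version lines, taken from the article's output.
SAMPLE_REGISTRY='Solr Specification Version: 3.6.3.2014.02.27.14.14.40
Solr Implementation Version: 3.6.3-SNAPSHOT 1572541 - marko - 2014-02-27 14:14:40
Lucene Specification Version: 3.6.3-SNAPSHOT
Lucene Implementation Version: 3.6.3-SNAPSHOT 1572541 - marko - 2014-02-27 14:08:50'

# Print the SVN revision embedded in the "Solr Implementation Version" line
# read from stdin (the number following the version string); prints nothing
# when that line is absent, so callers can tell "unverifiable" from "old".
solr_build_revision() {
    sed -n 's/^Solr Implementation Version: *[^ ]* *\([0-9][0-9]*\) .*$/\1/p' | head -n 1
}

# Exit 0 when the revision in the text on stdin is >= the minimum in $1,
# 1 when it is older, and 2 when no revision could be found at all.
check_min_revision() {
    min="$1"
    rev=$(solr_build_revision)
    [ -n "$rev" ] || return 2
    [ "$rev" -ge "$min" ]
}

# Fetch the live registry page and run the check. Assumption: stripping the
# HTML tags leaves each "Label: value" pair on its own line, as in the sample.
# Usage (REQUIRED_REVISION is a placeholder to fill from the fix commits):
#   check_live_solr http://localhost:8983/solr/admin/registry.jsp REQUIRED_REVISION
check_live_solr() {
    curl -s "$1" | sed 's/<[^>]*>//g' | check_min_revision "$2"
}
```

Run `printf '%s\n' "$SAMPLE_REGISTRY" | check_min_revision 1500000` to see the check pass on the sample; a threshold above 1572541 makes it fail, and input without the version line returns status 2, which distinguishes a page that did not render from a genuinely old build.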

That’s all for today, good luck and stay PCI compliant!
