A couple of weeks ago, one of our enterprise clients was informed by his PCI compliance Approved Scanning Vendor (ASV) that his business did not pass the quarterly scan due to security vulnerabilities in the software powering his store. Since the most important payment processing solution provider used by the store in question requires PCI compliance, this situation had the potential to turn into a major issue. After analyzing the ASV security scan report, we came to the conclusion that 80% of the vulnerabilities were caused by the version of Solr hosted on our server. Since we were already using the latest Solr supported by our Magento version (Solr 3.6.2), and since Solr features are very important for our client's business, we found ourselves in a position where it was nearly impossible to achieve PCI compliance. The good news was that patches addressing the outstanding Solr 3.6.2 vulnerabilities had already been backported from the Solr 4.x branch into the Solr 3.6 repository. The bad news was that the Solr 3.6 branch was already deprecated and we didn't know if or when Solr 3.6.3 would be released. In this article I'll describe how we achieved PCI compliance by compiling Solr from source.
Even though the following instructions were created and tested on my workstation configuration (a Debian based Linux OS), they shouldn't be too hard to adapt to any Unix-like operating system.
First things first: besides the Java SE Development Kit (which I assume you already have installed), Solr has Apache Ant (something like GNU Make for Java) and Apache Ivy (a dependency manager for Java) as build dependencies, so you must install them before proceeding. Even though both Ant and Ivy are available in the Debian based Linux distribution repositories, Ivy didn't work correctly on my setup when installed globally through the package manager, so I bootstrapped it through Ant for the purpose of these instructions. So let's install Apache Ant:
```
sudo apt-get install ant
```
Next step, let's fetch the Solr 3.6 repository through Subversion and bootstrap Ivy:
```
cd ~
svn checkout http://svn.apache.org/repos/asf/lucene/dev/branches/lucene_solr_3_6/ lucene_solr_3_6
cd lucene_solr_3_6
ant ivy-bootstrap
```
After that we can proceed with compiling Solr:
Next step, create the distribution package and copy it to the location where Jetty expects it:
```
cd solr
ant dist
cp ~/lucene_solr_3_6/solr/dist/apache-solr-3.6.3-SNAPSHOT.war ~/lucene_solr_3_6/solr/example/webapps/solr.war
```
All that's left to do is copy the Magento specific configuration and we're good to go:
```
cp -fR /path/to/magento/root/lib/Apache/Solr/conf/* ~/lucene_solr_3_6/solr/example/solr/conf/
```
Luckily, there are no more steps; we can start Solr 3.6.3:
```
cd ~/lucene_solr_3_6/solr/example/
java -jar start.jar
```
To make sure Solr is up and running, just go to http://localhost:8983/solr/admin/registry.jsp. There you should find the Solr version information, for example:
```
Solr Specification Version: 3.6.3.2014.02.27.14.14.40
Solr Implementation Version: 3.6.3-SNAPSHOT 1572541 - marko - 2014-02-27 14:14:40
Lucene Specification Version: 3.6.3-SNAPSHOT
Lucene Implementation Version: 3.6.3-SNAPSHOT 1572541 - marko - 2014-02-27 14:08:50
```
All that's left to do is upload the new Solr version to your live environment and adjust the file system paths inside the init script you use to start Solr. More about that inside the relevant Magento KB article.
That's all there is to compiling Solr from source.
Now that you have the latest Solr code compiled, you can contact your PCI compliance ASV, explain the situation, and they'll most likely mark the Solr related issues as false positives.
Here are some links you can use in communication with your PCI compliance ASV after you deploy the Solr 3.6.3 snapshot to your live environment.
- r1547011 – relevant Solr 3.6 branch SVN repository commit 1
- r1546958 – relevant Solr 3.6 branch SVN repository commit 2
Together with the preceding links, your ASV will most likely ask you for proof that you are running a Solr version compiled from a source revision later than the ones fixing these vulnerabilities. To confirm this, you can provide access to the Solr version page in the live environment, as described in the previous section (we compiled r1572541 for this article).
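The comparison the ASV is asking for (the build revision shown on the version page versus the two fix commits linked above) is easy to get wrong by eye, so here is a small POSIX shell check, added to this article and not part of Solr or Magento, that extracts the SVN revision from the "Solr Implementation Version" line and verifies it is newer than both fix revisions. The version text is embedded as a constructed sample copied from the registry page output shown earlier; fetching it from a live instance and stripping the HTML is left as an assumption noted in the comments.

```shell
#!/bin/sh
# Constructed sample: the version lines as reported by registry.jsp for the
# build made in the article. On a live system you would fetch
# http://host:8983/solr/admin/registry.jsp and strip the HTML first (assumption:
# the label/value pairs survive as "Label: value" lines after tag removal).
SAMPLE_REGISTRY='Solr Specification Version: 3.6.3.2014.02.27.14.14.40
Solr Implementation Version: 3.6.3-SNAPSHOT 1572541 - marko - 2014-02-27 14:14:40
Lucene Specification Version: 3.6.3-SNAPSHOT
Lucene Implementation Version: 3.6.3-SNAPSHOT 1572541 - marko - 2014-02-27 14:08:50'

# The two Solr 3.6 branch commits the article links to as fixing the findings.
FIX_REVISIONS="1547011 1546958"

# Print the SVN revision number embedded in the "Solr Implementation Version"
# line ("<version> <revision> - <user> - <date>"); prints nothing if absent.
solr_build_revision() {
    printf '%s\n' "$1" | sed -n 's/^Solr Implementation Version: [^ ]* \([0-9][0-9]*\) .*/\1/p'
}

# Return 0 when the build revision is strictly newer than every fix revision,
# 1 when it is older/equal or when no revision could be found at all.
build_includes_fixes() {
    rev=$(solr_build_revision "$1")
    [ -n "$rev" ] || return 1
    for fix in $FIX_REVISIONS; do
        [ "$rev" -gt "$fix" ] || return 1
    done
    return 0
}

# Report the result for the embedded sample.
if build_includes_fixes "$SAMPLE_REGISTRY"; then
    echo "build r$(solr_build_revision "$SAMPLE_REGISTRY") is newer than fix revisions: $FIX_REVISIONS"
else
    echo "build revision missing or older than one of the fix revisions: $FIX_REVISIONS" >&2
fi
```

The numeric comparison only works because Subversion revisions on a single branch are monotonically increasing; the check also deliberately fails closed when the version line is missing, so an unpatched stock package (whose version string carries no revision) is never reported as fixed.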
That’s all for today, good luck and stay PCI compliant!