Fix CVE-2025-66516: Upgrade to Solr 9.10 with external Tika server

Makefile

@@ -182,6 +182,55 @@ stack-rm:  ## Local Stack: Remove Services and Volumes
 	@echo "Remove local volume data"
 	@docker volume rm $(PROJECT_NAME)_vol-site-data
 
+
+###########################################
+# SOLR
+###########################################
+
+BACKEND_FOLDER=$(shell dirname $(realpath $(firstword $(MAKEFILE_LIST))))
+
+SOLR_DATA_FOLDER?=${BACKEND_FOLDER}/data
+SOLR_ONLY_COMPOSE?=${BACKEND_FOLDER}/docker-compose.yml
+
+## Solr docker utils
+test-stack-name:
+	# The STACK_NAME env variable must exist and discriminate between your projects,
+	# and the purpose of the container (_DEV, _STACK, _TEST)
+	test -n "$(STACK_NAME)"
+
+.PHONY: solr-start
+solr-start: test-stack-name ## Start solr
+	@echo "Start solr"
+	@COMPOSE_PROJECT_NAME=${STACK_NAME} docker compose -f ${STACK_FILE} up -d solr tika
+
+.PHONY: solr-start-and-rebuild
+solr-start-and-rebuild: test-stack-name ## Start solr and rebuild containers, erases content
+	@echo "Start solr and rebuild"
+	@COMPOSE_PROJECT_NAME=${STACK_NAME} docker compose -f ${STACK_FILE} up -d --build solr tika
+
+.PHONY: solr-start-fg
+solr-start-fg: test-stack-name ## Start solr in foreground
+	@echo "Start solr in foreground"
+	@COMPOSE_PROJECT_NAME=${STACK_NAME} docker compose -f ${STACK_FILE} up solr tika
+
+.PHONY: solr-stop
+solr-stop: test-stack-name ## Stop solr
+	@echo "Stop solr"
+	@COMPOSE_PROJECT_NAME=${STACK_NAME} docker compose -f ${STACK_FILE} down solr tika
+
+.PHONY: solr-logs
+solr-logs: test-stack-name ## Show solr logs
+	@echo "Show solr logs"
+	@COMPOSE_PROJECT_NAME=${STACK_NAME} docker compose -f ${STACK_FILE} logs -f solr
+
+.PHONY: solr-activate-and-reindex
+solr-activate-and-reindex: ## Activate solr and reindex content
+	$(MAKE) -C "./backend/" solr-activate-and-reindex
+
+.PHONY: solr-activate-and-reindex-clear
+solr-activate-and-reindex-clear: ## Activate solr and reindex content with clear
+	$(MAKE) -C "./backend/" solr-activate-and-reindex-clear
+
 ###########################################
 # Acceptance
 ###########################################

backend/Makefile

@@ -94,6 +94,14 @@ console: $(VENV_FOLDER) instance/etc/zope.ini ## Start a console into a Plone in
 create-site: $(VENV_FOLDER) instance/etc/zope.ini ## Create a new site from scratch
 	@$(BIN_FOLDER)/zconsole run instance/etc/zope.conf ./scripts/create_site.py
 
+.PHONY: solr-activate-and-reindex
+solr-activate-and-reindex: $(VENV_FOLDER) instance/etc/zope.ini ## Activate solr and reindex content
+	@PYTHONWARNINGS=ignore $(BIN_FOLDER)/zconsole run instance/etc/zope.conf ./scripts/solr_activate_and_reindex.py
+
+.PHONY: solr-activate-and-reindex-clear
+solr-activate-and-reindex-clear: $(VENV_FOLDER) instance/etc/zope.ini ## Activate solr and reindex content with clear
+	@PYTHONWARNINGS=ignore $(BIN_FOLDER)/zconsole run instance/etc/zope.conf ./scripts/solr_activate_and_reindex.py --clear
+
 # Example Content
 .PHONY: update-example-content
 update-example-content: $(VENV_FOLDER) ## Export example content inside package

backend/news/+fix-tikka-sec-vulnerability.bugfix

@@ -0,0 +1 @@
+Enable the `use_tika` setting from `collective.solr` to make sure text can be extracted from binary files with recent versions of Solr. @reebalazs

backend/src/kitconcept/solr/profiles/default/metadata.xml

@@ -1,6 +1,6 @@
 <?xml version="1.0" encoding="utf-8"?>
 <metadata>
-  <version>1000</version>
+  <version>1001</version>
   <dependencies>
     <dependency>profile-collective.solr:default</dependency>
   </dependencies>

backend/src/kitconcept/solr/profiles/default/registry/collective.solr.xml

@@ -0,0 +1,8 @@
+<?xml version="1.0" encoding="utf-8"?>
+<registry>
+
+  <record name="collective.solr.use_tika">
+    <value>True</value>
+  </record>
+
+</registry>

backend/src/kitconcept/solr/upgrades/configure.zcml

@@ -4,4 +4,15 @@
     i18n_domain="kitconcept.solr"
     >
 
+  <genericsetup:upgradeSteps
+      profile="kitconcept.solr:default"
+      source="1000"
+      destination="1001"
+      >
+    <genericsetup:upgradeDepends
+        title="Enable use_tika in collective.solr for external Tika server"
+        import_steps="plone.app.registry"
+        />
+  </genericsetup:upgradeSteps>
+
 </configure>

backend/tests/setup/test_setup_install.py

@@ -8,10 +8,6 @@ class TestSetupInstall:
     def test_addon_installed(self, installer):
         assert installer.is_product_installed(PACKAGE_NAME) is True
 
-    def test_latest_version(self, profile_last_version):
-        """Test latest version of default profile."""
-        assert profile_last_version(f"{PACKAGE_NAME}:default") == "1000"
-
     def test_browserlayer(self, browser_layers):
         """Test that IKitconceptSolrLayer is registered."""
         from kitconcept.solr.interfaces import IKitconceptSolrLayer

docker-compose-ci.yml

@@ -7,16 +7,28 @@ name: kitconcept-solr-ci
 
 services:
 
+  tika-acceptance:
+    image: apache/tika:3.2.3.0-full
+    profiles: ["ci"]
+    ports:
+      - 9998:9998
+
   solr-acceptance:
     build:
       context: ./solr
     profiles: ["ci"]
+    depends_on:
+      - tika-acceptance
     ports:
       - 8983:8983
     command:
       - solr-precreate
       - plone
       - /plone-config
+    environment:
+      SOLR_MODULES: extraction
+      SOLR_OPTS: "-Dsolr.tika.url=http://tika-acceptance:9998"
+
   frontend-acceptance:
     image: ghcr.io/kitconcept/kitconcept-solr-frontend:${BASE_TAG}
     pull_policy: always

docker-compose-dev.yml

@@ -3,17 +3,28 @@ name: kitconcept-solr-acceptance
 
 services:
 
+  tika-acceptance:
+    image: apache/tika:3.2.3.0-full
+    profiles: ["acceptance", "dev", "solr"]
+    ports:
+      - 9998:9998
+
   solr-acceptance:
     build:
       context: ./solr
     pull_policy: build
     profiles: ["acceptance", "dev", "solr"]
+    depends_on:
+      - tika-acceptance
     ports:
       - 8983:8983
     command:
       - solr-precreate
       - plone
       - /plone-config
+    environment:
+      SOLR_MODULES: extraction
+      SOLR_OPTS: "-Dsolr.tika.url=http://tika-acceptance:9998"
 
   frontend: &frontend
     build:

docker-compose.yml

@@ -98,16 +98,25 @@ services:
       - traefik.http.routers.rt-backend-classic.service=svc-backend
       - traefik.http.routers.rt-backend-classic.middlewares=gzip,mw-backend-auth,mw-backend-vhm-classic
 
+  tika:
+    image: apache/tika:3.2.3.0-full
+    ports:
+      - 9998:9998
+
   solr:
     build:
       context: solr/
     ports:
       - 8983:8983
+    depends_on:
+      - tika
     command:
       - solr-precreate
       - plone
       - /plone-config
-
+    environment:
+      SOLR_MODULES: extraction
+      SOLR_OPTS: "-Dsolr.tika.url=http://tika:9998"
 
 volumes:
   vol-site-data: {}

docs/docs/how-to-guides/index.md

@@ -19,6 +19,11 @@ https://diataxis.fr/how-to-guides/
 ```
 
 
+## Security Upgrades
+
+-   {doc}`upgrade-cve-2025-66516`
+
+
 ## Authors
 
 -   {doc}`plone:contributing/documentation/myst-reference`

docs/docs/how-to-guides/upgrade-cve-2025-66516.md

@@ -0,0 +1,55 @@
+---
+myst:
+  html_meta:
+    "description": "Upgrade guide for CVE-2025-66516 Tika vulnerability fix"
+    "property=og:description": "Upgrade guide for CVE-2025-66516 Tika vulnerability fix"
+    "property=og:title": "Upgrade guide for CVE-2025-66516"
+    "keywords": "Plone, kitconcept Solr, security, CVE, Tika, upgrade"
+---
+
+# Upgrade Guide: CVE-2025-66516 (Tika XXE Vulnerability)
+
+This guide explains what changes are required after upgrading to address the CVE-2025-66516 vulnerability in Apache Tika.
+
+This fix is included in `kitconcept.solr` version **2.0.0a8** and later. This guide applies to all version 2 users, as well as users upgrading from version 2.0.0a7 or earlier to later 2.x versions.
+
+**Note for version 1.x alpha users:** Version 1.x was never officially released (the project transitioned directly to version 2 with the new repository structure). Users of the 1.x alpha versions are recommended to migrate to version 2, which can be done without any further changes.
+
+## Background
+
+CVE-2025-66516 is a critical XML External Entity (XXE) vulnerability in Apache Tika versions prior to 3.2.0. The fix involves upgrading to Solr 9.10 with an external Tika 3.2.3 server.
+
+## Users on the Vanilla kitconcept.solr Image
+
+You are using the vanilla image if your Docker Compose configuration references:
+
+```yaml
+solr:
+  image: ghcr.io/kitconcept/solr
+```
+
+You will need to start running the Tika server as a separate service.
+Check the project's `docker-compose.yml` for the current reference configuration.
+
+Then pull the new `ghcr.io/kitconcept/solr` image and restart your services. The updated image includes:
+
+- Solr 9.10 with the `extraction` module enabled
+- Configuration to use an external Tika 3.2.3 server (patched against CVE-2025-66516)
+
+By default, Solr will connect to the Tika server at `http://tika:9998`.
+You can override this using the `solr.tika.url` environment variable.
+
+## Users with Custom Solr Images
+
+If you've built custom Solr images based on this project, you'll need to rebuild your image with the updated configuration.
+
+**Important:** The fix lies entirely in the configuration update, not in the `kitconcept.solr` Python package. You don't need to upgrade `kitconcept.solr` to fix this vulnerability.
+
+The key configuration changes are:
+
+1. **Solr version**: Upgrade to the newest Solr version (9.x). The base image should be `solr:9.10` or later in your Dockerfile.
+2. **Environment variable**: Set `SOLR_MODULES=extraction` to enable the extraction module in Solr 9.x
+3. **External Tika server**: Configure Tika as an external service using version 3.2.3 or later
+4. **Remove embedded Tika**: The embedded Tika library directives are no longer needed in `solrconfig.xml`
+
+Refer to the project's Solr configuration files and Docker Compose setup for implementation details.

docs/styles/config/vocabularies/Plone/accept.txt

@@ -1,3 +1,7 @@
+`collective.solr`
+collective\.solr
+`kitconcept.solr`
+kitconcept\.solr
 `plone.api`
 `plone.restapi`
 `plone.volto`
@@ -13,6 +17,7 @@ buildout
 cacheable
 CommonJS
 doctest
+Dockerfile
 folderish
 fieldset
 getter
@@ -36,7 +41,10 @@ Razzle
 RichText
 Sass
 Schuko
+Solr
+solrconfig
 subfolder
+Tika
 [Tt]owncrier
 transpile[dr]{0,1}
 [Uu]ncomment

news/+fix-tikka-sec-vulnerability.bugfix

@@ -0,0 +1,2 @@
+Upgrade to Solr 9.10 with external Tika server 3.2.3 to fix CVE-2025-66516.
+See docs/docs/how-to-guides/upgrade-cve-2025-66516.md for details. @reebalazs

solr/Dockerfile

@@ -1,9 +1,9 @@
 # syntax=docker/dockerfile:1
-FROM solr:8
+FROM solr:9.10
 
 LABEL maintainer="kitconcept, GmbH <info@kitconcept.com>" \
       org.label-schema.name="ghcr.io/kitconcept/solr" \
-      org.label-schema.description="Solr 8 image with Plone default settings" \
+      org.label-schema.description="Solr 9 image with Plone default settings" \
       org.label-schema.vendor="kitconcept, GmbH"
 
 # Copy default plone configuration for this image

solr/etc/conf/solrconfig.xml

@@ -1,6 +1,6 @@
 <?xml version="1.0" encoding="utf-8"?>
 <config>
-  <luceneMatchVersion>4.5</luceneMatchVersion>
+  <luceneMatchVersion>9.12</luceneMatchVersion>
 
   <dataDir>${solr.data.dir:}</dataDir>
 
@@ -11,33 +11,6 @@
   <codecFactory class="solr.SchemaCodecFactory" />
   <schemaFactory class="ClassicIndexSchemaFactory" />
 
-  <!-- TIKA START -->
-  <!-- Load Data Import Handler and Apache Tika (extraction) libraries -->
-  <lib dir="${solr.install.dir:../../../..}/dist/"
-       regex="solr-dataimporthandler-.*\.jar"
-  />
-
-  <lib dir="${solr.install.dir:../../../..}/contrib/extraction/lib"
-       regex=".*\.jar"
-  />
-  <lib dir="${solr.install.dir:../../../..}/dist/"
-       regex="solr-cell-\d.*\.jar"
-  />
-
-  <lib dir="${solr.install.dir:../../../..}/contrib/langid/lib/"
-       regex=".*\.jar"
-  />
-  <lib dir="${solr.install.dir:../../../..}/dist/"
-       regex="solr-langid-\d.*\.jar"
-  />
-
-  <lib dir="${solr.install.dir:../../../..}/contrib/velocity/lib"
-       regex=".*\.jar"
-  />
-  <lib dir="${solr.install.dir:../../../..}/dist/"
-       regex="solr-velocity-\d.*\.jar"
-  />
-
   <!-- Request Dispatcher
        This section contains instructions for how the SolrDispatchFilter
        should behave when processing requests for this SolrCore.
@@ -118,11 +91,16 @@
 
   <!-- Solr Cell Update Request Handler
        http://wiki.apache.org/solr/ExtractingRequestHandler
+       Uses external Tika server for document parsing (CVE-2025-66516 mitigation)
     -->
   <requestHandler class="solr.extraction.ExtractingRequestHandler"
                   name="/update/extract"
                   startup="lazy"
   >
+    <!-- Use external Tika server instead of local (deprecated) backend -->
+    <str name="extraction.backend">tikaserver</str>
+    <str name="tikaserver.url">${solr.tika.url:http://tika:9998}</str>
+
     <lst name="defaults">
       <str name="lowernames">true</str>
       <str name="uprefix">ignored_</str>
@@ -133,7 +111,6 @@
       <str name="fmap.div">ignored_</str>
     </lst>
   </requestHandler>
-  <!-- TIKA END -->
 
   <!-- The default high-performance update handler -->
   <updateHandler class="solr.DirectUpdateHandler2">