Default Opensolr HTTP Auth Credentials

• It is now mandatory, that every Opensolr index is password protected.
• When creating a new index, the default HTTP Auth credentials, are:
  • Username: opensolr
  • Password: Your account's Automation REST API KEY, that can be found in your dashboard, at: https://opensolr.com/admin/solr_manager/dashboard
• You can always change your HTTP Auth credentials, from your Opensolr Index Control Panel, by clicking on the Security tab, on the left side of the index administration menu.

• What is the log4j exploit?
  • Without going into too much detail, to make a long story short:
  • The log4j vulnerability (CVE-2021-44228) is an exploit that can be used by attackers (or anybody else) to execute remote code, on a vulnerable system, because log4j will actually grab any line in the log file, that matches a certain format, and execute that line as if it was a native command / program.
• Is the Opensolr service vulnerable to the lg4j exploit?
  • No. This vulnerability has been fully patched throughout the entire Opensolr ecosystem, on Dec. 11 2021.
• Did this vulnerability affect aything on my servers?
  • No. However, you should probably do the due dilligence of patching any Java application you may be running on your end or in your organization, if they are using log4j (which they most probably do).
• I am running Solr version 1 2 3 4 5 6 7 or 8. Am I safe?
  • Yes. This patch applies to all Solr versions. So you can keep running your Solr version that you are running now.
  • This is not a Solr vulnerability. It is a log4j vulnerability, which affects ANY Java applications that use the log4j library. So having log4j patched, will solve this issue for any Solr version.
  • However if you must use a different Solr version, you can go to your Opensolr Control Panel and add a new index, in a more recent Solr Version Container (server).
  • We can do that for you, but it's not going to be free.
• I am running Solr, and/or other Java applications with log4j on my own. What do I have to do?
  • Google is your friend (as opposed to the popular belief).
  • The websites it finds while searching for this topic, will give you hints and ideas about how to mitigate this exploit.

Dataimport (DIH) can not be reached

Due to certain security concerns, the dataimport (DIH) Solr feature is now globally disabled, form the entire Opensolr ecosystem.
However, you are still free to use the dataimport (DIH) Solr feature, by requesting that we enable it for your index(es), using our Support Helpdesk, at: https://opensolr.freshdesk.com/ or, directly via email, at support@opensolr.com

Important:

• It is now mandatory, that every Opensolr index is password protected.
• When creating a new index, the default HTTP Auth credentials, are:
  • Username: opensolr
  • Password: Your account's Automation REST API KEY, that can be found in your dashboard, at: https://opensolr.com/admin/solr_manager/dashboard
• You can always change your HTTP Auth credentials, from your Opensolr Index Control Panel, by clicking on the Security tab, on the left side of the index administration menu.

1. General data privacy terms

Becoming an Opensolr member, is only possible via the Opensolr Registration Form.
By becoming an Opensolr member, you agree with the Terms of Service, the General Privacy Policy, and this GDPR Privacy Agreement.

2. Data Collected by Opensolr

Opensolr collects mandatory minimal information about the user for the purpose of registration.
Such mandatory data is limited to: First name, Last Name, Email.
Opensolr members, may at any time alter the First Name and Last Name.
Opensolr members have the right, to optionally add more personal data, such as (but not limited to): Personal Website, Facebook ID, etc.
Opensolr members have the right, to optionally create Opensolr Cloud Index(es) and store any type of data in them.
Opensolr does not ever directly collect, store or process any billing, or payment information from the Opensolr members or any other 3rd parties, whatsoever.

3. Opensolr Personal Data Processing

Opensolr will never make any member's personal data information, public, nor will Opensolr ever sell or trade this information with any 3-rd party.
Opensolr will use the email as identification upon every login action.
Opensolr provides strict security measures for the data that is being stored and processed via the Opensolr Shared or Dedicated Cloud Servers.
Details on the Opensolr Cloud Data Security can be found at: https://opensolr.com/faq/view/data-security.
As stated at #2, Opensolr will never directly collect, store or process any billing or payment information from the Opensolr members, or any other 3rd parties, whatsoever.
All payments, and billing present on the Opensolr website, and, inside the Opensolr Billing Control Panel, is a front-end to the highly secure PCI Compliant, APIs of Stripe.com
Opensolr will never send any unsolicited emails, postal letters, of any kind.
All Opensolr communications are fully mandatory when becoming an opensolr member.
All Opensolr communications will be limited to the following:

• System maintenance alerts
• System emergency failure or action alerts
• Membership alerts, such as (but not limited to):
  • Free trial expiration
  • Resource depletion (bandwidth exceeded, disk space exceeded, etc)
  • Other alerts which are otherwise vital to the Opensolr member, and the service provided by Opensolr.
  • Registration Welcome messages
  • Password retreival messages
• Periodic Opensolr Cloud Systems developments that are relevant to all Opensolr members

To opt out of any of the above communications, please send a request to support@opensolr.com, for canceling your opensolr membership.

You can enable TFA in your Opensolr account as follows:

• Login to your account at: https://opensolr.com/users/login
• Navigate to User->Two Factor Authentication
• Enter your phone number
• Enjoy Two Factor Authentication the next time you logout/login!

Here are the security mechanisms implemented by Opensolr.com

• IP Access rules per Request Handlers
  • Users are able to se certain Request Handlers (/select, /update, etc...) to be accessible from certain IP address, OR the "all" wildcard.
• HTTP Authentication 
  • ​Users are able to set a username and password for their index, so that every Request Handler in the index is only accessible upon valid HTTP Authentication.
• SSL connections
  • ​All connections throughout the entire Opensolr.com website, and throughout all of the opensolr cloud servers, are powered by state of the art SSL encryption.