It was found that the XML and XSLT UpdateRequestHandler classes in Apache Solr would resolve external entities, permitting XXE attacks. A remote attacker could use this flaw to read files accessible to the user running the application server, and potentially perform other more advanced XXE attacks.
Upstream Bug: https://issues.apache.org/jira/browse/SOLR-3895
Upstream Patch: https://issues.apache.org/jira/secure/attachment/12546766/SOLR-3895%2B3614.patch
This issue has been addressed in the following products:
Red Hat JBoss Web Framework Kit 2.4.0
Via RHSA-2013:1844 https://rhn.redhat.com/errata/RHSA-2013-1844.html
This issue has been addressed in the following products:
Red Hat JBoss Data Grid 6.2.0
Via RHSA-2014:0029 https://rhn.redhat.com/errata/RHSA-2014-0029.html
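The flaw described at the top of this page is external entity resolution in the XML and XSLT parsing paths. The following is an added example, not Solr's code and not the upstream patch: it shows how standard JAXP factories can be configured so that untrusted XML cannot trigger external entity resolution. It assumes the JDK's built-in JAXP implementation; the class name, method names and the sample document are constructed for illustration.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;
import javax.xml.transform.TransformerFactory;

public class HardenedXmlFactories {
    // StAX factory for untrusted request bodies: no DTD processing, no external entities.
    static XMLInputFactory hardenedStax() {
        XMLInputFactory f = XMLInputFactory.newInstance();
        f.setProperty(XMLInputFactory.SUPPORT_DTD, Boolean.FALSE);
        f.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, Boolean.FALSE);
        // Defence in depth: if resolution is still attempted, fail instead of fetching.
        f.setXMLResolver((pub, sys, base, ns) -> { throw new XMLStreamException("external entity blocked: " + sys); });
        return f;
    }

    // XSLT factory: secure processing on, no external DTD or stylesheet access.
    // Third-party transformers on the classpath may reject the ACCESS_* attributes
    // with IllegalArgumentException; treat that as a configuration error.
    static TransformerFactory hardenedXslt() throws Exception {
        TransformerFactory tf = TransformerFactory.newInstance();
        tf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
        return tf;
    }

    // Concatenates all character data in the document using the given factory.
    static String textOf(XMLInputFactory f, String xml) throws XMLStreamException {
        XMLStreamReader r = f.createXMLStreamReader(new StringReader(xml));
        StringBuilder sb = new StringBuilder();
        while (r.hasNext()) {
            r.next();
            if (r.isCharacters()) sb.append(r.getText());
        }
        return sb.toString();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: an update message whose DTD declares an external entity.
        String doc = "<!DOCTYPE add [<!ENTITY ext SYSTEM \"file:///constructed/placeholder\">]>"
            + "<add><doc><field name=\"id\">&ext;</field></doc></add>";
        hardenedXslt(); // throws if the transformer implementation rejects the settings
        try {
            System.out.println("text: '" + textOf(hardenedStax(), doc) + "'");
        } catch (XMLStreamException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

With these settings the parser either rejects the document or leaves the entity unexpanded; in neither case is the referenced resource read. A regression test can assert exactly that against every XML entry point an application exposes.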