An omission has been discovered that meant that HTTP access to repository APIs under the paths /alfresco/s/api/solr, /alfresco/wcservice/api/solr and /alfresco/wcs/api/solr were not protected by SOLR’s SSL certificate and could potentially be used by an unauthenticated user to retrieve information from the repository. This issue affects you whether or not you have configured and installed SOLR for search.
The issue is easily addressed by adding some XML to your web.xml. If you take a look at the web.xml file, you'll see a security-constraint element that matches on the '/service/api/solr' pattern. The issue is that the web script is accessible via several other patterns not covered by existing security constraints.