lucene-dev mailing list archives

From "Shalin Shekhar Mangar (JIRA)" <j...@apache.org>
Subject [jira] [Resolved] (SOLR-10624) Security Vulnerability in secure inter-node communication in Apache Solr
Date Fri, 07 Jul 2017 13:46:00 GMT

     [ https://issues.apache.org/jira/browse/SOLR-10624?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Shalin Shekhar Mangar resolved SOLR-10624.
------------------------------------------
    Resolution: Fixed

> Security Vulnerability in secure inter-node communication in Apache Solr
> ------------------------------------------------------------------------
>
>                 Key: SOLR-10624
>                 URL: https://issues.apache.org/jira/browse/SOLR-10624
>             Project: Solr
>          Issue Type: Bug
>      Security Level: Public(Default Security Level. Issues are Public) 
>          Components: security, SolrCloud
>    Affects Versions: 5.3, 5.5.4, 6.5, 6.5.1
>            Reporter: Shalin Shekhar Mangar
>            Assignee: Noble Paul
>            Priority: Critical
>             Fix For: 5.5.5, 7.0, 6.6
>
>
> Solr uses a PKI based mechanism to secure inter-node communication
> when security is enabled. It is possible to fake it by cleverly
> constructing a node name that does not exist and pointing to the
> attacker's machine. This means the system is only as secure as an
> unprotected Solr while the user believes it is secure.
> Who is affected?
> This feature was introduced in SOLR-7849 (Solr 5.3). So, every release
> after 5.3 is vulnerable if it uses this feature. Systems using
> BasicAuth are affected and any custom authentication implementations
> using this feature may also be vulnerable. However, Kerberos users are
> unaffected.
> What is the fix?
> The fix includes checking if the node name is actually a member of the
> live_nodes set.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@lucene.apache.org
For additional commands, e-mail: dev-help@lucene.apache.org
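The following is an added example, not code from Solr or from the issue above. It models the flow the report describes: a requesting node sends its node name plus a signed timestamp, and the receiver derives the sender's base URL from that name, fetches the sender's public key from there, and verifies the signature. If the receiver trusts the claimed name as the key source, an attacker can claim a non-existent node name that resolves to a host the attacker controls, serve their own public key, and pass verification. The fix described in the issue, checking the name against ZooKeeper's live_nodes set before fetching anything, is shown beside the vulnerable logic. The node names, addresses, header layout, key-fetch behaviour and the textbook RSA with tiny fixed primes are all constructed for the demo and are not Solr's actual implementation.

```python
"""Toy model of SOLR-10624: why checking the node name against live_nodes matters."""
import hashlib

# --- textbook RSA over small fixed primes: demo signatures only, NOT secure ---
def toy_keypair(p: int, q: int, e: int = 65537):
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))
    return (n, e), (n, d)          # (public, private)

def _digest(msg: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n

def sign(priv, msg: bytes) -> int:
    n, d = priv
    return pow(_digest(msg, n), d, n)

def verify(pub, msg: bytes, sig: int) -> bool:
    n, e = pub
    return pow(sig, e, n) == _digest(msg, n)

# --- constructed cluster state (assumed values, not taken from the issue) ---
REAL_PUB, REAL_PRIV = toy_keypair(104729, 1299709)
ATTACKER_PUB, ATTACKER_PRIV = toy_keypair(7919, 15485863)

# Node names registered in ZooKeeper's live_nodes (host:port_context form).
LIVE_NODES = {"10.0.0.11:8983_solr", "10.0.0.12:8983_solr"}

# What a public-key request sent to the host derived from a node name would
# return. Whoever controls that host answers, so the attacker's host
# (203.0.113.5, a constructed address) serves the attacker's own key.
KEY_SERVERS = {
    "10.0.0.11:8983_solr": REAL_PUB,
    "10.0.0.12:8983_solr": REAL_PUB,
    "203.0.113.5:8983_solr": ATTACKER_PUB,
}

def fetch_public_key(node_name: str):
    """Models fetching the key from the URL derived from node_name (assumed)."""
    return KEY_SERVERS.get(node_name)

def make_header(node_name: str, priv, timestamp: bytes = b"1499434800000"):
    """Inter-node auth header as modeled here: (claimed node name, timestamp, signature)."""
    return node_name, timestamp, sign(priv, timestamp)

def authenticate_vulnerable(header) -> bool:
    """Pre-fix logic: the claimed node name alone decides where the key comes from."""
    node_name, timestamp, sig = header
    pub = fetch_public_key(node_name)
    return pub is not None and verify(pub, timestamp, sig)

def authenticate_fixed(header, live_nodes) -> bool:
    """Post-fix logic: only a name present in live_nodes may be used as a key source."""
    node_name, timestamp, sig = header
    if node_name not in live_nodes:
        return False
    pub = fetch_public_key(node_name)
    return pub is not None and verify(pub, timestamp, sig)

def demo() -> dict:
    real = make_header("10.0.0.11:8983_solr", REAL_PRIV)
    forged = make_header("203.0.113.5:8983_solr", ATTACKER_PRIV)
    tampered = (real[0], real[1], real[2] ^ 1)   # bit-flipped signature
    return {
        "vuln_accepts_real": authenticate_vulnerable(real),
        "vuln_accepts_forged": authenticate_vulnerable(forged),
        "fixed_accepts_real": authenticate_fixed(real, LIVE_NODES),
        "fixed_accepts_forged": authenticate_fixed(forged, LIVE_NODES),
        "fixed_rejects_tampered": not authenticate_fixed(tampered, LIVE_NODES),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The signature check passes in both versions for the forged header, which is the point: the cryptography is fine, the trust anchor is wrong. The membership check closes the hole only as long as the attacker cannot write to live_nodes themselves, so in a real deployment the ZooKeeper ensemble that holds that set needs its own access control.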

