lucene-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Cassandra Targett (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (SOLR-11184) Security vulnerability in delegation token functionality
Date Wed, 18 Oct 2017 18:25:02 GMT

     [ https://issues.apache.org/jira/browse/SOLR-11184?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]

Cassandra Targett updated SOLR-11184:
-------------------------------------
    Security: Public  (was: Private (Security Issue))

> Security vulnerability in delegation token functionality
> --------------------------------------------------------
>
>                 Key: SOLR-11184
>                 URL: https://issues.apache.org/jira/browse/SOLR-11184
>             Project: Solr
>          Issue Type: Bug
>      Security Level: Public(Default Security Level. Issues are Public) 
>          Components: security, SolrCloud
>    Affects Versions: 6.2, 6.3, 6.4, 6.4.1, 6.4.2, 6.5, 6.5.1, 6.6
>            Reporter: Shalin Shekhar Mangar
>            Assignee: Shalin Shekhar Mangar
>             Fix For: 6.6.1, 7.0, master (8.0)
>
>         Attachments: unit_test_fix.patch, zk_acl_fix.patch, zk_acl_fix_6x.patch
>
>
> ---------- Forwarded message ----------
> From: Hrishikesh Gadre <gadre.solr@gmail.com>
> Date: Sat, Jul 22, 2017 at 3:59 AM
> Subject: Apache Solr - security vulnerability (delegation token functionality)
> To: security@apache.org
> Hi,
> We found a security vulnerability in the delegation token
> functionality in Solr. This feature was added in Solr in 6.2 release
> (SOLR-9200).
> The delegation token functionality provided by Hadoop authentication
> uses Apache curator framework to store the security related metadata.
> Solr uses /security directory to store this information.
> There are two issues with this functionality (when using
> SecurityAwareZkACLProvider type of ACL provider e.g.
> SaslZkACLProvider),
> The ACLs for /security znode are configured as (‘world’,’anyone’) even
> though the implementation of SecurityAwareZkACLProvider intends to
> restrict access only for the solr super user.
> The znodes under /security directory (e.g. /security/token) are
> configured just like any other configuration file (i.e. modifiable by
> solr admin and readable by world). SecurityAwareZkACLProvider on the
> other hand intends to restrict access only for the solr super user.
> The possible consequences of this vulnerability are severe. e.g.
> (a) a malicious user can read the security tokens in Zookeeper and
> gain access to the Solr cluster.
> (b) a malicious user can delete the security related metadata in
> Zookeeper and disrupt operations performed by authenticated users.
> This is possible since the (‘world’,’anyone’) permission on /security
> directory allows attacker to delete the child znodes under that path.
> Please find the attached patch which includes a unit test and the fix.
> Let me know if any additional information required from my side.
> Thanks
> Hrishikesh



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@lucene.apache.org
For additional commands, e-mail: dev-help@lucene.apache.org


Mime
View raw message