lucene-dev mailing list archives

From "Yonik Seeley (JIRA)" <j...@apache.org>
Subject [jira] [Comment Edited] (SOLR-11482) CVE-2017-12629: Remove RunExecutableListener from Solr
Date Wed, 18 Oct 2017 14:19:00 GMT

    [ https://issues.apache.org/jira/browse/SOLR-11482?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16209388#comment-16209388 ]

Yonik Seeley edited comment on SOLR-11482 at 10/18/17 2:18 PM:
---------------------------------------------------------------

It's interesting... I didn't expect this issue to have its own CVE.
Although I agree with its removal (it hasn't been needed since we stopped using rsync for
replication long ago), RunExecutableListener isn't really an exploit - it just makes things
potentially worse when other exploits allow you to somehow edit the config.

For example: A user of Solr 5.4 (before Solr's xmlparser was hooked up to Lucene's xml parser)
would not be vulnerable just because they lack this patch.  That's important for users to understand.

EDIT: my mistake, this did not get its own CVE, it is the same as SOLR-11477


was (Author: yseeley@gmail.com):
It's interesting... I didn't expect this issue to have its own CVE.
Although I agree with its removal (it hasn't been needed since we stopped using rsync for
replication long ago), RunExecutableListener isn't really an exploit - it just makes things
potentially worse when other exploits allow you to somehow edit the config.

For example: A user of Solr 5.4 (before Solr's xmlparser was hooked up to Lucene's xml parser)
would not be vulnerable just because they lack this patch.  That's important for users to understand.

> CVE-2017-12629: Remove RunExecutableListener from Solr
> ------------------------------------------------------
>
>                 Key: SOLR-11482
>                 URL: https://issues.apache.org/jira/browse/SOLR-11482
>             Project: Solr
>          Issue Type: Task
>      Security Level: Public(Default Security Level. Issues are Public) 
>          Components: security, Server
>            Reporter: Uwe Schindler
>            Assignee: Uwe Schindler
>            Priority: Blocker
>             Fix For: 5.5.5, 7.1, 7.2, master (8.0), 6.6.2
>
>         Attachments: SOLR-11482-6.6.patch, SOLR-11482-branch_5_5-restore-logged-warning.patch, SOLR-11482.patch
>
>
> This class should no longer be needed, as replication can be done through Solr Cloud or via ReplicationHandler. The current listener is a security risk, as it can be configured through the Config API. See the report:
> Solr "RunExecutableListener" class can be used to execute arbitrary commands on specific events, for example after each update query. The problem is that such a listener can be enabled with any parameters just by using Config API with add-listener command.
> {noformat}
> POST /solr/newcollection/config HTTP/1.1
> Host: localhost:8983
> Connection: close
> Content-Type: application/json
> Content-Length: 198
>
> {
>   "add-listener" : {
>     "event":"postCommit",
>     "name":"newlistener",
>     "class":"solr.RunExecutableListener",
>     "exe":"ANYCOMMAND",
>     "dir":"/usr/bin/",
>     "args":["ANYARGS"]
>   }
> }
> {noformat}
> Parameters "exe", "args" and "dir" can be crafted through the HTTP request during modification of the collection's config. This means that anybody who can send an HTTP request to Solr API is able to execute arbitrary shell commands when "postCommit" event is fired. It leads to execution of arbitrary remote code for a remote attacker.



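A defensive check for the request shape quoted in the issue description, as an added example that is not part of the original message or of Solr's code: it flags Config API request bodies whose `add-listener` or `update-listener` command names `RunExecutableListener`. The function name, the finding fields and the benign sample are assumptions made for illustration; `update-listener`, the array form and duplicate keys are covered defensively and are not shown in the issue.

```python
import json

LISTENER_COMMANDS = {"add-listener", "update-listener"}  # Config API commands that set a listener
RISKY_CLASS = "RunExecutableListener"  # class named in SOLR-11482


class Pairs(list):
    """JSON object kept as (key, value) pairs so duplicate keys are not collapsed."""


def audit_config_request(method, path, body):
    """Return one finding per listener command in a Config API request that names RISKY_CLASS."""
    if method.upper() != "POST" or not path.split("?")[0].rstrip("/").endswith("/config"):
        return []
    try:
        doc = json.loads(body, object_pairs_hook=Pairs)
    except ValueError:
        return []  # not JSON: nothing for this check to inspect
    if not isinstance(doc, Pairs):
        return []
    findings = []
    for command, value in doc:
        if command not in LISTENER_COMMANDS:
            continue
        # Accept one object or an array of objects (defensive; the issue shows a single object).
        specs = [value] if isinstance(value, Pairs) else value if isinstance(value, list) else []
        for spec in specs:
            fields = dict(spec) if isinstance(spec, Pairs) else {}
            # Compare the last dotted component so short and fully qualified names both match.
            if str(fields.get("class", "")).rsplit(".", 1)[-1] == RISKY_CLASS:
                findings.append({"path": path, "command": command,
                                 "event": fields.get("event"), "name": fields.get("name"),
                                 "exe": fields.get("exe"), "dir": fields.get("dir"),
                                 "args": fields.get("args")})
    return findings


# Constructed samples: the body from the issue description, and an unrelated config change.
SAMPLE_FLAGGED = '''{"add-listener": {"event": "postCommit", "name": "newlistener",
  "class": "solr.RunExecutableListener", "exe": "ANYCOMMAND", "dir": "/usr/bin/",
  "args": ["ANYARGS"]}}'''
SAMPLE_BENIGN = '{"set-property": {"updateHandler.autoCommit.maxTime": 15000}}'

if __name__ == "__main__":
    for body in (SAMPLE_FLAGGED, SAMPLE_BENIGN):
        print(audit_config_request("POST", "/solr/newcollection/config", body))
```
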