lucene-dev mailing list archives

From "Uwe Schindler (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (SOLR-11482) CVE-2017-12629: Remove RunExecutableListener from Solr
Date Wed, 18 Oct 2017 15:03:00 GMT

    [ https://issues.apache.org/jira/browse/SOLR-11482?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16209486#comment-16209486 ]

Uwe Schindler commented on SOLR-11482:
--------------------------------------

[~yseeley@gmail.com], yes, that is indeed true. This issue has the same CVE, as the combination
of issues makes the whole thing exploitable.

The other problem that makes this a problem is the existence of the "stream.body" parameter, which
was another brick to exploit the issue. "stream.body" is now also disabled in the latest versions:
- A user may use XXE to trigger a GET request to another endpoint of the Solr server. But this
was also possible with other security issues we have seen before. So XXE was just another
way to send a GET request.
- A GET request should not be able to do any changes in config; unfortunately there is
also "stream.body"! This allows converting a GET request into something that may change config.
It may also delete indexes or insert new documents!
- Finally, the last step was the RunExecutableListener, which allows actually doing the bad
stuff (like opening a shell): It is disabled by default / deleted (7.1+) now, so none of the
above (or other hacks we have seen before) can be used to launch processes.

About stream.body: I am not sure about 6.6 and 5.x and if we should handle that there! But
as this was not explicitly mentioned as a "bad thing" in the security report, it's not
so urgent, but it is still one step towards an exploit: SOLR-10748

> CVE-2017-12629: Remove RunExecutableListener from Solr
> ------------------------------------------------------
>
>                 Key: SOLR-11482
>                 URL: https://issues.apache.org/jira/browse/SOLR-11482
>             Project: Solr
>          Issue Type: Task
>      Security Level: Public(Default Security Level. Issues are Public) 
>          Components: security, Server
>            Reporter: Uwe Schindler
>            Assignee: Uwe Schindler
>            Priority: Blocker
>             Fix For: 5.5.5, 7.1, 7.2, master (8.0), 6.6.2
>
>         Attachments: SOLR-11482-6.6.patch, SOLR-11482-branch_5_5-restore-logged-warning.patch, SOLR-11482.patch
>
>
> This class should no longer be needed, as replication can be done through Solr Cloud or via ReplicationHandler. The current listener is a security risk, as it can be configured through the Config API. See the report:
> Solr "RunExecutableListener" class can be used to execute arbitrary commands on specific events, for example after each update query. The problem is that such a listener can be enabled with any parameters just by using the Config API with the add-listener command.
> {noformat}
> POST /solr/newcollection/config HTTP/1.1
> Host: localhost:8983
> Connection: close
> Content-Type: application/json  
> Content-Length: 198
> {
>   "add-listener" : {
>     "event":"postCommit",
>     "name":"newlistener",
>     "class":"solr.RunExecutableListener",
>     "exe":"ANYCOMMAND",
>     "dir":"/usr/bin/",
>     "args":["ANYARGS"]
>   }
> }
> {noformat}
> Parameters "exe", "args" and "dir" can be crafted through the HTTP request during modification of the collection's config. This means that anybody who can send an HTTP request to the Solr API is able to execute arbitrary shell commands when the "postCommit" event is fired. It leads to execution of arbitrary remote code for a remote attacker.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@lucene.apache.org
For additional commands, e-mail: dev-help@lucene.apache.org
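The comment above describes CVE-2017-12629 as a chain of three bricks: an XXE (or any other way to make Solr issue a GET), the "stream.body" parameter that turns that GET into a Config API change, and RunExecutableListener, which turns the config change into process execution. The following audit helper is an added example and is not Solr project code or the reporter's code: it checks a parsed /config response (or configoverlay.json) for RunExecutableListener entries, scans request-log lines for the other two bricks, and builds the matching Config API "delete-listener" commands. The log lines and the config JSON are constructed samples in the style of Solr's request log and Config API output; the exact field layout of both, and the fully qualified class-name variant, are assumptions.

```python
"""Audit helpers for the CVE-2017-12629 chain (added example, not Solr code).

Assumptions, labelled here and in the lead-in:
  * request-log lines carry "path=<handler> params={<query string>} status=<n>"
    as Solr's request logger prints them, with the query string URL-encoded;
  * a /config response nests listeners under config.listener as a list, while
    configoverlay.json keys them by name under "listener"; both shapes are
    accepted; the sample data below is constructed, not captured.
"""
import re
from typing import Dict, List, Tuple
from urllib.parse import unquote_plus

# Short and fully qualified spellings of the dangerous class (the latter is assumed).
DANGEROUS_LISTENER_CLASSES = {
    "solr.RunExecutableListener",
    "org.apache.solr.core.RunExecutableListener",
}

# "path=/config params={...} status=0" as printed by Solr's request logger (assumed layout).
REQUEST_LOG_RE = re.compile(
    r"path=(?P<path>\S+)\s+params=\{(?P<params>.*?)\}\s+status=(?P<status>\d+)"
)

# Markers of an external-entity payload riding in a query parameter.
XXE_MARKERS = ("<!DOCTYPE", "<!ENTITY")

# Constructed sample: one clean query, one stream.body config change, one XXE probe.
SAMPLE_LOG = """\
2017-10-18 15:01:12.001 INFO  (qtp12345-14) [   x:newcollection] o.a.s.c.S.Request [newcollection]  webapp=/solr path=/select params={q=*:*&wt=json} status=0 QTime=3
2017-10-18 15:01:13.220 INFO  (qtp12345-15) [   x:newcollection] o.a.s.c.S.Request [newcollection]  webapp=/solr path=/config params={stream.body=%7B%22add-listener%22:%7B%22event%22:%22postCommit%22,%22name%22:%22newlistener%22,%22class%22:%22solr.RunExecutableListener%22%7D%7D} status=0 QTime=12
2017-10-18 15:01:14.900 INFO  (qtp12345-16) [   x:newcollection] o.a.s.c.S.Request [newcollection]  webapp=/solr path=/select params={q=%3C!DOCTYPE+x+%5B%3C!ENTITY+xxe+SYSTEM+%22http://localhost:8983/solr/newcollection/config%22%3E%5D%3E&wt=xml} status=0 QTime=1
"""

# Constructed sample of a /config response after the add-listener from the report.
SAMPLE_CONFIG = {
    "responseHeader": {"status": 0, "QTime": 1},
    "config": {
        "listener": [
            {"event": "postCommit", "name": "newlistener",
             "class": "solr.RunExecutableListener",
             "exe": "ANYCOMMAND", "dir": "/usr/bin/", "args": ["ANYARGS"]}
        ]
    },
}


def find_run_executable_listeners(config: Dict) -> List[Dict]:
    """Return every listener entry whose class is RunExecutableListener."""
    root = config.get("config", config)          # /config response or bare overlay
    listeners = root.get("listener", [])
    if isinstance(listeners, dict):              # overlay keyed by listener name
        listeners = [dict(entry, name=name) for name, entry in listeners.items()]
    return [entry for entry in listeners
            if entry.get("class") in DANGEROUS_LISTENER_CLASSES]


def flag_request_log_line(line: str) -> List[str]:
    """Findings for one request-log line, in a fixed order; empty when clean."""
    findings: List[str] = []
    match = REQUEST_LOG_RE.search(line)
    if not match:
        return findings
    path = match.group("path")
    params = unquote_plus(match.group("params"))  # decode so payload text is visible
    if "stream.body=" in params:
        findings.append("stream.body")            # a GET that can carry a request body
    if path == "/config" and "add-listener" in params:
        findings.append("config-add-listener")    # listener added through the Config API
    if any(marker in params for marker in XXE_MARKERS):
        findings.append("xxe-payload")
    return findings


def audit_request_log(text: str) -> List[Tuple[int, List[str]]]:
    """(line number, findings) for every flagged line of a request log."""
    results = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        findings = flag_request_log_line(line)
        if findings:
            results.append((lineno, findings))
    return results


def delete_listener_commands(listeners: List[Dict]) -> List[Dict]:
    """Config API "delete-listener" commands removing each flagged listener by name."""
    return [{"delete-listener": entry["name"]} for entry in listeners if "name" in entry]


if __name__ == "__main__":
    bad = find_run_executable_listeners(SAMPLE_CONFIG)
    print("listeners to remove:", delete_listener_commands(bad))
    for lineno, findings in audit_request_log(SAMPLE_LOG):
        print(f"line {lineno}: {', '.join(findings)}")
```

Removing the listener with "delete-listener" only closes the last brick on versions where the class still exists; the comment's point is that 7.1+ deletes the class itself and the later releases disable "stream.body", so on patched versions the audit should come back empty for both checks.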

