lucene-dev mailing list archives

From Tomás Fernández Löbbe (Jira) <j...@apache.org>
Subject [jira] [Commented] (SOLR-13750) [CVE-2019-12401] XML Bomb in Apache Solr versions prior to 5.0.0
Date Wed, 11 Sep 2019 19:38:00 GMT

    [ https://issues.apache.org/jira/browse/SOLR-13750?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16927949#comment-16927949 ]

Tomás Fernández Löbbe commented on SOLR-13750:
----------------------------------------------

This issue was fixed by https://issues.apache.org/jira/browse/SOLR-6830.

> [CVE-2019-12401] XML Bomb in Apache Solr versions prior to 5.0.0
> ----------------------------------------------------------------
>
>                 Key: SOLR-13750
>                 URL: https://issues.apache.org/jira/browse/SOLR-13750
>             Project: Solr
>          Issue Type: Bug
>      Security Level: Public(Default Security Level. Issues are Public) 
>    Affects Versions: 1.3, 1.4, 1.4.1, 3.1, 3.2, 3.3, 3.4, 3.5, 3.6, 3.6.1, 3.6.2, 4.0,
> 4.1, 4.2, 4.2.1, 4.3, 4.3.1, 4.4, 4.5, 4.5.1, 4.6, 4.6.1, 4.7, 4.7.1, 4.7.2, 4.8, 4.8.1, 4.9,
> 4.9.1, 4.10, 4.10.1, 4.10.2, 4.10.3, 4.10.4
>            Reporter: Tomás Fernández Löbbe
>            Priority: Major
>             Fix For: 5.0
>
>
> Severity: Medium
> Vendor: The Apache Software Foundation
> Versions Affected:
>  1.3.0 to 1.4.1
>  3.1.0 to 3.6.2
>  4.0.0 to 4.10.4
> Description:
>  Solr versions prior to 5.0.0 are vulnerable to an XML resource consumption attack (a.k.a.
> Lol Bomb) via its update handler.
>  By leveraging XML DOCTYPE and ENTITY type elements, the attacker can create a pattern
> that will expand when the server parses the XML, causing OOMs.
> Mitigation:
>  * Upgrade to Apache Solr 5.0 or later.
>  * Ensure your network settings are configured so that only trusted traffic is allowed
> to post documents to the running Solr instances.
> Credit:
>  Matei "Mal" Badanoiu



--
This message was sent by Atlassian Jira
(v8.3.2#803003)

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@lucene.apache.org
For additional commands, e-mail: dev-help@lucene.apache.org
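The advisory quoted above describes the defect in terms of a parser that honours DOCTYPE and ENTITY declarations arriving from the network. The following is an added example, not Solr's own code and not the change made in SOLR-6830: it shows how a defender configures a JAXP DOM parser (the JDK's bundled Xerces, which is assumed here) so that a document carrying any DOCTYPE is refused outright, which removes the entity declarations an expansion pattern would need. The class name `XmlUpdateGuard`, the `hardenedFactory` and `accepts` helpers, and the two sample documents are all constructed for this illustration; the DTD sample declares one harmless entity and is not an expansion bomb.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.xml.sax.SAXParseException;

public class XmlUpdateGuard {

    // Constructed sample: an update-style document with an internal DTD subset
    // declaring a single entity. One entity is enough to show whether a parser
    // will act on DOCTYPE declarations at all; it is deliberately not a bomb.
    static final String DOC_WITH_DTD =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE add [ <!ENTITY greeting \"hello\"> ]>\n"
      + "<add><doc><field name=\"id\">&greeting;</field></doc></add>";

    // Constructed sample: the same shape of document without any DOCTYPE.
    static final String PLAIN_DOC =
        "<add><doc><field name=\"id\">1</field></doc></add>";

    /**
     * Factory configured the way untrusted input should be parsed.
     * Rejecting the DOCTYPE itself is the decisive setting: with no DTD there
     * are no entity declarations, so no expansion pattern can be built.
     */
    static DocumentBuilderFactory hardenedFactory() throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        // Xerces feature: any DOCTYPE declaration is a fatal parse error.
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth for parsers where the feature above is unavailable:
        // no external general/parameter entities, JAXP secure-processing limits on,
        // no XInclude, and entity references left unexpanded.
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        return dbf;
    }

    /** Parses xml with the given factory; true if accepted, false if the parser rejected it. */
    static boolean accepts(DocumentBuilderFactory dbf, String xml) throws Exception {
        DocumentBuilder db = dbf.newDocumentBuilder();
        try {
            Document d = db.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
            return d.getDocumentElement() != null;
        } catch (SAXParseException e) {
            // With disallow-doctype-decl set, the message names the DOCTYPE as the cause.
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        DocumentBuilderFactory lax = DocumentBuilderFactory.newInstance();
        DocumentBuilderFactory strict = hardenedFactory();
        System.out.println("default factory, DTD document accepted:  " + accepts(lax, DOC_WITH_DTD));
        System.out.println("hardened factory, DTD document accepted: " + accepts(strict, DOC_WITH_DTD));
        System.out.println("hardened factory, plain document:        " + accepts(strict, PLAIN_DOC));
    }
}
```

Compiled and run against a JDK with the bundled Xerces, the default factory accepts the DTD document and substitutes the entity, the hardened factory rejects it with a `SAXParseException` on the DOCTYPE, and ordinary documents without a DOCTYPE still parse. The same idea applies to a StAX `XMLInputFactory`, where `SUPPORT_DTD` and `IS_SUPPORTING_EXTERNAL_ENTITIES` are the properties to set to `false`. Recent JDKs additionally cap total entity expansions through the `jdk.xml.entityExpansionLimit` property, but that limit is a backstop, not a substitute for refusing DTDs from untrusted peers, and it is not the mitigation the advisory lists: upgrading to 5.0 or later and restricting who can reach the update handler remain the stated fixes.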

