lucene-general mailing list archives

From Ramesh Komuravelli <rkomurave...@commvault.com>
Subject Re: [ANNOUNCE] [SECURITY] CVE-2017-7660: Security Vulnerability in secure inter-node communication in Apache Solr
Date Fri, 07 Jul 2017 17:06:57 GMT
Hey all, Commvault is looking for GlusterFS developers, this role is going to be very crucial
and working closely with CTO. If anyone interested... please mail me.

Regards,
Ramesh K

> On 07-Jul-2017, at 7:14 PM, Shalin Shekhar Mangar <shalin@apache.org> wrote:
> 
> CVE-2017-7660: Security Vulnerability in secure inter-node
> communication in Apache Solr
> 
> Severity: Important
> 
> Vendor:
> The Apache Software Foundation
> 
> Versions Affected:
> Solr 5.3 to 5.5.4
> Solr 6.0 to 6.5.1
> 
> Description:
> 
> Solr uses a PKI based mechanism to secure inter-node communication
> when security is enabled. It is possible to create a specially crafted
> node name that does not exist as part of the cluster and point it to a
> malicious node. This can trick the nodes in cluster to believe that
> the malicious node is a member of the cluster. So, if Solr users have
> enabled BasicAuth authentication mechanism using the BasicAuthPlugin
> or if the user has implemented a custom Authentication plugin, which
> does not implement either "HttpClientInterceptorPlugin" or
> "HttpClientBuilderPlugin", his/her servers are vulnerable to this
> attack. Users who only use SSL without basic authentication or those
> who use Kerberos are not affected.
> 
> Mitigation:
> 6.x users should upgrade to 6.6
> 5.x users should obtain the latest source from git and apply this patch:
> http://git-wip-us.apache.org/repos/asf/lucene-solr/commit/2f5ecbcf
> 
> Credit:
> This issue was discovered by Noble Paul of Lucidworks Inc.
> 
> References:
> https://issues.apache.org/jira/browse/SOLR-10624
> https://wiki.apache.org/solr/SolrSecurity
> 
> -- 
> The Lucene PMC
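The advisory above says the weakness is that a node name which is not part of the cluster can still be accepted as a peer, so a request signed by an attacker-controlled node looks like legitimate inter-node traffic. The following is an added illustration of that membership check, not code from the Solr project or from the patch linked above: the node names, the key registry and the `LIVE_NODES` set are constructed stand-ins, and signature verification is modelled with an HMAC so the script runs with the standard library alone (Solr's real mechanism is public-key based; the property shown is the membership check, not the signature scheme).

```python
import hmac
import hashlib
from dataclasses import dataclass

# Constructed stand-in for the cluster's registry of live nodes
# (the set of node names the cluster itself knows about).
LIVE_NODES = {"solr1:8983_solr", "solr2:8983_solr"}

# Constructed stand-in for the per-node key that a verifier would fetch
# from the node named in the request. The lookup is driven by the claimed
# node name, so a name that resolves to a node outside the cluster yields
# a key that node controls.
NODE_KEYS = {
    "solr1:8983_solr": b"key-of-solr1",
    "solr2:8983_solr": b"key-of-solr2",
    "evil:8983_solr": b"key-of-non-member",  # not a cluster member
}


@dataclass
class SignedRequest:
    node_name: str   # node name carried in the inter-node auth header
    payload: bytes   # request data covered by the signature
    signature: bytes


def sign(node_name: str, payload: bytes) -> SignedRequest:
    """Produce a signed request as the named node would (HMAC stand-in)."""
    key = NODE_KEYS[node_name]
    sig = hmac.new(key, payload, hashlib.sha256).digest()
    return SignedRequest(node_name, payload, sig)


def fetch_node_key(node_name: str):
    """Simulates fetching the key published by the node with this name."""
    return NODE_KEYS.get(node_name)


def verify_unchecked(req: SignedRequest) -> bool:
    """Weak form: trusts any node name whose key can be fetched.

    The claimed name is never compared against cluster membership, so a
    non-member that serves its own key passes verification.
    """
    key = fetch_node_key(req.node_name)
    if key is None:
        return False
    expected = hmac.new(key, req.payload, hashlib.sha256).digest()
    return hmac.compare_digest(expected, req.signature)


def verify_membership_checked(req: SignedRequest, live_nodes=LIVE_NODES) -> bool:
    """Hardened form: the node name must be a known cluster member before
    its key is even consulted. Everything else is unchanged."""
    if req.node_name not in live_nodes:
        return False
    return verify_unchecked(req)


if __name__ == "__main__":
    member = sign("solr1:8983_solr", b"GET /admin/collections")
    outsider = sign("evil:8983_solr", b"GET /admin/collections")
    print("member, unchecked:   ", verify_unchecked(member))
    print("outsider, unchecked: ", verify_unchecked(outsider))
    print("member, checked:     ", verify_membership_checked(member))
    print("outsider, checked:   ", verify_membership_checked(outsider))
```

The difference between the two verifiers is one line: the hardened version rejects the request before any key lookup if the claimed node name is not in the cluster's own membership set, which is the class of check a custom authentication plugin needs if it does not use the interceptor or client-builder hooks the advisory names.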