lucene-solr-user mailing list archives

From "Mehai, Lotfi" <lme...@ptfs.com.INVALID>
Subject Re: CVE-2017-7525 fix for Solr 7.7.x
Date Thu, 19 Dec 2019 17:04:29 GMT
Kevin & Colvin
Thanks for this detailed response.

Lotfi



On Thu, Dec 19, 2019 at 11:59 AM Colvin Cowie <colvin.cowie.dev@gmail.com>
wrote:

> Sorry, in Solr 8 and master there are some additional users of Jackson. But
> they still don't appear to use default typing or unrestricted subtypes.
>
>
> On Thu, 19 Dec 2019 at 16:50, Colvin Cowie <colvin.cowie.dev@gmail.com>
> wrote:
>
> > Hi,
> >
> > We've got users on Solr 6 (and use Jackson ourselves), so I had a look at
> > this CVE and related Jackson exploits, to see whether they are actually
> > exploitable in Solr.
> >
> >    - What parts of Solr actually use Jackson (I thought noggit was used
> >    for the JSON de/serialization)?
> >    - Do any of the object mappers used enable default typing? (which is
> >    necessary to exploit CVE-2017-7525,
> >    https://adamcaudill.com/2017/10/04/exploiting-jackson-rce-cve-2017-7525/ )
> >    - Is polymorphism used with Jackson without restricting subtypes (e.g.
> >    @JsonTypeInfo with JsonTypeInfo.Id.CLASS, which allows other exploits like
> >    CVE-2017-15095,
> >    https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062 )
> >
> > Aside from test classes, the only users of Jackson appear to be
> >
> >    - org.apache.solr.analytics.AnalyticsRequestParser
> >    - org.apache.solr.prometheus.scraper.SolrScraper
> >
> > From what I can see in the source on master and the 7_7 branch default
> > typing isn't ever enabled, and @JsonTypeInfo is restricted to named
> > subtypes.
> >
> > In the 6_6 branch source it seems Jackson is only used in a handful of
> > tests.
> > Prior to Solr 6.3 (https://issues.apache.org/jira/browse/SOLR-9589)
> > org.apache.solr.client.solrj.response.DelegationTokenResponse.JsonMapResponseParser
> > constructed an ObjectMapper without configuration.
> >
> > So, as far as I can see, the polymorphic deserialization Remote Code
> > Execution vulnerabilities on (older versions of) Jackson shouldn't
> > actually be exploitable in Solr 7.7... but I could be wrong, and new
> > vulnerabilities may still be discovered.
> >
> > Colvin
> >
> >
> > On Wed, 18 Dec 2019 at 18:16, Kevin Risden <krisden@apache.org> wrote:
> >
> >> There are no specific plans for any 7.x branch releases that I'm aware of.
> >> Specifically for SOLR-13110, that required upgrading Hadoop 2.x to 3.x for
> >> specifically jackson-mapper-asl and there are no plans to backport that to
> >> 7.x even if there was a future 7.x release.
> >>
> >> Kevin Risden
> >>
> >>
> >> On Wed, Dec 18, 2019 at 8:44 AM Mehai, Lotfi <lmehai@ptfs.com.invalid>
> >> wrote:
> >>
> >> > Hello;
> >> >
> >> > We are using Solr 7.7.0. CVE-2017-7525 has been fixed for Solr 8.x.
> >> > https://issues.apache.org/jira/browse/SOLR-13110
> >> >
> >> > When will the fix be available for Solr 7.7.x?
> >> >
> >> > Lotfi
> >> >
> >>
> >
>
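The two conditions Colvin checks for (global default typing on an ObjectMapper, and @JsonTypeInfo with a class-name type id) can be verified in code. The following is an added illustration, not code from the thread or from Solr: the Facet types and the audit helpers are hypothetical, and it shows the restricted named-subtype pattern beside the unrestricted one.

```java
import com.fasterxml.jackson.annotation.JsonSubTypes;
import com.fasterxml.jackson.annotation.JsonTypeInfo;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.jsontype.TypeResolverBuilder;

// Hypothetical audit helpers written for this example; the Facet types are
// constructed stand-ins, not Solr classes.
public class JacksonPolymorphismAudit {

    // Safe pattern: polymorphism with a closed, named set of subtypes.
    // The type id is a logical name, so the JSON cannot name an arbitrary
    // class from the classpath.
    @JsonTypeInfo(use = JsonTypeInfo.Id.NAME, property = "type")
    @JsonSubTypes({
        @JsonSubTypes.Type(value = TermFacet.class, name = "term"),
        @JsonSubTypes.Type(value = RangeFacet.class, name = "range")
    })
    interface Facet {}
    static class TermFacet implements Facet { public String field; }
    static class RangeFacet implements Facet { public String field; public int gap; }

    // Risky pattern: the JSON document supplies a fully qualified class name,
    // which is what the polymorphic-deserialization CVEs rely on.
    @JsonTypeInfo(use = JsonTypeInfo.Id.CLASS, property = "@class")
    interface OpenFacet {}

    /** True if the mapper has global default typing switched on. */
    static boolean hasDefaultTyping(ObjectMapper mapper) {
        // getDefaultTyper returns the configured TypeResolverBuilder, or null
        // when default typing was never enabled/activated.
        TypeResolverBuilder<?> typer =
            mapper.getDeserializationConfig().getDefaultTyper(null);
        return typer != null;
    }

    /** True if the class declares an unrestricted (class-name based) type id. */
    static boolean usesClassNameTypeId(Class<?> clazz) {
        JsonTypeInfo info = clazz.getAnnotation(JsonTypeInfo.class);
        if (info == null) return false;
        return info.use() == JsonTypeInfo.Id.CLASS
            || info.use() == JsonTypeInfo.Id.MINIMAL_CLASS;
    }

    public static void main(String[] args) throws Exception {
        ObjectMapper plain = new ObjectMapper();   // default typing not enabled
        System.out.println("default typing enabled: " + hasDefaultTyping(plain));

        // Named subtypes only: "term" and "range" are the only ids accepted.
        String json = "{\"type\":\"range\",\"field\":\"price\",\"gap\":10}";
        Facet f = plain.readValue(json, Facet.class);
        System.out.println("deserialized as: " + f.getClass().getSimpleName());

        System.out.println("Facet class-name id: " + usesClassNameTypeId(Facet.class));
        System.out.println("OpenFacet class-name id: " + usesClassNameTypeId(OpenFacet.class));
    }
}
```

Running usesClassNameTypeId over the model classes of a code base is the same review Colvin describes, done mechanically rather than by reading the source.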
