lucene-solr-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Colvin Cowie <colvin.cowie....@gmail.com>
Subject Re: CVE-2017-7525 fix for Solr 7.7.x
Date Thu, 19 Dec 2019 16:59:03 GMT
Sorry, in Solr 8 and master there are some additional users of Jackson. But
they still don't appear to use default typing or unrestricted subtypes.


On Thu, 19 Dec 2019 at 16:50, Colvin Cowie <colvin.cowie.dev@gmail.com>
wrote:

> Hi,
>
> We've got users on Solr 6 (and use Jackson ourselves), so I had a look at
> this CVE and related Jackson exploits, to see whether they are actually
> exploitable in Solr.
>
>    - What parts of Solr actually use Jackson (I thought noggit was used
>    for the JSON de/serialization)?
>    - Do any of the object mappers used enable default typing? (which is
>    necessary to exploit CVE-2017-7525
>    https://adamcaudill.com/2017/10/04/exploiting-jackson-rce-cve-2017-7525/
>    )
>    - Is polymorphism used with Jackson without restricting subtypes (e.g.
>    @JsonTypeInfo with JsonTypeInfo.Id.CLASS, which allows other exploits like
>    CVE-2017-15095
>    https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062
>    )
>
> Aside from test classes, the only users of Jackson appear to be
>
>    - org.apache.solr.analytics.AnalyticsRequestParser
>    - org.apache.solr.prometheus.scraper.SolrScraper
>
> From what I can see in the source on master and the 7_7 branch default
> typing isn't ever enabled, and @JsonTypeInfo is restricted to named
> subtypes.
>
> In the 6_6 branch source it seems Jackson is only used in a handful of
> tests.
> Prior to Solr 6.3 (https://issues.apache.org/jira/browse/SOLR-9589)
> org.apache.solr.client.solrj.response.DelegationTokenResponse.JsonMapResponseParser
> constructed an ObjectMapper without configuration.
>
> So, as far as I can see, the polymorphic deserialization Remote Code
> Execution vulnerabilities on (older versions of) Jackson shouldn't actually
> be exploitable in Solr 7.7... but I could be wrong, and new vulnerabilities
> may still be discovered.
>
> Colvin
>
>
> On Wed, 18 Dec 2019 at 18:16, Kevin Risden <krisden@apache.org> wrote:
>
>> There are no specific plans for any 7.x branch releases that I'm aware of.
>> Specifically for SOLR-13110, that required upgrading Hadoop 2.x to 3.x for
>> specifically jackson-mapper-asl and there are no plans to backport that to
>> 7.x even if there was a future 7.x release.
>>
>> Kevin Risden
>>
>>
>> On Wed, Dec 18, 2019 at 8:44 AM Mehai, Lotfi <lmehai@ptfs.com.invalid>
>> wrote:
>>
>> > Hello;
>> >
>> > We are using Solr 7.7.0. The CVE-2017-7525 have been fixed for Solr 8.x.
>> > https://issues.apache.org/jira/browse/SOLR-13110
>> >
>> > When the fix will be available for Solr 7.7.x
>> >
>> > Lotfi
>> >
>>
>

Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message