From Colvin Cowie <>
Subject Re: CVE-2017-7525 fix for Solr 7.7.x
Date Thu, 19 Dec 2019 16:50:00 GMT

We've got users on Solr 6 (and use Jackson ourselves), so I had a look at
this CVE and related Jackson exploits, to see whether they are actually
exploitable in Solr.

   - What parts of Solr actually use Jackson (I thought noggit was used for
   the JSON de/serialization)?
   - Do any of the object mappers used enable default typing? (which is
   necessary to exploit CVE-2017-7525)
   - Is polymorphism used with Jackson without restricting subtypes (e.g.
   @JsonTypeInfo with JsonTypeInfo.Id.CLASS, which allows other exploits like

Aside from test classes, the only users of Jackson appear to be

   - org.apache.solr.prometheus.scraper.SolrScraper

From what I can see in the source on master and the 7_7 branch default
typing isn't ever enabled, and @JsonTypeInfo is restricted to named

In the 6_6 branch source it seems Jackson is only used in a handful of
Prior to Solr 6.3 (
constructed an ObjectMapper without configuration.

So, as far as I can see, the polymorphic deserialization Remote Code
Execution vulnerabilities on (older versions of) Jackson shouldn't actually
be exploitable in Solr 7.7... but I could be wrong, and new vulnerabilities
may still be discovered.


On Wed, 18 Dec 2019 at 18:16, Kevin Risden <> wrote:

> There are no specific plans for any 7.x branch releases that I'm aware of.
> Specifically for SOLR-13110, that required upgrading Hadoop 2.x to 3.x for
> specifically jackson-mapper-asl and there are no plans to backport that to
> 7.x even if there was a future 7.x release.
> Kevin Risden
> On Wed, Dec 18, 2019 at 8:44 AM Mehai, Lotfi <>
> wrote:
> > Hello;
> >
> > We are using Solr 7.7.0. CVE-2017-7525 has been fixed for Solr 8.x.
> >
> >
> > When will the fix be available for Solr 7.7.x?
> >
> > Lotfi
> >
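The thread above turns on two Jackson configuration questions: whether any ObjectMapper enables default typing, and whether @JsonTypeInfo is used with a closed set of named subtypes rather than JsonTypeInfo.Id.CLASS. The following Java program is an added example for readers auditing their own Jackson usage; it is not code from Solr, Jackson or any participant in this thread. It assumes Jackson 2.10 or later (for activateDefaultTyping and BasicPolymorphicTypeValidator), and the package prefix org.example.model. is a hypothetical placeholder for an application's own model classes.

```java
import com.fasterxml.jackson.annotation.JsonSubTypes;
import com.fasterxml.jackson.annotation.JsonTypeInfo;
import com.fasterxml.jackson.databind.DeserializationConfig;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.InvalidTypeIdException;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.TypeResolverBuilder;

public class JacksonTypingAudit {

    // Polymorphism with a closed set of named subtypes: the "kind" value is a
    // logical name mapped to a registered class, never a class name supplied by
    // the JSON, so input cannot select an arbitrary class to instantiate.
    @JsonTypeInfo(use = JsonTypeInfo.Id.NAME, property = "kind")
    @JsonSubTypes({
        @JsonSubTypes.Type(value = Circle.class, name = "circle"),
        @JsonSubTypes.Type(value = Square.class, name = "square")
    })
    public interface Shape {}
    public static class Circle implements Shape { public double radius; }
    public static class Square implements Shape { public double side; }

    /** True if the mapper applies default (global) polymorphic typing, the
     *  precondition the thread identifies for CVE-2017-7525 to matter at all. */
    public static boolean defaultTypingEnabled(ObjectMapper mapper) {
        DeserializationConfig cfg = mapper.getDeserializationConfig();
        TypeResolverBuilder<?> typer = cfg.getDefaultTyper(cfg.constructType(Object.class));
        return typer != null;
    }

    /** If default typing is genuinely required, restrict the classes it may
     *  resolve to the application's own packages via a type validator. */
    public static ObjectMapper restrictedDefaultTypingMapper() {
        BasicPolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
            .allowIfSubType("org.example.model.")   // hypothetical package prefix
            .build();
        ObjectMapper m = new ObjectMapper();
        m.activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL);
        return m;
    }

    public static void main(String[] args) throws Exception {
        // A mapper constructed without configuration does not enable default typing.
        ObjectMapper plain = new ObjectMapper();
        System.out.println("plain mapper default typing: " + defaultTypingEnabled(plain));
        System.out.println("restricted mapper default typing: "
            + defaultTypingEnabled(restrictedDefaultTypingMapper()));

        // Registered type ids resolve to the registered class ...
        Shape s = plain.readValue("{\"kind\":\"circle\",\"radius\":2.0}", Shape.class);
        System.out.println("resolved: " + s.getClass().getSimpleName());

        // ... and an unregistered id is rejected rather than treated as a class name.
        try {
            plain.readValue("{\"kind\":\"not-registered\",\"x\":1}", Shape.class);
        } catch (InvalidTypeIdException e) {
            System.out.println("rejected unknown type id: " + e.getTypeId());
        }
    }
}
```

Running defaultTypingEnabled against every ObjectMapper an application constructs (and grepping for JsonTypeInfo.Id.CLASS and enableDefaultTyping) answers the same questions Colvin walks through for Solr; a mapper with no default typing and only NAME-based, @JsonSubTypes-restricted polymorphism is not exposed to the gadget-based deserialization issues, whichever Jackson version is on the classpath.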
