www-announce mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Shalin Shekhar Mangar <sha...@apache.org>
Subject [ANNOUNCE] [SECURITY] CVE-2017-12629: Several critical vulnerabilities discovered in Apache Solr (XXE & RCE)
Date Thu, 19 Oct 2017 10:07:25 GMT
CVE-2017-12629: Several critical vulnerabilities discovered in Apache
Solr (XXE & RCE)

Severity: Critical

Vendor:
The Apache Software Foundation

Versions Affected:
Solr 5.5.0 to 5.5.4
Solr 6.0.0 to 6.6.1
Solr 7.0.0 to 7.0.1

Description:
The details of this vulnerability were reported on public mailing
lists. See https://s.apache.org/FJDl

The first vulnerability relates to XML external entity expansion in
the XML Query Parser which is available, by default, for any query
request with parameters deftype=xmlparser. This can be exploited to
upload malicious data to the /upload request handler. It can also be
used as Blind XXE using ftp wrapper in order to read arbitrary local
files from the solr server.

The second vulnerability relates to remote code execution using the
RunExecutableListener available on all affected versions of Solr.

At the time of the above report, this was a 0-day vulnerability with a
working exploit affecting the versions of Solr mentioned in the
previous section. However, mitigation steps were announced to protect
Solr users the same day. See
https://lucene.apache.org/solr/news.html#12-october-2017-please-secure-your-apache-solr-servers-since-a-zero-day-exploit-has-been-reported-on-a-public-mailing-list

Mitigation:
Users are advised to upgrade to either Solr 6.6.2 or Solr 7.1.0
releases both of which address the two vulnerabilities. Once upgrade is
complete, no other steps are required.

If users are unable to upgrade to Solr 6.6.2 or Solr 7.1.0 then they
are advised to restart their Solr instances with the system parameter
`-Ddisable.configEdit=true`. This will disallow any changes to be made
to your configurations via the Config API. This is a key factor in
this vulnerability, since it allows GET requests to add the
RunExecutableListener to your config. Users are also advised to re-map
the XML Query Parser to another parser to mitigate the XXE
vulnerability. For example, adding the following to the solrconfig.xml
file re-maps the xmlparser to the edismax parser:
<queryParser name="xmlparser" class="solr.ExtendedDismaxQParserPlugin"/>

Credit:
Michael Stepankin (JPMorgan Chase)
Olga Barinova (Gotham Digital Science)

References:
https://issues.apache.org/jira/browse/SOLR-11482
https://issues.apache.org/jira/browse/SOLR-11477
https://wiki.apache.org/solr/SolrSecurity

-- 
Regards,
Shalin Shekhar Mangar.

Mime
View raw message