[ 
https://issues.apache.org/jira/browse/SOLR-11482?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16209388#comment-16209388
 ] 

Yonik Seeley edited comment on SOLR-11482 at 10/18/17 2:18 PM:
---------------------------------------------------------------

It's interesting... I didn't expect this issue to have its own CVE.
Although I agree with its removal (it hasn't been needed since we stopped 
using rsync for replication long ago), RunExecutableListener isn't really an 
exploit - it just makes things potentially worse when other exploits allow you 
to somehow edit the config.

For example: A user of Solr 5.4 (before Solr's xmlparser was hooked up to 
Lucene's xml parser) would not be vulnerable just because they lack this patch.  
That's important for users to understand.

EDIT: my mistake, this did not get its own CVE, it is the same as SOLR-11477



> CVE-2017-12629: Remove RunExecutableListener from Solr
> ------------------------------------------------------
>
>                 Key: SOLR-11482
>                 URL: https://issues.apache.org/jira/browse/SOLR-11482
>             Project: Solr
>          Issue Type: Task
>      Security Level: Public(Default Security Level. Issues are Public) 
>          Components: security, Server
>            Reporter: Uwe Schindler
>            Assignee: Uwe Schindler
>            Priority: Blocker
>             Fix For: 5.5.5, 7.1, 7.2, master (8.0), 6.6.2
>
>         Attachments: SOLR-11482-6.6.patch, 
> SOLR-11482-branch_5_5-restore-logged-warning.patch, SOLR-11482.patch
>
>
> This class should no longer be needed, as replication can be done through 
> Solr Cloud or via ReplicationHandler. The current listener is a security 
> risk, as it can be configured through the Config API. See the report:
> Solr "RunExecutableListener" class can be used to execute arbitrary commands 
> on specific events, for example after each update query. The problem is that 
> such a listener can be enabled with any parameters just by using the Config 
> API with the add-listener command.
> {noformat}
> POST /solr/newcollection/config HTTP/1.1
> Host: localhost:8983
> Connection: close
> Content-Type: application/json
> Content-Length: 198
>
> {
>   "add-listener" : {
>     "event":"postCommit",
>     "name":"newlistener",
>     "class":"solr.RunExecutableListener",
>     "exe":"ANYCOMMAND",
>     "dir":"/usr/bin/",
>     "args":["ANYARGS"]
>   }
> }
> {noformat}
> Parameters "exe", "args" and "dir" can be crafted through the HTTP request 
> during modification of the collection's config. This means that anybody who 
> can send an HTTP request to the Solr API is able to execute arbitrary shell 
> commands when the "postCommit" event is fired. It leads to execution of 
> arbitrary remote code for a remote attacker.
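
An audit check for the listener described in the issue, as an added example (not code from Solr or from the issue): it flags any JSON object, such as a captured Config API request body, whose class is RunExecutableListener, and goes beyond the quoted request by also checking `<listener>` entries in a solrconfig.xml. The function names and the samples marked as constructed are assumptions.

```python
import json
import xml.etree.ElementTree as ET

TARGET = "RunExecutableListener"

def is_target(cls):
    # Matches "solr.RunExecutableListener" and a fully qualified class name.
    return isinstance(cls, str) and cls.rsplit(".", 1)[-1] == TARGET

def find_in_json(text):
    """Return every JSON object in text whose "class" is the listener."""
    hits = []
    def walk(node):
        if isinstance(node, dict):
            if is_target(node.get("class")):
                hits.append(node)
            for value in node.values():
                walk(value)
        elif isinstance(node, list):
            for value in node:
                walk(value)
    walk(json.loads(text))
    return hits

def find_in_solrconfig(xml_text):
    """Return (event, exe) for each matching <listener> in solrconfig.xml."""
    root = ET.fromstring(xml_text)
    return [(el.get("event"), el.findtext("str[@name='exe']"))
            for el in root.iter("listener") if is_target(el.get("class"))]

# Body of the add-listener request quoted in the issue.
REPORTED_BODY = """{"add-listener": {"event": "postCommit", "name": "newlistener",
  "class": "solr.RunExecutableListener", "exe": "ANYCOMMAND",
  "dir": "/usr/bin/", "args": ["ANYARGS"]}}"""
# Constructed samples: a harmless listener and a static config entry.
BENIGN_BODY = """{"add-listener": {"event": "newSearcher", "name": "warm",
  "class": "solr.QuerySenderListener"}}"""
SAMPLE_SOLRCONFIG = """<config><updateHandler class="solr.DirectUpdateHandler2">
  <listener event="postCommit" class="solr.RunExecutableListener">
    <str name="exe">snapshooter</str><str name="dir">solr/bin</str>
  </listener></updateHandler></config>"""

if __name__ == "__main__":
    for label, hits in [("reported", find_in_json(REPORTED_BODY)),
                        ("benign", find_in_json(BENIGN_BODY)),
                        ("solrconfig", find_in_solrconfig(SAMPLE_SOLRCONFIG))]:
        print(label, hits)
```

A hit in a request log shows someone tried to register the listener; a hit in a stored config shows it is active and will run on the named event.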


