[ https://issues.apache.org/jira/browse/SOLR-11482?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16209486#comment-16209486 ]
Uwe Schindler commented on SOLR-11482:
--------------------------------------

[~ysee...@gmail.com], yes, that is indeed true. This issue has the same CVE, as the combination of issues makes the whole thing exploitable. The other problem that makes this a problem is the existence of the "stream.body" parameter, which was another brick to exploit the issue. "stream.body" is now also disabled in latest versions:

- A user may use XXE to trigger a GET request to another endpoint of the Solr server. But that was also possible with other security issues we have seen before. So XXE was just another way to send a GET request.
- A GET request should not be able to do any changes in config, unfortunately there is also "stream.body"! This allows to convert a GET request to something that may change config. It may also delete indexes or insert new documents!
- Finally the last step was the RunExecutableListener, which allows to actually do the bad stuff (like opening a shell): It is disabled by default / deleted (7.1+) now, so none of the above (or other hacks we have seen before) can be used to launch processes.

About stream.body: I am not sure about 6.6 and 5.x and if we should handle that there! But as this was not explicitly mentioned as a "bad thing" in the security report, it's not so urgent, but it is still one step towards an exploit: SOLR-10748

> CVE-2017-12629: Remove RunExecutableListener from Solr
> ------------------------------------------------------
>
>                 Key: SOLR-11482
>                 URL: https://issues.apache.org/jira/browse/SOLR-11482
>             Project: Solr
>          Issue Type: Task
>      Security Level: Public(Default Security Level. Issues are Public)
>          Components: security, Server
>            Reporter: Uwe Schindler
>            Assignee: Uwe Schindler
>            Priority: Blocker
>             Fix For: 5.5.5, 7.1, 7.2, master (8.0), 6.6.2
>
>         Attachments: SOLR-11482-6.6.patch, SOLR-11482-branch_5_5-restore-logged-warning.patch, SOLR-11482.patch
>
>
> This class should no longer be needed, as replication can be done through Solr Cloud or via ReplicationHandler. The current listener is a security risk, as it can be configured through the Config API. See the report:
> Solr "RunExecutableListener" class can be used to execute arbitrary commands on specific events, for example after each update query. The problem is that such listener can be enabled with any parameters just by using Config API with add-listener command.
> {noformat}
> POST /solr/newcollection/config HTTP/1.1
> Host: localhost:8983
> Connection: close
> Content-Type: application/json
> Content-Length: 198
>
> {
>   "add-listener" : {
>     "event":"postCommit",
>     "name":"newlistener",
>     "class":"solr.RunExecutableListener",
>     "exe":"ANYCOMMAND",
>     "dir":"/usr/bin/",
>     "args":["ANYARGS"]
>   }
> }
> {noformat}
> Parameters "exe", "args" and "dir" can be crafted through the HTTP request during modification of the collection's config. This means that anybody who can send a HTTP request to Solr API is able to execute arbitrary shell commands when "postCommit" event is fired. It leads to execution of arbitrary remote code for a remote attacker.

--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
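The comment above describes the chain as three bricks: a GET reaching an internal endpoint, "stream.body" turning that GET into a config change, and RunExecutableListener turning the config change into a process launch. The Python below is an added example written for this page; it is not code from the issue, from the reporter, or from the Solr project. It audits the two bricks an operator can actually inspect on disk: it parses a solrconfig.xml for any <listener> whose class is RunExecutableListener, and it scans request-log lines for a request to a /config endpoint whose stream.body carries an add-listener payload. The solrconfig excerpt, the listener class solr.ExampleHarmlessListener, and the NCSA-style log lines are all constructed for the example and are not real captured data; the log format is an assumption about a typical Jetty request log, so adjust the regular expression to whatever your deployment writes.

```python
"""Added audit helpers for the CVE-2017-12629 chain discussed above.

Two checks, both stand-alone and offline:
  1. find_runexecutable_listeners(): parse a solrconfig.xml and report every
     <listener> whose class is RunExecutableListener (the process-launching
     step of the chain).
  2. find_stream_body_config_writes(): scan request-log lines for a request
     to a /config endpoint that carries an add-listener payload in the
     stream.body parameter (the GET-to-config-change step of the chain).
All sample inputs below are constructed for this example; the log lines
mimic an NCSA-style Jetty request log and are not real captured traffic.
"""
import re
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlsplit

# Short name used in solrconfig.xml / the Config API, plus the resolved class.
RUN_EXEC_CLASSES = {
    "solr.RunExecutableListener",
    "org.apache.solr.core.RunExecutableListener",
}

# Constructed solrconfig.xml excerpt modelled on the old example config.
# solr.ExampleHarmlessListener is a made-up class name used as a non-match.
SAMPLE_SOLRCONFIG = """<config>
  <updateHandler class="solr.DirectUpdateHandler2">
    <listener event="postCommit" class="solr.RunExecutableListener">
      <str name="exe">solr/bin/snapshooter</str>
      <str name="dir">.</str>
      <bool name="wait">true</bool>
    </listener>
    <listener event="postCommit" class="solr.ExampleHarmlessListener"/>
  </updateHandler>
</config>
"""

# Constructed request-log lines. The second one smuggles the comment's
# add-listener payload into stream.body on a plain GET.
SAMPLE_LOG = [
    '127.0.0.1 - - [17/Oct/2017:10:00:00 +0000] "GET /solr/newcollection/select?q=*:*&wt=json HTTP/1.1" 200 512',
    '127.0.0.1 - - [17/Oct/2017:10:00:01 +0000] "GET /solr/newcollection/config?stream.body=%7B%22add-listener%22%3A%7B%22event%22%3A%22postCommit%22%2C%22name%22%3A%22newlistener%22%2C%22class%22%3A%22solr.RunExecutableListener%22%2C%22exe%22%3A%22ANYCOMMAND%22%7D%7D HTTP/1.1" 200 40',
    '127.0.0.1 - - [17/Oct/2017:10:00:02 +0000] "GET /solr/newcollection/config?wt=json HTTP/1.1" 200 2048',
]

# Request line inside an NCSA-style log entry: "METHOD target HTTP/x.y"
REQUEST_LINE_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def find_runexecutable_listeners(solrconfig_xml):
    """Return one dict per RunExecutableListener found in a solrconfig.xml string.

    The file is the operator's own config, not attacker input; ElementTree
    is used simply because it is in the standard library.
    """
    root = ET.fromstring(solrconfig_xml)
    hits = []
    for listener in root.iter("listener"):
        if listener.get("class", "") in RUN_EXEC_CLASSES:
            hits.append({
                "event": listener.get("event"),
                "exe": listener.findtext("str[@name='exe']") or "",
                "dir": listener.findtext("str[@name='dir']") or "",
            })
    return hits


def find_stream_body_config_writes(log_lines):
    """Return requests to a /config endpoint whose stream.body carries a
    config change (an add-listener command or a RunExecutableListener class).
    """
    hits = []
    for line in log_lines:
        m = REQUEST_LINE_RE.search(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        if not parts.path.endswith("/config"):
            continue
        # parse_qs percent-decodes, so the JSON body comes back in clear text.
        body = parse_qs(parts.query).get("stream.body", [""])[0]
        if "add-listener" in body or any(c in body for c in RUN_EXEC_CLASSES):
            hits.append({"method": m.group("method"), "path": parts.path, "body": body})
    return hits


if __name__ == "__main__":
    for h in find_runexecutable_listeners(SAMPLE_SOLRCONFIG):
        print("config: RunExecutableListener on", h["event"], "runs", h["exe"])
    for h in find_stream_body_config_writes(SAMPLE_LOG):
        print("log:", h["method"], h["path"], "stream.body =", h["body"])
```

Run it against a real solrconfig.xml and request log by reading the file contents into the two functions; a non-empty result from either is worth treating as a finding on any release before the fix versions listed in the issue, since the listener is only removed in 7.1+ and stream.body is only disabled in the latest versions the comment refers to.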