[ https://issues.apache.org/jira/browse/SOLR-13301?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Tomás Fernández Löbbe updated SOLR-13301:
-----------------------------------------
    Security: Public  (was: Private (Security Issue))

> [CVE-2019-0192] Deserialization of untrusted data via jmx.serviceUrl
> --------------------------------------------------------------------
>
>                 Key: SOLR-13301
>                 URL: https://issues.apache.org/jira/browse/SOLR-13301
>             Project: Solr
>          Issue Type: Bug
>      Security Level: Public (Default Security Level. Issues are Public)
>          Components: config-api
>    Affects Versions: 5.0, 5.1, 5.2, 5.2.1, 5.3, 5.3.1, 5.3.2, 5.4, 5.4.1,
>                      5.5, 5.5.1, 5.5.2, 5.5.3, 5.5.4, 5.5.5, 6.0, 6.0.1, 6.1, 6.1.1, 6.2, 6.2.1,
>                      6.3, 6.4, 6.4.1, 6.4.2, 6.5, 6.5.1, 6.6, 6.6.1, 6.6.2, 6.6.3, 6.6.4, 6.6.5
>            Reporter: Tomás Fernández Löbbe
>            Priority: Critical
>             Fix For: 7.0
>
>         Attachments: SOLR-13301.patch
>
>
> From the vulnerability reporter:
> {quote}ConfigAPI allows setting a jmx.serviceUrl that will create a new
> [JMXConnectorServerFactory|https://docs.oracle.com/javase/7/docs/api/javax/management/remote/JMXConnectorServerFactory.html]
> and trigger a call with the 'bind' operation to a target RMI/LDAP server. A
> malicious RMI server could respond with an arbitrary object that will be
> deserialized on the Solr side using Java's ObjectInputStream, which is
> considered unsafe. This type of vulnerability can be exploited with the
> ysoserial tool. Depending on the target classpath, an attacker can use one of
> the "gadget chains" to trigger Remote Code Execution on the Solr side.
> {quote}
> Mitigation:
> Any of the following are enough to prevent this vulnerability:
> * Upgrade to Apache Solr 7.0 or later.
> * Disable the ConfigAPI if not in use, by running Solr with the system
> property {{disable.configEdit=true}}
> * If upgrading or disabling the Config API are not viable options, apply
> [^SOLR-13301.patch] and re-compile Solr.
> * Ensure your network settings are configured so that only trusted traffic
> is allowed to ingress/egress your hosts running Solr.
> Since Solr 7.0, JMX server is no longer configurable via API

--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
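An operator-side check that applies the two facts the issue states (affected range 5.0 through 6.6.5 with the fix in 7.0, and the disable.configEdit=true system property as the interim mitigation) to a node's reported version and JVM arguments. This is an added example for this thread, not code from the issue, the attached patch or the Solr project. It assumes the version and launch arguments are read from a /admin/info/system response at the keys lucene.solr-spec-version and jvm.jmx.commandLineArgs; the sample response below is constructed.

```python
"""Audit whether a Solr node is exposed to SOLR-13301 / CVE-2019-0192.

Added example; not part of the JIRA issue, the patch or the Solr project.
It applies two facts stated in the issue: the bug affects Solr 5.0 through
6.6.5 and is fixed in 7.0, and starting Solr with -Ddisable.configEdit=true
turns off the Config API through which jmx.serviceUrl is set.
"""
import re
from dataclasses import dataclass, field

FIRST_AFFECTED = (5, 0)   # "Affects Versions" in the issue start at 5.0
FIXED_IN = (7, 0)         # "Fix For: 7.0"


def parse_version(version: str) -> tuple:
    """'6.6.5' -> (6, 6, 5); a suffix such as '-SNAPSHOT' is ignored."""
    m = re.match(r"\s*(\d+(?:\.\d+)*)", version)
    if not m:
        raise ValueError(f"unrecognised Solr version: {version!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def version_is_affected(version: str) -> bool:
    """True for every release from 5.0 up to, but excluding, 7.0."""
    return FIRST_AFFECTED <= parse_version(version) < FIXED_IN


def config_edit_disabled(jvm_args) -> bool:
    """True when the JVM was launched with -Ddisable.configEdit=true."""
    for arg in jvm_args:
        m = re.fullmatch(r"-Ddisable\.configEdit=(.*)", arg.strip())
        if m and m.group(1).strip().lower() == "true":
            return True
    return False


@dataclass
class Assessment:
    version: str
    affected_version: bool
    config_edit_disabled: bool
    vulnerable: bool
    advice: list = field(default_factory=list)


def assess(version: str, jvm_args) -> Assessment:
    """Combine the version check with the system-property check."""
    affected = version_is_affected(version)
    disabled = config_edit_disabled(jvm_args)
    vulnerable = affected and not disabled
    advice = []
    if vulnerable:
        advice.append("Upgrade to Apache Solr 7.0 or later.")
        advice.append("Until then, start Solr with -Ddisable.configEdit=true "
                      "if the Config API is not needed, or apply SOLR-13301.patch.")
    return Assessment(version, affected, disabled, vulnerable, advice)


def assess_system_info(info: dict) -> Assessment:
    """Assumed shape of a /admin/info/system response: the Solr version at
    info["lucene"]["solr-spec-version"] and the launch arguments at
    info["jvm"]["jmx"]["commandLineArgs"]. Adjust the keys if your Solr
    reports them differently."""
    version = info["lucene"]["solr-spec-version"]
    args = info.get("jvm", {}).get("jmx", {}).get("commandLineArgs", [])
    return assess(version, args)


# Constructed sample response, modelled on the keys assumed above.
SAMPLE_SYSTEM_INFO = {
    "lucene": {"solr-spec-version": "6.6.5"},
    "jvm": {"jmx": {"commandLineArgs": ["-Xms512m", "-Xmx512m",
                                        "-Dsolr.log.dir=/var/solr/logs"]}},
}

if __name__ == "__main__":
    result = assess_system_info(SAMPLE_SYSTEM_INFO)
    print(f"Solr {result.version}: vulnerable={result.vulnerable}")
    for line in result.advice:
        print("  -", line)
```

The version comparison uses tuple ordering, so a patch release such as 7.0.0 compares above (7, 0) and is reported as fixed, while 6.6.5 falls inside the affected range. The property check only accepts the literal value true, mirroring how a boolean Java system property is read; a node that sets it to anything else is still treated as exposed.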