[
https://issues.apache.org/jira/browse/SOLR-13301?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16790291#comment-16790291
]
charlie zha commented on SOLR-13301:
------------------------------------
Because our Solr server ports are not open to public network, only VPN or
SFTP(White List IP ranges) can connect to Solr server directly.
My question was, if we can access from public network to Solr server with HTTP
POST payload or any coding? For instance, a computer host from my home or
office.
Thanks,
Charlie
> [CVE-2019-0192] Deserialization of untrusted data via jmx.serviceUrl
> --------------------------------------------------------------------
>
> Key: SOLR-13301
> URL: https://issues.apache.org/jira/browse/SOLR-13301
> Project: Solr
> Issue Type: Bug
> Security Level: Public(Default Security Level. Issues are Public)
> Components: config-api
> Affects Versions: 5.0, 5.1, 5.2, 5.2.1, 5.3, 5.3.1, 5.3.2, 5.4, 5.4.1,
> 5.5, 5.5.1, 5.5.2, 5.5.3, 5.5.4, 5.5.5, 6.0, 6.0.1, 6.1, 6.1.1, 6.2, 6.2.1,
> 6.3, 6.4, 6.4.1, 6.4.2, 6.5, 6.5.1, 6.6, 6.6.1, 6.6.2, 6.6.3, 6.6.4, 6.6.5
> Reporter: Tomás Fernández Löbbe
> Priority: Critical
> Fix For: 7.0
>
> Attachments: SOLR-13301.patch
>
>
> From the vulnerability reporter:
> {quote}ConfigAPI allows to set a jmx.serviceUrl that will create a new
> [JMXConnectorServerFactory|https://docs.oracle.com/javase/7/docs/api/javax/management/remote/JMXConnectorServerFactory.html]
> and trigger a call with 'bind' operation to a target RMI/LDAP server. A
> malicious RMI server could respond with arbitrary object that will be
> deserialized on the Solr side using java's ObjectInputStream, which is
> considered unsafe. This type of vulnerabilities can be exploited with
> ysoserial tool. Depending on the target classpath, an attacker can use one of
> the "gadget chains" to trigger Remote Code Execution on the Solr side.
> {quote}
> Mitigation:
> Any of the following are enough to prevent this vulnerability:
> * Upgrade to Apache Solr 7.0 or later.
> * Disable the ConfigAPI if not in use, by running Solr with the system
> property {{disable.configEdit=true}}
> * If upgrading or disabling the Config API are not viable options, apply
> [^SOLR-13301.patch] and re-compile Solr.
> * Ensure your network settings are configured so that only trusted traffic
> is allowed to ingress/egress your hosts running Solr.
> Since Solr 7.0, JMX server is no longer configurable via API
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@lucene.apache.org
For additional commands, e-mail: dev-h...@lucene.apache.org
