[ https://issues.apache.org/jira/browse/SOLR-14925?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Tomas Eduardo Fernandez Lobbe updated SOLR-14925: ------------------------------------------------- Security: Public (was: Private (Security Issue)) > CVE-2020-13957: The checks added to unauthenticated configset uploads can be > circumvented > ----------------------------------------------------------------------------------------- > > Key: SOLR-14925 > URL: https://issues.apache.org/jira/browse/SOLR-14925 > Project: Solr > Issue Type: Bug > Security Level: Public(Default Security Level. Issues are Public) > Affects Versions: 6.6, 6.6.1, 6.6.2, 6.6.3, 6.6.4, 6.6.5, 7.0, 7.0.1, 7.1, > 7.2, 7.2.1, 7.3, 7.3.1, 7.4, 7.5, 7.6, 7.7, 7.7.1, 7.7.2, 8.0, 8.1, 8.2, > 7.7.3, 8.1.1, 8.3, 8.4, 8.3.1, 8.5, 8.4.1, 8.6, 8.5.1, 8.5.2, 8.6.1, 8.6.2 > Reporter: Tomas Eduardo Fernandez Lobbe > Assignee: Tomas Eduardo Fernandez Lobbe > Priority: Major > Fix For: master (9.0), 8.7, 8.6.3 > > > Severity: High > Vendor: The Apache Software Foundation > Versions Affected: > 6.6.0 to 6.6.5 > 7.0.0 to 7.7.3 > 8.0.0 to 8.6.2 > Description: > Solr prevents some features considered dangerous (which could be used for > remote code execution) to be configured in a ConfigSet that's uploaded via > API without authentication/authorization. The checks in place to prevent such > features can be circumvented by using a combination of UPLOAD/CREATE actions. > Mitigation: > Any of the following are enough to prevent this vulnerability: > * Disable UPLOAD command in ConfigSets API if not used by setting the system > property: {{configset.upload.enabled}} to {{false}} [1] > * Use Authentication/Authorization and make sure unknown requests aren't > allowed [2] > * Upgrade to Solr 8.6.3 or greater. > * If upgrading is not an option, consider applying the patch in SOLR-14663 > ([3]) > * No Solr API, including the Admin UI, is designed to be exposed to > non-trusted parties. Tune your firewall so that only trusted computers and > people are allowed access > Credit: > Tomás Fernández Löbbe, András Salamon > References: > [1] https://lucene.apache.org/solr/guide/8_6/configsets-api.html > [2] > https://lucene.apache.org/solr/guide/8_6/authentication-and-authorization-plugins.html > [3] https://issues.apache.org/jira/browse/SOLR-14663 > [4] https://issues.apache.org/jira/browse/SOLR-14925 > [5] https://wiki.apache.org/solr/SolrSecurity -- This message was sent by Atlassian Jira (v8.3.4#803005) --------------------------------------------------------------------- To unsubscribe, e-mail: issues-unsubscr...@lucene.apache.org For additional commands, e-mail: issues-h...@lucene.apache.org