[jira] [Commented] (SOLR-16777) Schema Designer blindly "trusts" potentially malicious configset

[Houston Putman (Jira)]

    [ 
https://issues.apache.org/jira/browse/SOLR-16777?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17741756#comment-17741756
 ] 

Houston Putman commented on SOLR-16777:
---------------------------------------

I added a patch that should use the built-in trustedness of the configSet being 
used, when designing with the schema designer. If the user uploads a custom 
file to the configSet using the schema designer APIs, it can only remove the 
trust (if the user is not authenticated). It can never add trust to an 
untrusted configSet, because there is no way to replace all files using the 
schema designer APIs. (And we aren't going to give a whole configSet trust just 
because one file is now "trusted")

> Schema Designer blindly "trusts" potentially malicious configset
> ----------------------------------------------------------------
>
>                 Key: SOLR-16777
>                 URL: https://issues.apache.org/jira/browse/SOLR-16777
>             Project: Solr
>          Issue Type: Bug
>    Affects Versions: 9.0, 8.10, 8.11.2, 9.1, 9.2, 9.1.1
>            Reporter: Ishan Chattopadhyaya
>            Assignee: Ishan Chattopadhyaya
>            Priority: Blocker
>             Fix For: 9.3
>
>         Attachments: SOLR-16777-1.patch, SOLR-16777.patch, 
> Screenshot_20230503_165913.jpg, Screenshot_20230503_181534.jpg
>
>          Time Spent: 0.5h
>  Remaining Estimate: 0h
>
> When configset API is used to upload configsets by unauthenticated users, a 
> "trusted: false" flag is set on the configset. Such configsets cannot use the 
> <lib> directive to load classes while creating/loading collections. Details 
> here: https://solr.apache.org/guide/8_10/configsets-api.html#configsets-upload
> Unfortunately, this safety mechanism was bypassed in the schema designer when 
> a isConfigsetTrusted was hardcoded to true. 
> [https://github.com/apache/solr/blob/branch_9_1/solr/core/src/java/org/apache/solr/handler/designer/SchemaDesignerConfigSetHelper.java#L697]
>  
> As per Skay's report 
> [https://twitter.com/Skay_00/status/1646870062601756672|https://twitter.com/Skay_00/status/1646870062601756672),]
>  remote code execution is possible in unsecured Solr clusters where 
> authentication hasn't been enabled. This ticket is to mitigate one aspect of 
> that, i.e. the schema designer vulnerability. While our recommendation to all 
> users remains the same, i.e. to secure Solr installations with authentication 
> and authorization, I thank Skay for his detailed report.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscr...@solr.apache.org
For additional commands, e-mail: issues-h...@solr.apache.org