Hi,

We've got users on Solr 6 (and use Jackson ourselves), so I had a look at this CVE and related Jackson exploits, to see whether they are actually exploitable in Solr.

- What parts of Solr actually use Jackson (I thought noggit was used for the JSON de/serialization)?
- Do any of the object mappers used enable default typing? (which is necessary to exploit CVE-2017-7525 https://adamcaudill.com/2017/10/04/exploiting-jackson-rce-cve-2017-7525/ )
- Is polymorphism used with Jackson without restricting subtypes (e.g. @JsonTypeInfo with JsonTypeInfo.Id.CLASS, which allows other exploits like CVE-2017-15095 https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062 )

Aside from test classes, the only users of Jackson appear to be
- org.apache.solr.analytics.AnalyticsRequestParser
- org.apache.solr.prometheus.scraper.SolrScraper

From what I can see in the source on master and the 7_7 branch, default typing isn't ever enabled, and @JsonTypeInfo is restricted to named subtypes. In the 6_6 branch source it seems Jackson is only used in a handful of tests. Prior to Solr 6.3 (https://issues.apache.org/jira/browse/SOLR-9589) org.apache.solr.client.solrj.response.DelegationTokenResponse.JsonMapResponseParser constructed an ObjectMapper without configuration.

So, as far as I can see, the polymorphic deserialization Remote Code Execution vulnerabilities on (older versions of) Jackson shouldn't actually be exploitable in Solr 7.7... but I could be wrong, and new vulnerabilities may still be discovered.

Colvin

On Wed, 18 Dec 2019 at 18:16, Kevin Risden <kris...@apache.org> wrote:
> There are no specific plans for any 7.x branch releases that I'm aware of.
> Specifically for SOLR-13110, that required upgrading Hadoop 2.x to 3.x for
> specifically jackson-mapper-asl and there are no plans to backport that to
> 7.x even if there was a future 7.x release.
>
> Kevin Risden
>
>
> On Wed, Dec 18, 2019 at 8:44 AM Mehai, Lotfi <lme...@ptfs.com.invalid>
> wrote:
>
> > Hello;
> >
> > We are using Solr 7.7.0. CVE-2017-7525 has been fixed for Solr 8.x.
> > https://issues.apache.org/jira/browse/SOLR-13110
> >
> > When will the fix be available for Solr 7.7.x?
> >
> > Lotfi
> >
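The two Jackson conditions Colvin's audit checks for (an ObjectMapper with default typing enabled, versus @JsonTypeInfo restricted to named subtypes) can be demonstrated side by side. The following is an added, stand-alone Java example written for this thread; it is not Solr code and not code from any of the messages above. It assumes jackson-databind 2.9/2.10 (enableDefaultTyping still exists there, deprecated in favour of activateDefaultTyping from 2.10), and the class names LooseHolder, StrictHolder, Shape, Circle, Square and NotMeantForJson are invented for the illustration. No gadget class is used: NotMeantForJson merely stands in for "any class on the classpath the developer never intended to be instantiated from JSON".

```java
import com.fasterxml.jackson.annotation.JsonSubTypes;
import com.fasterxml.jackson.annotation.JsonTypeInfo;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.InvalidTypeIdException;

public class JacksonTypingCheck {

    // Pattern 1 (risky): a field typed as Object on a mapper with global default typing.
    // The JSON, not the code, then picks the concrete class to instantiate.
    public static class LooseHolder {
        public Object payload;
    }

    // Pattern 2 (what Colvin found in Solr 7.7): polymorphism with an explicit
    // allow-list of subtypes, resolved by logical name rather than by class name.
    @JsonTypeInfo(use = JsonTypeInfo.Id.NAME, include = JsonTypeInfo.As.PROPERTY, property = "type")
    @JsonSubTypes({
        @JsonSubTypes.Type(value = Circle.class, name = "circle"),
        @JsonSubTypes.Type(value = Square.class, name = "square")
    })
    public interface Shape {}

    public static class Circle implements Shape { public double radius; }
    public static class Square implements Shape { public double side; }

    public static class StrictHolder {
        public Shape payload;
    }

    // Hypothetical bystander class: present on the classpath, never registered as a subtype.
    public static class NotMeantForJson {
        public String note;
    }

    public static void main(String[] args) throws Exception {
        // --- Pattern 1: default typing honours a sender-supplied class name ---
        ObjectMapper loose = new ObjectMapper();
        loose.enableDefaultTyping(ObjectMapper.DefaultTyping.OBJECT_AND_NON_CONCRETE); // deprecated since 2.10
        // Default typing uses the WRAPPER_ARRAY form: ["fully.qualified.ClassName", {...fields...}]
        String looseJson = "{\"payload\":[\"" + NotMeantForJson.class.getName()
                + "\",{\"note\":\"class chosen by the sender\"}]}";
        LooseHolder lh = loose.readValue(looseJson, LooseHolder.class);
        System.out.println("default typing instantiated: " + lh.payload.getClass().getName());

        // --- Pattern 2: named subtypes, a plain ObjectMapper with no default typing ---
        ObjectMapper strict = new ObjectMapper();
        String ok = "{\"payload\":{\"type\":\"circle\",\"radius\":2.0}}";
        StrictHolder sh = strict.readValue(ok, StrictHolder.class);
        System.out.println("named subtype resolved: " + sh.payload.getClass().getSimpleName());

        // The same trick as above: a class name where a type id is expected.
        String senderChosen = "{\"payload\":{\"type\":\"" + NotMeantForJson.class.getName()
                + "\",\"note\":\"x\"}}";
        try {
            strict.readValue(senderChosen, StrictHolder.class);
            System.out.println("unexpected: unregistered type id was accepted");
        } catch (InvalidTypeIdException e) {
            // Id.NAME only resolves ids listed in @JsonSubTypes; anything else is rejected here.
            System.out.println("rejected unknown type id: " + e.getTypeId());
        }
    }
}
```

Run with jackson-databind and jackson-annotations on the classpath. The first half prints the name of NotMeantForJson, showing that with default typing the sender controls which class is constructed (the precondition for CVE-2017-7525); the second half resolves "circle" and then throws InvalidTypeIdException for the class-name payload, which is the property Colvin relies on when he notes that Solr's @JsonTypeInfo usage is restricted to named subtypes.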