Thanks Shawn. On Fri, Feb 12, 2021 at 7:43 PM Shawn Heisey <apa...@elyograg.org> wrote:
> On 2/12/2021 11:17 AM, Rick Tham wrote: > > I am trying to figure out if the following is an additioanal valid > > mitigation step for CVE-2019-17558 on SOLR 6.1. None of our > solrconfig.xml > > contains the lib references to the velocity jar files as follows: > > > > <lib dir="${solr.install.dir:../../../..}/contrib/velocity/lib" > > regex="..jar" /> > > l<ib dir="${solr.install.dir:../../../..}/dist/" > > regex="solr-velocity-\d..jar" /> > > > > It doesn't appear that you can add these jars references using the config > > API. Without these references, you are not able to flip the > > params.resource.loader.enabled to true using the config API. If you are > not > > able to flip the flag and none of your cores have these lib references > then > > is the risk present? > > In order to be vulnerable to that problem, all of the following things > must be true. If any of them is NOT true, then this vulnerability does > not apply: > > * The velocity jars must be loaded. A common way for this is the <lib> > configuration you mentioned, but there are other ways. Those other ways > require human intervention to move the actual files. > * Your config must *use* the jars, by containing a velocity config. > * The params resource loader must be enabled in the velocity config. > Note that the "velocity.params.resource.loader.enabled" flag only > applies if the velocity config in solrconfig.xml *references* that flag. > * Your Solr server must be reachable to unauthorized parties who would > exploit the vulnerability. > > I have no idea whether any of this config can be changed remotely. I > have never used the config API. But if your Solr server is not > reachable to bad guys, it won't matter. > > Simply controlling who can reach the Solr server is the easiest way to > avoid being vulnerable to anything. Although there are security > mechanisms available, Solr is not designed to be publicly reachable. It > should be heavily firewalled. > > The velocity response writer usually requires end users to have direct > access to the Solr server for it to be worth something. We STRONGLY > discourage leaving Solr exposed. > > Thanks, > Shawn >