Date: Wed, 4 Jul 2018 17:15:13 -0400
From: will martin <wmartinusa@...il.com>
To: general@...ene.apache.org
Cc: announce@...che.org, dev@...ene.apache.org, solr-user@...ene.apache.org, security <security@...che.org>, oss-security@...ts.openwall.com
Subject: Re: [SECURITY] CVE-2018-8026: XXE vulnerability due to Apache Solr configset upload (exchange rate provider config / enum field config / TIKA parsecontext)

The CVE id was reserved in April. The JIRA ticket 1 mo ago. Is this the first notice to this list?

Thx

On Wed, Jul 4, 2018, 12:56 PM Uwe Schindler <uschindler@...che.org> wrote:

> CVE-2018-8026: XXE vulnerability due to Apache Solr configset upload
> (exchange rate provider config / enum field config / TIKA parsecontext)
>
> Severity: High
>
> Vendor:
> The Apache Software Foundation
>
> Versions Affected:
> Solr 6.0.0 to 6.6.4
> Solr 7.0.0 to 7.3.1
>
> Description:
> The details of this vulnerability were reported by mail to the Apache
> security mailing list.
> This vulnerability relates to an XML external entity expansion (XXE) in Solr
> config files (currency.xml, enumsConfig.xml referred from schema.xml,
> TIKA parsecontext config file). In addition, XInclude functionality provided
> in these config files is also affected in a similar way. The vulnerability can
> be used as XXE using file/ftp/http protocols in order to read arbitrary
> local files from the Solr server or the internal network. The manipulated
> files can be uploaded as configsets using Solr's API, allowing that
> vulnerability to be exploited. See  for more details.
>
> Mitigation:
> Users are advised to upgrade to either Solr 6.6.5 or Solr 7.4.0 releases, both
> of which address the vulnerability. Once upgrade is complete, no other steps
> are required. Those releases only allow external entities and XIncludes that
> refer to local files / zookeeper resources below the Solr instance directory
> (using Solr's ResourceLoader); usage of absolute URLs is denied. Keep in
> mind that external entities and XInclude are explicitly supported to better
> structure config files in large installations. Before Solr 6 this was no
> problem, as config files were not accessible through the APIs.
>
> If users are unable to upgrade to Solr 6.6.5 or Solr 7.4.0 then they are
> advised to make sure that Solr instances are only used locally without access
> to public internet, so the vulnerability cannot be exploited. In addition,
> reverse proxies should be guarded to not allow end users to reach the
> configset APIs. Please refer to  on how to correctly secure Solr servers.
>
> Solr 5.x and earlier are not affected by this vulnerability; those versions
> do not allow uploading configsets via the API. Nevertheless, users should
> upgrade those versions as soon as possible, because there may be other ways
> to inject config files through file upload functionality of the old web
> interface. Those versions are no longer maintained, so no deep analysis was
> done.
>
> Credit:
> Yuyang Xiao, Ishan Chattopadhyaya
>
> References:
> https://issues.apache.org/jira/browse/SOLR-12450
> https://wiki.apache.org/solr/SolrSecurity
>
> -----
> Uwe Schindler
> uschindler@...che.org
> ASF Member, Apache Lucene PMC / Committer
> Bremen, Germany
> http://lucene.apache.org/
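A pre-upload check for the configset files the advisory names, added here as an example (it is neither Solr's code nor the ResourceLoader check the fixed releases use): it lists external entity declarations and XInclude hrefs in each file and flags those that carry a URL scheme, an absolute path or a `..` segment, approximating the "relative references below the instance directory only" policy the advisory describes. The sample configset, the file names inside it and the hypothetical URLs are constructed for the example.

```python
import re
from urllib.parse import urlsplit

# Constructed sample configset (not from the advisory): currency.xml declares an
# external entity with an absolute file: URL; schema.xml has one XInclude with an
# absolute http: URL and one relative XInclude of the kind the fix still permits.
SAMPLE_CONFIGSET = {
    "currency.xml": (
        '<?xml version="1.0"?>\n'
        '<!DOCTYPE currencyConfig [\n'
        '  <!ENTITY rates SYSTEM "file:///tmp/example-rates.xml">\n'
        ']>\n'
        '<currencyConfig version="1.0">&rates;</currencyConfig>\n'
    ),
    "schema.xml": (
        '<?xml version="1.0"?>\n'
        '<schema name="example" xmlns:xi="http://www.w3.org/2001/XInclude">\n'
        '  <xi:include href="http://example.invalid/external.xml"/>\n'
        '  <xi:include href="enumsConfig.xml"/>\n'
        '</schema>\n'
    ),
}

# External entity declarations (SYSTEM or PUBLIC, general or parameter entities)
# and XInclude hrefs. This is a regex lint for review purposes, not an XML parser.
ENTITY_RE = re.compile(
    r'<!ENTITY\s+(?:%\s+)?\w+\s+(?:SYSTEM|PUBLIC\s+"[^"]*")\s+"(?P<ref>[^"]*)"', re.I)
XINCLUDE_RE = re.compile(r'<xi:include\b[^>]*\bhref="(?P<ref>[^"]*)"', re.I)


def is_allowed_reference(ref):
    """Approximation of the fixed releases' policy: only relative references that
    stay below the instance directory pass; any URL scheme (file:, ftp:, http:),
    an absolute path, or a '..' path segment is rejected."""
    if urlsplit(ref).scheme or ref.startswith(("/", "\\")):
        return False
    return ".." not in ref.replace("\\", "/").split("/")


def audit_configset(files):
    """Return one finding per external reference in a {filename: xml_text} dict."""
    findings = []
    for name, text in files.items():
        for kind, pattern in (("external-entity", ENTITY_RE), ("xinclude", XINCLUDE_RE)):
            for match in pattern.finditer(text):
                ref = match.group("ref")
                findings.append({"file": name, "kind": kind, "ref": ref,
                                 "allowed": is_allowed_reference(ref)})
    return findings
```

Run `audit_configset` over a configset directory's XML files before uploading it; any finding with `allowed` False is one the fixed releases would refuse to resolve and an unfixed release would fetch.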