Message-ID: <CAOOKt53EgrybaD+iSn-nBbvFdse-szhg=hMoDZuvUvyMme-Z=g@mail.gmail.com>
Date: Fri, 7 Jul 2017 19:14:02 +0530
From: Shalin Shekhar Mangar <shalin@...che.org>
To: Lucene mailing list <general@...ene.apache.org>, 
	"dev@...ene.apache.org" <dev@...ene.apache.org>, java-user@...ene.apache.org, 
	solr-user@...ene.apache.org, announce@...che.org, 
	security <security@...che.org>, oss-security@...ts.openwall.com, 
	bugtraq@...urityfocus.com
Cc: Noble Paul നോബിള് नोब्ळ् <noble.paul@...il.com>
Subject: [ANNOUNCE] [SECURITY] CVE-2017-7660: Security Vulnerability in secure
 inter-node communication in Apache Solr

CVE-2017-7660: Security Vulnerability in secure inter-node
communication in Apache Solr

Severity: Important

Vendor:
The Apache Software Foundation

Versions Affected:
Solr 5.3 to 5.5.4
Solr 6.0 to 6.5.1

Description:

Solr uses a PKI-based mechanism to secure inter-node communication
when security is enabled. It is possible to create a specially crafted
node name that does not exist as part of the cluster and point it at a
malicious node. This can trick the nodes in the cluster into believing
that the malicious node is a member of the cluster. So, if Solr users
have enabled the BasicAuth authentication mechanism using the
BasicAuthPlugin, or if they have implemented a custom authentication
plugin which does not implement either "HttpClientInterceptorPlugin" or
"HttpClientBuilderPlugin", their servers are vulnerable to this attack.
Users who only use SSL without basic authentication, or those who use
Kerberos, are not affected.
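The following is an added, constructed model of the failure mode described above and of the membership check that closes it; it is not Solr's own code. The node names, hosts and keys are made up, the key lookup dictionary stands in for the over-the-network fetch of a node's public key, and HMAC stands in for the RSA signatures a real PKI scheme uses, so the example runs with the standard library only.

```python
"""Toy model of PKI-style inter-node auth: the receiving node looks up the
caller's key by the node name carried in the request (constructed example)."""
import hashlib
import hmac

# Constructed cluster state: node names registered as live cluster members.
LIVE_NODES = {"10.0.0.1:8983_solr", "10.0.0.2:8983_solr"}

# Stand-in for "fetch the public key from the host encoded in the node name":
# whichever host the name points to answers with its own key material.
KEY_SERVED_BY_HOST = {
    "10.0.0.1:8983": b"node1-key",
    "10.0.0.2:8983": b"node2-key",
    "203.0.113.9:8983": b"rogue-key",  # host outside the cluster (constructed)
}


def host_from_node_name(node_name: str) -> str:
    # A node name carries the host:port of the node it claims to be.
    return node_name.rsplit("_", 1)[0]


def fetch_key(node_name: str) -> bytes:
    # Simulated network fetch of the sender's key from the named host.
    return KEY_SERVED_BY_HOST[host_from_node_name(node_name)]


def sign(key: bytes, payload: bytes) -> str:
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def verify_vulnerable(node_name: str, payload: bytes, sig: str) -> bool:
    # Trusts any well-formed node name: the key is fetched from wherever the
    # name points, so a name that encodes an outside host verifies itself.
    return hmac.compare_digest(sign(fetch_key(node_name), payload), sig)


def verify_hardened(node_name: str, payload: bytes, sig: str) -> bool:
    # Membership check first: only a name present in the live node list may
    # have its key fetched and trusted at all.
    if node_name not in LIVE_NODES:
        return False
    return hmac.compare_digest(sign(fetch_key(node_name), payload), sig)


def demo() -> dict:
    payload = b"GET /solr/collection1/select"
    legit, rogue = "10.0.0.1:8983_solr", "203.0.113.9:8983_solr"
    legit_sig, rogue_sig = sign(b"node1-key", payload), sign(b"rogue-key", payload)
    return {
        "legit_vulnerable": verify_vulnerable(legit, payload, legit_sig),
        "legit_hardened": verify_hardened(legit, payload, legit_sig),
        "rogue_vulnerable": verify_vulnerable(rogue, payload, rogue_sig),
        "rogue_hardened": verify_hardened(rogue, payload, rogue_sig),
    }
```

The rogue name is well-formed and its signature is internally consistent, so only the membership check distinguishes it from a real member.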

Mitigation:
6.x users should upgrade to 6.6
5.x users should obtain the latest source from git and apply this patch:
http://git-wip-us.apache.org/repos/asf/lucene-solr/commit/2f5ecbcf

Credit:
This issue was discovered by Noble Paul of Lucidworks Inc.

References:
https://issues.apache.org/jira/browse/SOLR-10624
https://wiki.apache.org/solr/SolrSecurity

-- 
The Lucene PMC