Date: Mon, 12 Oct 2020 11:39:50 -0700 From: Tomas Fernandez Lobbe <tflobbe@...che.org> To: oss-security@...ts.openwall.com Cc: private@...ene.apache.org Subject: [CVE-2020-13957] The checks added to unauthenticated configset uploads in Apache Solr can be circumvented Severity: High Vendor: The Apache Software Foundation Versions Affected: 6.6.0 to 6.6.5 7.0.0 to 7.7.3 8.0.0 to 8.6.2 Description: Solr prevents some features considered dangerous (which could be used for remote code execution) to be configured in a ConfigSet that's uploaded via API without authentication/authorization. The checks in place to prevent such features can be circumvented by using a combination of UPLOAD/CREATE actions. Mitigation: Any of the following are enough to prevent this vulnerability: * Disable UPLOAD command in ConfigSets API if not used by setting the system property: "configset.upload.enabled" to "false"  * Use Authentication/Authorization and make sure unknown requests aren't allowed  * Upgrade to Solr 8.6.3 or greater. * If upgrading is not an option, consider applying the patch in SOLR-14663 () * No Solr API, including the Admin UI, is designed to be exposed to non-trusted parties. Tune your firewall so that only trusted computers and people are allowed access Credit: Tomás Fernández Löbbe, András Salamon References:  https://lucene.apache.org/solr/guide/8_6/configsets-api.html  https://lucene.apache.org/solr/guide/8_6/authentication-and-authorization-plugins.html  https://issues.apache.org/jira/browse/SOLR-14663  https://issues.apache.org/jira/browse/SOLR-14925  https://wiki.apache.org/solr/SolrSecurity
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.