Date: Mon, 21 Nov 2022 13:12:19 -0500
From: David Smiley <dsmiley@...che.org>
To: security <security@...che.org>, oss-security@...ts.openwall.com, Andreas Hubold <andreas.hubold@...emedia.com>, users@...r.apache.org, dev@...r.apache.org
Subject: Apache Solr is vulnerable to CVE-2022-39135 via /sql handler

Vendor: The Apache Software Foundation

Versions Affected:
Solr 6.5 to 8.11.2
Solr 9.0

Description:
Apache Calcite has a vulnerability, CVE-2022-39135, that is exploitable in Apache Solr in SolrCloud mode. If an untrusted user can supply SQL queries to Solr’s “/sql” handler (even indirectly via proxies or other applications), then that user could perform an XML External Entity (XXE) attack. Some deployers of Solr might have exposed this handler so that internal analysts could use JDBC-based tooling, but it would be unlikely to have been granted to wider audiences.

Impact:
An XXE attack may lead to the disclosure of confidential data, denial of service, server-side request forgery (SSRF), port scanning from the Solr node, and other system impacts.

Mitigation:
Most Solr installations don’t make use of the SQL functionality. For such users, the standard Solr security advice of using a firewall should be adequate. Nonetheless, the functionality can be disabled. As of Solr 9 it has been modularized and is therefore opt-in, so nothing is needed for Solr 9 users that don’t use it. Users *not* using SolrCloud can’t use the functionality at all. Other users that wish to disable it must register a request handler in solrconfig.xml that masks the underlying functionality, like so:

  <requestHandler name="/sql" class="solr.NotFoundRequestHandler"/>

Users needing this SQL functionality must upgrade to Solr 9.1. If Solr 8.11.3 is released, then it will be an option as well. Simply replacing Calcite and other JAR files may mostly work but could fail depending on the particulars of the query. Users interested in this, or in patching their own versions of Solr, should examine SOLR-16421 for a source patch.

Credit: Andreas Hubold at CoreMedia GmbH

References:
https://nvd.nist.gov/vuln/detail/CVE-2022-39135
https://issues.apache.org/jira/browse/SOLR-16421
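The mitigation above only helps if the masking handler is actually in effect on every node, and in SolrCloud solrconfig.xml lives in ZooKeeper, so a live probe is the practical check. The script below is an added example for this advisory; it is not code from the advisory or from the Solr project. It assumes the standard SolrCloud endpoint /solr/<collection>/sql, which takes the SQL statement in a `stmt` parameter and answers in Solr’s streaming "result-set" JSON; the base URL, collection name and the sample responses are constructed for illustration. It sends a harmless COUNT(*) statement and classifies the answer: a 200 with a "result-set" object means the handler is still live, a 404 is what solr.NotFoundRequestHandler returns (but also what an unknown collection gets, so treat it as "unreachable at this path" rather than proof that the masking handler is registered).

```python
"""Probe whether a SolrCloud node still answers on the /sql handler.

Added example for this advisory; not code from the advisory or from the
Solr project. Assumes the standard SolrCloud endpoint /solr/<collection>/sql,
which takes the SQL statement in a `stmt` parameter and answers in Solr's
streaming "result-set" JSON. Base URL, collection name and the sample
responses below are constructed for illustration.
"""
import json
import sys
import urllib.error
import urllib.parse
import urllib.request

EXPOSED = "exposed"            # handler is live: disable it or upgrade
MASKED = "masked-or-missing"   # 404: NotFoundRequestHandler, or no such path
UNEXPECTED = "unexpected"      # anything else: inspect by hand


def classify(status, body):
    """Turn an HTTP status and response body from /sql into a verdict.

    A live /sql handler answers 200 with a JSON object keyed "result-set"
    (even query errors come back that way, as an EXCEPTION doc), while
    solr.NotFoundRequestHandler answers 404. An unknown collection is also
    a 404, so MASKED only proves the handler is unreachable at that path.
    """
    if status == 404:
        return MASKED
    if status != 200:
        return UNEXPECTED
    try:
        doc = json.loads(body)
    except ValueError:
        return UNEXPECTED
    if isinstance(doc, dict) and "result-set" in doc:
        return EXPOSED
    return UNEXPECTED


def sql_probe_url(base_url, collection):
    """Build the probe URL; COUNT(*) is harmless and needs no data."""
    stmt = "SELECT COUNT(*) FROM " + collection
    query = urllib.parse.urlencode({"stmt": stmt, "wt": "json"})
    return "%s/solr/%s/sql?%s" % (
        base_url.rstrip("/"), urllib.parse.quote(collection, safe=""), query)


def probe(base_url, collection, timeout=10):
    """Send the probe and classify the answer; HTTPError carries 4xx/5xx bodies."""
    req = urllib.request.Request(sql_probe_url(base_url, collection),
                                 headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify(resp.status, resp.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as err:
        return classify(err.code, err.read().decode("utf-8", "replace"))


# Constructed sample responses (not captured from a real node) so the
# classifier can be exercised offline.
SAMPLE_LIVE = '{"result-set":{"docs":[{"EXPR$0":1234},{"EOF":true,"RESPONSE_TIME":3}]}}'
SAMPLE_MASKED = '{"responseHeader":{"status":404},"error":{"msg":"Not Found","code":404}}'
SAMPLE_HTML = "<html><body>Proxy error</body></html>"


def self_check():
    """Run the classifier over the constructed samples; returns the verdicts."""
    return (classify(200, SAMPLE_LIVE),
            classify(404, SAMPLE_MASKED),
            classify(200, SAMPLE_HTML))


if __name__ == "__main__":
    # Usage: python solr_sql_probe.py http://solr-host:8983 mycollection
    if len(sys.argv) != 3:
        print(self_check())
        sys.exit(0)
    print(probe(sys.argv[1], sys.argv[2]))
```

Run it against each node behind the load balancer rather than once through the proxy, since the advisory’s exposure path is exactly "indirectly via proxies / other apps": a proxy that rewrites paths can mask a handler that is still reachable on the node itself. The probe uses only standard-library HTTP and does not parse any XML, so it is not itself a vector for the XXE being checked.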