Re: [ANNOUNCE] [SECURITY] CVE-2017-7660: Security Vulnerability in secure inter-node communication in Apache Solr

classic Classic list List threaded Threaded
1 message Options
Reply | Threaded
Open this post in threaded view
|

Re: [ANNOUNCE] [SECURITY] CVE-2017-7660: Security Vulnerability in secure inter-node communication in Apache Solr

Ramesh Komuravelli
Hey all, Commvault is looking for GlusterFS developers, this role is going to be very crucial and working closely with CTO. If anyone interested... please mail me.

Regards,
Ramesh K

> On 07-Jul-2017, at 7:14 PM, Shalin Shekhar Mangar <[hidden email]> wrote:
>
> CVE-2017-7660: Security Vulnerability in secure inter-node
> communication in Apache Solr
>
> Severity: Important
>
> Vendor:
> The Apache Software Foundation
>
> Versions Affected:
> Solr 5.3 to 5.5.4
> Solr 6.0 to 6.5.1
>
> Description:
>
> Solr uses a PKI based mechanism to secure inter-node communication
> when security is enabled. It is possible to create a specially crafted
> node name that does not exist as part of the cluster and point it to a
> malicious node. This can trick the nodes in cluster to believe that
> the malicious node is a member of the cluster. So, if Solr users have
> enabled BasicAuth authentication mechanism using the BasicAuthPlugin
> or if the user has implemented a custom Authentication plugin, which
> does not implement either "HttpClientInterceptorPlugin" or
> "HttpClientBuilderPlugin", his/her servers are vulnerable to this
> attack. Users who only use SSL without basic authentication or those
> who use Kerberos are not affected.
>
> Mitigation:
> 6.x users should upgrade to 6.6
> 5.x users should obtain the latest source from git and apply this patch:
> http://git-wip-us.apache.org/repos/asf/lucene-solr/commit/2f5ecbcf
>
> Credit:
> This issue was discovered by Noble Paul of Lucidworks Inc.
>
> References:
> https://issues.apache.org/jira/browse/SOLR-10624
> https://wiki.apache.org/solr/SolrSecurity
>
> --
> The Lucene PMC
***************************Legal Disclaimer***************************
"This communication may contain confidential and privileged material for the
sole use of the intended recipient. Any unauthorized review, use or distribution
by others is strictly prohibited. If you have received the message by mistake,
please advise the sender by reply email and delete the message. Thank you."
**********************************************************************