Re: [CVE-2020-13957] The checks added to unauthenticated configset uploads in Apache Solr can be circumvented

Previous Topic Next Topic
 
classic Classic list List threaded Threaded
2 messages Options
Reply | Threaded
Open this post in threaded view
|

Re: [CVE-2020-13957] The checks added to unauthenticated configset uploads in Apache Solr can be circumvented

Bernd Fehling
Good to know that Version 6.6.6 is not affected, so I am safe ;-)

Regards
Bernd

Am 12.10.20 um 20:38 schrieb Tomas Fernandez Lobbe:

> Severity: High
>
> Vendor: The Apache Software Foundation
>
> Versions Affected:
> 6.6.0 to 6.6.5
> 7.0.0 to 7.7.3
> 8.0.0 to 8.6.2
>
> Description:
> Solr prevents some features considered dangerous (which could be used for
> remote code execution) to be configured in a ConfigSet that's uploaded via
> API without authentication/authorization. The checks in place to prevent
> such features can be circumvented by using a combination of UPLOAD/CREATE
> actions.
>
> Mitigation:
> Any of the following are enough to prevent this vulnerability:
> * Disable UPLOAD command in ConfigSets API if not used by setting the
> system property: "configset.upload.enabled" to "false" [1]
> * Use Authentication/Authorization and make sure unknown requests aren't
> allowed [2]
> * Upgrade to Solr 8.6.3 or greater.
> * If upgrading is not an option, consider applying the patch in SOLR-14663
> ([3])
> * No Solr API, including the Admin UI, is designed to be exposed to
> non-trusted parties. Tune your firewall so that only trusted computers and
> people are allowed access
>
> Credit:
> Tomás Fernández Löbbe, András Salamon
>
> References:
> [1] https://lucene.apache.org/solr/guide/8_6/configsets-api.html
> [2]
> https://lucene.apache.org/solr/guide/8_6/authentication-and-authorization-plugins.html
> [3] https://issues.apache.org/jira/browse/SOLR-14663
> [4] https://issues.apache.org/jira/browse/SOLR-14925
> [5] https://wiki.apache.org/solr/SolrSecurity
>
Reply | Threaded
Open this post in threaded view
|

Re: [CVE-2020-13957] The checks added to unauthenticated configset uploads in Apache Solr can be circumvented

Tomás Fernández Löbbe
Thanks Bernd, I missed 6.6.6 because it's not marked as a released version
in Jira. 6.6.6 is also affected.

On Mon, Oct 12, 2020 at 11:47 PM Bernd Fehling <
[hidden email]> wrote:

> Good to know that Version 6.6.6 is not affected, so I am safe ;-)
>
> Regards
> Bernd
>
> Am 12.10.20 um 20:38 schrieb Tomas Fernandez Lobbe:
> > Severity: High
> >
> > Vendor: The Apache Software Foundation
> >
> > Versions Affected:
> > 6.6.0 to 6.6.5
> > 7.0.0 to 7.7.3
> > 8.0.0 to 8.6.2
> >
> > Description:
> > Solr prevents some features considered dangerous (which could be used for
> > remote code execution) to be configured in a ConfigSet that's uploaded
> via
> > API without authentication/authorization. The checks in place to prevent
> > such features can be circumvented by using a combination of UPLOAD/CREATE
> > actions.
> >
> > Mitigation:
> > Any of the following are enough to prevent this vulnerability:
> > * Disable UPLOAD command in ConfigSets API if not used by setting the
> > system property: "configset.upload.enabled" to "false" [1]
> > * Use Authentication/Authorization and make sure unknown requests aren't
> > allowed [2]
> > * Upgrade to Solr 8.6.3 or greater.
> > * If upgrading is not an option, consider applying the patch in
> SOLR-14663
> > ([3])
> > * No Solr API, including the Admin UI, is designed to be exposed to
> > non-trusted parties. Tune your firewall so that only trusted computers
> and
> > people are allowed access
> >
> > Credit:
> > Tomás Fernández Löbbe, András Salamon
> >
> > References:
> > [1] https://lucene.apache.org/solr/guide/8_6/configsets-api.html
> > [2]
> >
> https://lucene.apache.org/solr/guide/8_6/authentication-and-authorization-plugins.html
> > [3] https://issues.apache.org/jira/browse/SOLR-14663
> > [4] https://issues.apache.org/jira/browse/SOLR-14925
> > [5] https://wiki.apache.org/solr/SolrSecurity
> >
>