[jira] [Commented] (SOLR-13750) [CVE-2019-12401] XML Bomb in Apache Solr versions prior to 5.0.0

classic Classic list List threaded Threaded
1 message Options
Reply | Threaded
Open this post in threaded view
|

[jira] [Commented] (SOLR-13750) [CVE-2019-12401] XML Bomb in Apache Solr versions prior to 5.0.0

Sebastian Nagel (Jira)

    [ https://issues.apache.org/jira/browse/SOLR-13750?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16927949#comment-16927949 ]

Tomás Fernández Löbbe commented on SOLR-13750:
----------------------------------------------

This issue was fixed by https://issues.apache.org/jira/browse/SOLR-6830.

> [CVE-2019-12401] XML Bomb in Apache Solr versions prior to 5.0.0
> ----------------------------------------------------------------
>
>                 Key: SOLR-13750
>                 URL: https://issues.apache.org/jira/browse/SOLR-13750
>             Project: Solr
>          Issue Type: Bug
>      Security Level: Public(Default Security Level. Issues are Public)
>    Affects Versions: 1.3, 1.4, 1.4.1, 3.1, 3.2, 3.3, 3.4, 3.5, 3.6, 3.6.1, 3.6.2, 4.0, 4.1, 4.2, 4.2.1, 4.3, 4.3.1, 4.4, 4.5, 4.5.1, 4.6, 4.6.1, 4.7, 4.7.1, 4.7.2, 4.8, 4.8.1, 4.9, 4.9.1, 4.10, 4.10.1, 4.10.2, 4.10.3, 4.10.4
>            Reporter: Tomás Fernández Löbbe
>            Priority: Major
>             Fix For: 5.0
>
>
> Severity: Medium
> Vendor: The Apache Software Foundation
> Versions Affected:
>  1.3.0 to 1.4.1
>  3.1.0 to 3.6.2
>  4.0.0 to 4.10.4
> Description:
>  Solr versions prior to 5.0.0 are vulnerable to an XML resource consumption attack (a.k.a. Lol Bomb) via it’s update handler.
>  By leveraging XML DOCTYPE and ENTITY type elements, the attacker can create a pattern that will expand when the server parses the XML causing OOMs.
> Mitigation:
>  * Upgrade to Apache Solr 5.0 or later.
>  * Ensure your network settings are configured so that only trusted traffic is allowed to post documents to the running Solr instances.
> Credit:
>  Matei "Mal" Badanoiu



--
This message was sent by Atlassian Jira
(v8.3.2#803003)

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]