Bug 1493507 (CVE-2017-9803)

Summary: CVE-2017-9803 solr: Kerberos delegation token functionality allows to re-use authentication
Product: [Other] Security Response
Reporter: Andrej Nemec <anemec>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG
QA Contact:
Severity: high
Docs Contact:
Priority: high
Version: unspecified
CC: aileenc, apintea, bkundal, bmaxwell, cdewolf, chazlett, csutherl, darran.lofthouse, dimitris, dosoudil, felias, fgavrilo, gvarsami, hchiorea, jawilson, jcoleman, jolee, jondruse, jshepherd, kconner, ldimaggi, lgao, mgoldman, myarboro, nwallace, pavelp, pgier, pjurak, ppalaga, psakar, pslavice, puntogil, rnetuka, rstancel, rsvoboda, rwagner, sstavrev, tcunning, tkirby, twalsh, vhalbert, vtunka
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: solr 6.6.1
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2017-09-20 11:34:44 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Andrej Nemec 2017-09-20 11:33:18 UTC
Solr's Kerberos plugin can be configured to use delegation tokens, which allows an application to reuse the authentication of an end-user or another application. There are two issues with this functionality (when using a SecurityAwareZkACLProvider-type ACL provider, e.g. SaslZkACLProvider).

Firstly, access to the security configuration can be leaked to users other than the solr super user. Secondly, malicious users can exploit this leaked configuration for privilege escalation to further expose/modify private data and/or disrupt operations in the Solr cluster.

References:

https://wiki.apache.org/solr/SolrSecurity
http://mail-archives.us.apache.org/mod_mbox/www-announce/201709.mbox/%3CCAOOKt53AOScg04zUh0%2BR_fcXD0C9s5mQ-OzdgYdnHz49u1KmXw@mail.gmail.com%3E

Comment 1 Andrej Nemec 2017-09-20 11:35:04 UTC
Statement:

This issue did not affect the versions of Apache Solr as shipped in Red Hat products.