Bug 1501529 (CVE-2017-12629)

Summary: CVE-2017-12629 Solr: Code execution via entity expansion
Product: [Other] Security Response
Reporter: Chess Hazlett <chazlett>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: urgent
Docs Contact:
Priority: urgent
Version: unspecified
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: lucene-solr 5.5.5, lucene-solr 6.6.2, lucene-solr 7.1, lucene-solr 7.2, lucene-solr 8.0
Doc Type: If docs needed, set a value
Doc Text:
It was found that Apache Lucene would accept an object from an unauthenticated user that could be manipulated through subsequent post requests. An attacker could use this flaw to assemble an object that could permit execution of arbitrary code if the server enabled Apache Solr's Config API.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2017-12-13 09:40:19 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1501838, 1501839, 1501840, 1501841, 1504621, 1504622, 1504624, 1504625, 1525800
Bug Blocks: 1501395, 1501772, 1507638, 1509818, 1527613

Description Chess Hazlett 2017-10-12 19:11:42 UTC
It was found that Apache Solr would accept an object from an unauthenticated user that could be manipulated through subsequent post requests. An attacker could use this flaw to assemble an object that could permit execution of arbitrary code on the server.

Comment 1 Kurt Seifried 2017-10-12 19:20:01 UTC
Satellite 6.2 and later do not ship lucene so are not vulnerable to this. Satellite 6.0 and 6.1 ship lucene v.4 which is not vulnerable to this issue.
SAM 1.x ships an old version of lucene (v.3) that is not vulnerable to this issue, additionally the affected class does not appear to be used.

Comment 4 Chess Hazlett 2017-10-12 20:12:34 UTC
Mitigation:

Until fixes are available, all Solr users are advised to restart their Solr instances with the system parameter `-Ddisable.configEdit=true`. This will disallow any changes to be made to configurations via the Config API. This is a key factor in this vulnerability, since it allows GET requests to add the RunExecutableListener to the config.

This is sufficient to protect from this type of attack, but means you cannot use the edit capabilities of the Config API until further fixes are in place.

Comment 9 Andrej Nemec 2017-10-13 10:17:06 UTC
Created lucene tracking bugs for this issue:

Affects: fedora-all [bug 1501838]


Created lucene3 tracking bugs for this issue:

Affects: fedora-all [bug 1501840]


Created lucene4 tracking bugs for this issue:

Affects: fedora-all [bug 1501841]


Created solr3 tracking bugs for this issue:

Affects: fedora-all [bug 1501839]

Comment 27 Chess Hazlett 2017-10-20 15:34:44 UTC
External References:

https://access.redhat.com/security/vulnerabilities/CVE-2017-12629

Comment 29 errata-xmlrpc 2017-11-06 17:46:02 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.0 security update

Via RHSA-2017:3124 https://access.redhat.com/errata/RHSA-2017:3124

Comment 30 errata-xmlrpc 2017-11-06 17:58:16 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7
  Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6

Via RHSA-2017:3123 https://access.redhat.com/errata/RHSA-2017:3123

Comment 33 errata-xmlrpc 2017-11-16 19:53:09 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Data Grid

Via RHSA-2017:3244 https://access.redhat.com/errata/RHSA-2017:3244

Comment 34 errata-xmlrpc 2017-12-12 17:43:51 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 6
  Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.3 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS

Via RHSA-2017:3451 https://access.redhat.com/errata/RHSA-2017:3451

Comment 35 errata-xmlrpc 2017-12-12 17:48:07 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 6
  Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.3 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS

Via RHSA-2017:3452 https://access.redhat.com/errata/RHSA-2017:3452

Comment 37 errata-xmlrpc 2018-01-03 10:22:29 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform

Via RHSA-2018:0003 https://access.redhat.com/errata/RHSA-2018:0003

Comment 38 errata-xmlrpc 2018-01-03 10:33:57 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6

Via RHSA-2018:0002 https://access.redhat.com/errata/RHSA-2018:0002

Comment 39 errata-xmlrpc 2018-01-03 10:36:13 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7

Via RHSA-2018:0004 https://access.redhat.com/errata/RHSA-2018:0004

Comment 40 errata-xmlrpc 2018-01-03 10:53:13 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7
  Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6

Via RHSA-2018:0005 https://access.redhat.com/errata/RHSA-2018:0005

Comment 41 errata-xmlrpc 2020-06-15 16:09:09 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform

Via RHSA-2020:2561 https://access.redhat.com/errata/RHSA-2020:2561

Comment 43 Sam Fowler 2020-10-23 07:56:09 UTC
The OCP ose-metering-presto container pulls in a version of lucene without the upstream fix, due to its dependency on Elasticsearch:

$ podman run -it --entrypoint /bin/bash --user root registry.redhat.io/openshift4/ose-metering-presto
bash-4.2# find . -name *.jar | grep lucene
./lib/lucene-analyzers-common-7.2.1.jar
./plugin/presto-elasticsearch/lucene-queries-7.0.1.jar
./plugin/presto-elasticsearch/lucene-memory-7.0.1.jar
./plugin/presto-elasticsearch/lucene-spatial3d-7.0.1.jar
./plugin/presto-elasticsearch/lucene-suggest-7.0.1.jar
./plugin/presto-elasticsearch/lucene-join-7.0.1.jar
./plugin/presto-elasticsearch/lucene-highlighter-7.0.1.jar
./plugin/presto-elasticsearch/lucene-backward-codecs-7.0.1.jar
./plugin/presto-elasticsearch/lucene-spatial-7.0.1.jar
./plugin/presto-elasticsearch/lucene-analyzers-common-7.2.1.jar
./plugin/presto-elasticsearch/lucene-queryparser-7.0.1.jar
./plugin/presto-elasticsearch/lucene-grouping-7.0.1.jar
./plugin/presto-elasticsearch/lucene-core-7.0.1.jar
./plugin/presto-elasticsearch/lucene-misc-7.0.1.jar
./plugin/presto-elasticsearch/lucene-spatial-extras-7.0.1.jar
./plugin/presto-elasticsearch/lucene-sandbox-7.0.1.jar

Similarly to Elasticsearch, the presto container is also not affected by this vulnerability.
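
An added triage helper, not from this bug or any Red Hat tooling, that applies this bug's "Fixed In Version" table to a jar listing like the one above: it separates the lucene-queryparser jar (named in the statement below as the one carrying the affected class) from modules that merely show an old Lucene line, and sets aside vendor builds such as 5.3.1.redhat-2 (Comment 45), whose backports a plain version compare cannot see. As the comment notes, a flagged jar means review, not confirmed exposure; the sample paths are constructed.

```python
"""Triage helper: flag Lucene jars below the CVE-2017-12629 fixed versions."""
import re
from pathlib import PurePosixPath

# Upstream fixed versions from this bug's "Fixed In Version" field, by major
# line: 7.1 is the first fixed 7.x release, 8.0 the first 8.x release.
FIXED = {5: (5, 5, 5), 6: (6, 6, 2), 7: (7, 1, 0), 8: (8, 0, 0)}
# Comment 44 names lucene-queryparser as the jar carrying the class behind the
# entity-expansion aspect; other modules at an old version only show an old line.
XXE_MODULE = "queryparser"
JAR_RE = re.compile(r"^lucene-(?P<module>[a-z0-9-]+?)-(?P<ver>\d+(?:\.\d+)*)"
                    r"(?P<qual>[.-][A-Za-z][\w.-]*)?\.jar$")

def parse_lucene_jar(path):
    """Return (module, (major, minor, patch), qualifier) or None if not Lucene."""
    m = JAR_RE.match(PurePosixPath(path).name)
    if not m:
        return None
    ver = tuple(int(p) for p in m.group("ver").split("."))
    return m.group("module"), (ver + (0, 0, 0))[:3], m.group("qual")  # 7.1 -> (7,1,0)

def classify(path):
    """One of: fixed, unfixed, unfixed-xxe-module, vendor-build, unknown, None."""
    parsed = parse_lucene_jar(path)
    if parsed is None:
        return None
    module, ver, qual = parsed
    if qual:                  # e.g. 5.3.1.redhat-2 carries backports: check the errata
        return "vendor-build"
    fixed = FIXED.get(ver[0])
    if fixed is None:         # 3.x/4.x predate the table; later lines include the fix
        return "unknown" if ver[0] < 5 else "fixed"
    if ver >= fixed:
        return "fixed"
    return "unfixed-xxe-module" if module == XXE_MODULE else "unfixed"

def triage(paths):
    """Map every Lucene jar path to its status; non-Lucene jars are dropped."""
    return {p: s for p in paths if (s := classify(p)) is not None}

# Constructed sample mirroring the presto listing above, not a real scan.
SAMPLE = [
    "./lib/lucene-analyzers-common-7.2.1.jar",
    "./plugin/presto-elasticsearch/lucene-core-7.0.1.jar",
    "./plugin/presto-elasticsearch/lucene-queryparser-7.0.1.jar",
    "./lib/jackson-databind-2.9.0.jar",
]

if __name__ == "__main__":
    for path, status in triage(SAMPLE).items():
        print(f"{status:>18}  {path}")
```

Feed it the output of a properly quoted `find <dir> -name '*.jar'` to triage a whole container image; "vendor-build" and "unknown" entries are the ones to resolve against the errata links in this bug rather than by version number.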

Comment 44 Sam Fowler 2020-10-23 07:56:21 UTC
Statement:

The following products are not affected by this flaw, as they do not use the vulnerable functionality of either aspect of the issue.
Red Hat JBoss Enterprise Application Platform 6
Red Hat JBoss BPM Suite
Red Hat JBoss BRMS
Red Hat Enterprise Virtualization Manager
Red Hat Single Sign-On 7
Red Hat JBoss Portal Platform 6

Red Hat JBoss Enterprise Application Platform 7 is not affected by this flaw. However, it does ship the vulnerable Lucene class in a dependency to another component. Customers who reuse the lucene-queryparser jar in their applications may be vulnerable to the External Entity Expansion aspect of this flaw. This will be patched in a forthcoming release.

Red Hat JBoss Fuse is not affected by this flaw, as it does not use the vulnerable functionality of either aspect of this flaw. Fuse customers who may be running external Solr servers, while not affected from the Fuse side, are advised to secure their Solr servers as recommended in the mitigation provided.

The following products ship only the Lucene components relevant to this flaw, and are not vulnerable to the second portion of the vulnerability, the code execution exploit. As such, the impact of this flaw has been determined to be Moderate for these respective products:
Red Hat JBoss Data Grid 7 
Red Hat Enterprise Linux 6
Red Hat Software Collections 2.4

This issue did not affect the versions of lucene as shipped with Red Hat Enterprise Linux 5.

This issue does not affect Elasticsearch as shipped in OpenShift Container Platform.

Comment 45 Ted Jongseok Won 2020-11-10 04:20:17 UTC
Downstream fixed version: https://maven.repository.redhat.com/ga/org/apache/lucene/lucene-queryparser/5.3.1.redhat-2/

Comment 48 errata-xmlrpc 2023-03-20 09:13:09 UTC
This issue has been addressed in the following products:

  Red Hat Process Automation

Via RHSA-2023:1334 https://access.redhat.com/errata/RHSA-2023:1334