Bug 1707547 (CVE-2018-11802)

Summary: CVE-2018-11802 solr: Information disclosure via Rule-base Authorization plugin
Product: [Other] Security Response Reporter: Pedro Sampaio <psampaio>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: aileenc, bmaxwell, bmcclain, cdewolf, chazlett, csutherl, darran.lofthouse, dblechte, dfediuck, dosoudil, drieden, eedri, fgavrilo, gvarsami, janstey, jawilson, jcoleman, jochrist, jolee, jondruse, jschatte, jstastny, kconner, ldimaggi, lgao, mgoldboi, michal.skrivanek, nwallace, pgier, ppalaga, psakar, pslavice, puntogil, rnetuka, rstancel, rsvoboda, rwagner, sbonazzo, sherold, tcunning, tkirby, tom.jenkinson, twalsh, vhalbert, vtunka, yturgema
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2019-08-27 13:07:18 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1707548    
Bug Blocks: 1707549    

Description Pedro Sampaio 2019-05-07 18:38:22 UTC 
In apache Solr the cluster can be partitioned into multiple
collections and only a subset of nodes actually host any given
collection. However, if a node receives a request for a collection it
does not host, it proxies the request to a relevant node and serves
the request. Solr bypasses all authorization settings for such
requests. This affects all Solr versions that uses the default
authorization mechanism of Solr (RuleBasedAuthorizationPlugin)

Upstream bug:

https://issues.apache.org/jira/browse/SOLR-12514

References:

https://www.openwall.com/lists/oss-security/2019/04/24/1
Comment 1 Pedro Sampaio 2019-05-07 18:38:36 UTC 
Created solr3 tracking bugs for this issue:

Affects: fedora-all [bug 1707548]
Comment 2 Joshua Padman 2019-05-15 23:07:03 UTC 
This vulnerability is out of security support scope for the following products:
 * Red Hat JBoss Fuse 6
 * Red Hat JBoss Fuse Service Works 6
 * Red Hat Enterprise Application Platform 6
 * Red Hat JBoss Data Virtualization & Services 6
 * Red Hat JBoss Data Grid 6

Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.
Comment 3 Joshua Padman 2019-08-12 01:03:41 UTC 
This vulnerability is out of security support scope for the following products:
 * JBoss Developer Studio 11

Please refer to https://access.redhat.com/node/4027141 for more details.
Comment 4 Joshua Padman 2019-08-27 11:55:12 UTC 
Statement:

Red Hat Fuse 7 includes camel-solr to allow interfacing with Apache Lucene Solr clusters. This is only a client interface and is not affected by this vulnerability.
Comment 5 Product Security DevOps Team 2019-08-27 13:07:18 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2018-11802