Bug 1869167 (CVE-2020-13941)

Summary: CVE-2020-13941 solr: replication handler allows read-write operations to any location the solr user can access
Product: [Other] Security Response
Reporter: Marian Rehak <mrehak>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX
QA Contact:
Severity: high
Docs Contact:
Priority: high
Version: unspecified
CC: aboyko, aileenc, asoldano, atangrin, bbaranow, bibryam, bmaxwell, brian.stansberry, cdewolf, chazlett, darran.lofthouse, dkreling, dosoudil, drieden, eleandro, extras-orphan, ganandan, ggaughan, gmalinko, gvarsami, iweiss, janstey, jawilson, jcoleman, jochrist, jolee, jperkins, jschatte, jstastny, jwon, kconner, krathod, kwills, ldimaggi, lgao, msochure, msvehla, nwallace, pantinor, pjindal, pmackay, psotirop, puntogil, rguimara, rstancel, rsvoboda, rwagner, smaestri, tcunning, tkirby, tom.jenkinson, vhalbert
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: Solr 8.6.0
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in Solr. The Replication handler allows the commands backup, restore, and deleteBackup, which take non-validated location parameters; this may result in the exfiltration of sensitive data such as OS user hashes (NTLM/LM hashes). The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2020-08-18 21:15:35 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1869168
Bug Blocks: 1869172

Description Marian Rehak 2020-08-17 07:07:42 UTC
In Solr version 8.6.0, the Replication handler allows commands backup, restore and deleteBackup that take an unvalidated location parameter, i.e. you could read/write to any location the solr user can access. This allows launching SMB attacks, which may result in the exfiltration of sensitive data such as OS user hashes (NTLM/LM hashes). In case of misconfigured systems, SMB Relay Attacks can lead to user impersonation on SMB Shares or, in a worst-case scenario, Remote Code Execution.

Reference:

https://www.openwall.com/lists/oss-security/2020/08/15/1
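The flaw described in this report is a missing check on a user-supplied location parameter. As an added example, not code from the bug report or from the Solr project, the following Python function shows the generic mitigation for this class of bug: canonicalise the supplied path (following symlinks and collapsing `..`) and require it to fall under a configured allow-list of base directories, rejecting UNC-style and protocol-relative locations outright so the process never opens a path on a remote host. The directory layout, file names and allow-list built in `demo()` are constructed for illustration.

```python
import tempfile
from pathlib import Path


def is_allowed_location(location: str, allowed_roots) -> bool:
    """Return True only if `location` resolves to a path inside one of
    `allowed_roots` (a constructed allow-list here; a real deployment would
    load it from configuration).

    - Empty input and UNC-style or protocol-relative locations
      (\\\\host\\share, //host/share) are rejected before any filesystem call,
      because handing such a string to a file API is what makes the process
      reach out to a remote SMB host.
    - Symlinks and '..' segments are resolved before the comparison so they
      cannot be used to escape a root.
    - Relative locations are resolved against the first allowed root.
    """
    if not location or location.startswith(("\\\\", "//")):
        return False
    roots = [Path(r).resolve() for r in allowed_roots]
    if not roots:
        return False
    raw = Path(location)
    if not raw.is_absolute():
        raw = roots[0] / raw
    try:
        candidate = raw.resolve()  # follows symlinks, collapses '..'
    except (OSError, RuntimeError):
        return False
    for root in roots:
        try:
            candidate.relative_to(root)  # raises ValueError when outside root
            return True
        except ValueError:
            continue
    return False


def demo() -> dict:
    """Build a constructed directory tree in a temporary directory and
    evaluate several candidate locations against a single allowed root.
    Returns {case_name: allowed?}."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        backups = base / "var" / "solr" / "backups"   # the only allowed root
        backups.mkdir(parents=True)
        outside = base / "etc" / "shadow"              # stands in for a file outside the root
        outside.parent.mkdir()
        outside.write_text("constructed placeholder, not a real hash\n")
        # A symlink inside the root that points back out of it.
        (backups / "escape").symlink_to(base / "etc")
        roots = [backups]
        return {
            "inside": is_allowed_location(str(backups / "snapshot.1"), roots),
            "relative": is_allowed_location("nightly/snapshot.2", roots),
            "traversal": is_allowed_location(
                str(backups / ".." / ".." / ".." / "etc" / "shadow"), roots),
            "symlink": is_allowed_location(str(backups / "escape" / "shadow"), roots),
            "unc": is_allowed_location(r"\\example-host\share\snap", roots),
            "other_dir": is_allowed_location(str(outside), roots),
        }


if __name__ == "__main__":
    for case, allowed in demo().items():
        print(f"{case:10s} -> {'allowed' if allowed else 'rejected'}")
```

The check compares fully resolved paths on both sides, so the allow-list itself may contain symlinks without producing false rejections, and a location that exists only after the operation (a new backup name) is still accepted because `resolve()` is non-strict.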

Comment 1 Marian Rehak 2020-08-17 07:08:13 UTC
Created solr3 tracking bugs for this issue:

Affects: fedora-31 [bug 1869168]

Comment 9 Product Security DevOps Team 2020-08-18 21:15:35 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-13941

Comment 10 Eric Christensen 2020-08-24 15:41:22 UTC
Statement:

Red Hat JBoss Fuse 6, Red Hat Fuse 7, and Red Hat Integration Camel K using camel-solr are not directly affected by this vulnerability as the camel-solr component uses the client library solr-j and the vulnerability lies in the solr server itself. We advise customers using solr to investigate the usage of the server and ensure it is safe.