Bug 1501529 - (CVE-2017-12629) CVE-2017-12629 Solr: Code execution via entity expansion
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: urgent
Severity: urgent
Assigned To: Red Hat Product Security
Whiteboard: impact=critical,public=20171012,repor...
Keywords: Security
Depends On: 1501839 1501840 1501838 1501841 1504621 1504622 1504624 1504625 1525800
Blocks: 1501395 1501772 1507638 1509818 1527613
Reported: 2017-10-12 15:11 EDT by Chess Hazlett
Modified: 2018-02-12 03:51 EST (History)
Doc Text:
It was found that Apache Lucene would accept an object from an unauthenticated user that could be manipulated through subsequent POST requests. An attacker could use this flaw to assemble an object that could permit execution of arbitrary code if the server enabled Apache Solr's Config API.
Last Closed: 2017-12-13 04:40:19 EST

External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2017:3123 normal SHIPPED_LIVE Moderate: Red Hat JBoss Enterprise Application Platform security update 2017-11-06 19:17:54 EST
Red Hat Product Errata RHSA-2017:3124 normal SHIPPED_LIVE Moderate: Red Hat JBoss Enterprise Application Platform 7.0 security update 2017-11-06 19:19:02 EST
Red Hat Product Errata RHSA-2017:3244 normal SHIPPED_LIVE Important: Red Hat JBoss Data Grid 7.1.1 security update 2017-11-16 19:52:09 EST
Red Hat Product Errata RHSA-2017:3451 normal SHIPPED_LIVE Moderate: rh-java-common-lucene security update 2017-12-12 17:40:20 EST
Red Hat Product Errata RHSA-2017:3452 normal SHIPPED_LIVE Moderate: rh-java-common-lucene5 security update 2017-12-12 17:47:02 EST
Red Hat Product Errata RHSA-2018:0002 normal SHIPPED_LIVE Important: Red Hat JBoss Enterprise Application Platform 7.0.9 security update on RHEL 6 2018-01-03 10:30:20 EST
Red Hat Product Errata RHSA-2018:0003 normal SHIPPED_LIVE Important: Red Hat JBoss Enterprise Application Platform 7.0.9 security update 2018-01-03 10:20:33 EST
Red Hat Product Errata RHSA-2018:0004 normal SHIPPED_LIVE Important: Red Hat JBoss Enterprise Application Platform 7.0.9 security update on RHEL 7 2018-01-03 10:31:14 EST
Red Hat Product Errata RHSA-2018:0005 normal SHIPPED_LIVE Important: eap7-jboss-ec2-eap security update 2018-01-03 10:49:39 EST

Description Chess Hazlett 2017-10-12 15:11:42 EDT
It was found that Apache Solr would accept an object from an unauthenticated user that could be manipulated through subsequent POST requests. An attacker could use this flaw to assemble an object that could permit execution of arbitrary code on the server.
Comment 1 Kurt Seifried 2017-10-12 15:20:01 EDT
Satellite 6.2 and later do not ship lucene so are not vulnerable to this. Satellite 6.0 and 6.1 ship lucene v.4 which is not vulnerable to this issue.
SAM 1.x ships an old version of lucene (v.3) that is not vulnerable to this issue; additionally, the affected class does not appear to be used.
Comment 4 Chess Hazlett 2017-10-12 16:12:34 EDT
Mitigation:

Until fixes are available, all Solr users are advised to restart their Solr instances with the system parameter `-Ddisable.configEdit=true`. This will disallow any changes to be made to configurations via the Config API. This is a key factor in this vulnerability, since it allows GET requests to add the RunExecutableListener to the config.

This is sufficient to protect from this type of attack, but means you cannot use the edit capabilities of the Config API until further fixes are in place.
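A defender-side check for the mitigation in Comment 4, added here as an example that is not part of the bug report or of Solr itself: it verifies that a JVM command line carries `-Ddisable.configEdit=true` and flags request-log lines that reach the Config API while naming RunExecutableListener. The `/solr/<core>/config` path shape is an assumption and the sample log lines are constructed.

```shell
#!/bin/sh
# Added example, not from the bug report or from Solr: a defender-side check
# for the Comment 4 mitigation. The string helpers are pure so they run
# offline; check_running_java applies the first of them to live JVMs.

# Return 0 when a JVM command line carries the mitigation flag exactly as the
# comment gives it (-Ddisable.configEdit=true), 1 otherwise.
has_config_edit_disabled() {
    case " $1 " in
        *" -Ddisable.configEdit=true "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Return 0 when a request-log line records a Config API request that names
# RunExecutableListener, the edit the comment says the flag blocks. The path
# shape /solr/<core>/config is an assumption; the match is deliberately loose.
is_listener_config_edit() {
    case "$1" in
        *"/config"*"RunExecutableListener"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Count matching lines read from stdin (pipe a Solr/Jetty request log in).
count_listener_edits() {
    n=0
    while IFS= read -r line; do
        is_listener_config_edit "$line" && n=$((n + 1))
    done
    echo "$n"
}

# Linux only: walk /proc and report each Solr-looking JVM lacking the flag.
# Returns 0 when every such JVM has it, 1 when any is missing it.
check_running_java() {
    missing=0
    for f in /proc/[0-9]*/cmdline; do
        args=$(tr '\0' ' ' < "$f" 2>/dev/null) || continue
        case "$args" in *java*[sS]olr*) ;; *) continue ;; esac
        if has_config_edit_disabled "$args"; then echo "ok: ${f%/cmdline}"
        else echo "MISSING flag: ${f%/cmdline}: $args"; missing=1; fi
    done
    return "$missing"
}

# Constructed sample log lines (not captured traffic); payload details elided.
SAMPLE_EDIT='10.0.0.5 - - [12/Oct/2017:15:11:42 +0000] "GET /solr/core1/config?[elided]RunExecutableListener[elided] HTTP/1.1" 200 12'
SAMPLE_OK='10.0.0.5 - - [12/Oct/2017:15:11:43 +0000] "GET /solr/core1/select?q=*:* HTTP/1.1" 200 512'

if [ "${1:-}" = "--live" ]; then check_running_java; fi
```

Run with `--live` on the Solr host to audit running JVMs, or pipe a request log into `count_listener_edits` to count Config API edits that name the listener.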
Comment 9 Andrej Nemec 2017-10-13 06:17:06 EDT
Created lucene tracking bugs for this issue:

Affects: fedora-all [bug 1501838]


Created lucene3 tracking bugs for this issue:

Affects: fedora-all [bug 1501840]


Created lucene4 tracking bugs for this issue:

Affects: fedora-all [bug 1501841]


Created solr3 tracking bugs for this issue:

Affects: fedora-all [bug 1501839]
Comment 18 Chess Hazlett 2017-10-16 12:06:26 EDT
Statement:

The following products are not affected by this flaw, as they do not use the vulnerable functionality of either aspect of the issue.
Red Hat JBoss Enterprise Application Platform 6
Red Hat JBoss BPM Suite
Red Hat JBoss BRMS
Red Hat Enterprise Virtualization Manager
Red Hat Single Sign-On 7
Red Hat JBoss Portal Platform 6

Red Hat JBoss Enterprise Application Platform 7 is not affected by this flaw. However, it does ship the vulnerable Lucene class in a dependency to another component. Customers who reuse the lucene-queryparser jar in their applications may be vulnerable to the External Entity Expansion aspect of this flaw. This will be patched in a forthcoming release.

Red Hat JBoss Fuse is not affected by this flaw, as it does not use the vulnerable functionality of either aspect of this flaw. Fuse customers who may be running external Solr servers, while not affected from the Fuse side, are advised to secure their Solr servers as recommended in the mitigation provided.

The following products ship only the Lucene components relevant to this flaw, and are not vulnerable to the second portion of the vulnerability, the code execution exploit. As such, the impact of this flaw has been determined to be Moderate for these respective products:
Red Hat JBoss Data Grid 7 
Red Hat Enterprise Linux 6
Red Hat Software Collections 2.4

This issue did not affect the versions of lucene as shipped with Red Hat Enterprise Linux 5.
Comment 27 Chess Hazlett 2017-10-20 11:34:44 EDT
External References:

https://access.redhat.com/security/vulnerabilities/CVE-2017-12629
Comment 29 errata-xmlrpc 2017-11-06 12:46:02 EST
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.0 security update

Via RHSA-2017:3124 https://access.redhat.com/errata/RHSA-2017:3124
Comment 30 errata-xmlrpc 2017-11-06 12:58:16 EST
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7
  Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6

Via RHSA-2017:3123 https://access.redhat.com/errata/RHSA-2017:3123
Comment 33 errata-xmlrpc 2017-11-16 14:53:09 EST
This issue has been addressed in the following products:

  Red Hat JBoss Data Grid

Via RHSA-2017:3244 https://access.redhat.com/errata/RHSA-2017:3244
Comment 34 errata-xmlrpc 2017-12-12 12:43:51 EST
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 6
  Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.3 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS

Via RHSA-2017:3451 https://access.redhat.com/errata/RHSA-2017:3451
Comment 35 errata-xmlrpc 2017-12-12 12:48:07 EST
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 6
  Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.3 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS

Via RHSA-2017:3452 https://access.redhat.com/errata/RHSA-2017:3452
Comment 37 errata-xmlrpc 2018-01-03 05:22:29 EST
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform

Via RHSA-2018:0003 https://access.redhat.com/errata/RHSA-2018:0003
Comment 38 errata-xmlrpc 2018-01-03 05:33:57 EST
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6

Via RHSA-2018:0002 https://access.redhat.com/errata/RHSA-2018:0002
Comment 39 errata-xmlrpc 2018-01-03 05:36:13 EST
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7

Via RHSA-2018:0004 https://access.redhat.com/errata/RHSA-2018:0004
Comment 40 errata-xmlrpc 2018-01-03 05:53:13 EST
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7
  Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6

Via RHSA-2018:0005 https://access.redhat.com/errata/RHSA-2018:0005