2263577 – (CVE-2023-50291) CVE-2023-50291 solr: system property redaction logic inconsistency can lead to leaked passwords

Bug 2263577 (CVE-2023-50291) - CVE-2023-50291 solr: system property redaction logic inconsistency can lead to leaked passwords

Summary: CVE-2023-50291 solr: system property redaction logic inconsistency can lead t...

Keywords:
Status:	NEW
Alias:	CVE-2023-50291
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	2263574
TreeView+	depends on / blocked

Reported:	2024-02-09 22:00 UTC by Robb Gatica
Modified:	2024-04-09 18:02 UTC (History)
CC List:	29 users (show)
Fixed In Version:	solr 9.3.0, solr 8.11.3
Doc Type:	If docs needed, set a value
Doc Text:	A flaw was found in Apache Solr. The /admin/info/properties endpoint, which publishes the Solr process' Java system properties, is only setup to hide system properties that have "password" contained in the name. There are a number of sensitive system properties, such as "basicauth" and "aws.secretKey", that do not contain "password"; therefore, their values can be published via the vulnerable endpoint. This endpoint populates the list of System Properties on the home screen of the Solr Admin page, making the exposed credentials visible in the UI.
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description Robb Gatica 2024-02-09 22:00:47 UTC

Insufficiently Protected Credentials vulnerability in Apache Solr.

This issue affects Apache Solr: from 6.0.0 through 8.11.2, from 9.0.0 before 9.3.0. One of the two endpoints that publishes the Solr process' Java system properties, /admin/info/properties, was only setup to hide system properties that had "password" contained in the name.

There are a number of sensitive system properties, such as "basicauth" and "aws.secretKey" do not contain "password", thus their values were published via the "/admin/info/properties" endpoint. This endpoint populates the list of System Properties on the home screen of the Solr Admin page, making the exposed credentials visible in the UI.

This /admin/info/properties endpoint is protected under the "config-read" permission. Therefore, Solr Clouds with Authorization enabled will only be vulnerable through logged-in users that have the "config-read" permission. Users are recommended to upgrade to version 9.3.0 or 8.11.3, which fixes the issue. A single option now controls hiding Java system property for all endpoints, "-Dsolr.hiddenSysProps". By default all known sensitive properties are hidden (including "-Dbasicauth"), as well as any property with a name containing "secret" or "password".

Users who cannot upgrade can also use the following Java system property to fix the issue:
'-Dsolr.redaction.system.pattern=.*(password|secret|basicauth).*'

References:
http://www.openwall.com/lists/oss-security/2024/02/09/4
https://solr.apache.org/security.html#cve-2023-50291-apache-solr-can-leak-certain-passwords-due-to-system-property-redaction-logic-inconsistencies

Note You need to log in before you can comment on or make changes to this bug.

aileenc
asoldano
bbaranow
bmaxwell
brian.stansberry
cdewolf
chazlett
cmiranda
darran.lofthouse
dkreling
dosoudil
fjuma
gmalinko
ivassile
iweiss
janstey
lgao
mosmerov
msochure
mstefank
msvehla
nwallace
pcongius
pdelbell
pjindal
pmackay
rstancel
smaestri
tom.jenkinson