2263579 – (CVE-2023-50292) CVE-2023-50292 Apache Solr: Schema Designer trusts all configsets, possibly leading to RCE by unauthenticated users

Bug 2263579 (CVE-2023-50292) - CVE-2023-50292 Apache Solr: Schema Designer trusts all configsets, possibly leading to RCE by unauthenticated users

Summary: CVE-2023-50292 Apache Solr: Schema Designer trusts all configsets, possibly l...

Keywords:
Status:	NEW
Alias:	CVE-2023-50292
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	2263574
TreeView+	depends on / blocked

Reported:	2024-02-09 22:06 UTC by Robb Gatica
Modified:	2024-04-09 18:25 UTC (History)
CC List:	29 users (show)
Fixed In Version:	solr 9.3.0
Doc Type:	If docs needed, set a value
Doc Text:	A flaw was found in Apache Solr. The Schema Designer was introduced to allow users to more easily configure and test new Schemas and configSets. However, it may load untrusted configSets, which can allow an unauthenticated user to load external libraries when used in the Schema Designer. This issue may allow an attacker to perform remote code execution on the affected system.
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description Robb Gatica 2024-02-09 22:06:53 UTC

Incorrect Permission Assignment for Critical Resource, Improper Control of Dynamically-Managed Code Resources vulnerability in Apache Solr.

This issue affects Apache Solr: from 8.10.0 through 8.11.2, from 9.0.0 before 9.3.0.

The Schema Designer was introduced to allow users to more easily configure and test new Schemas and configSets. However, when the feature was created, the "trust" (authentication) of these configSets was not considered. External library loading is only available to configSets that are "trusted" (created by authenticated users), thus non-authenticated users are unable to perform Remote Code Execution. Since the Schema Designer loaded configSets without taking their "trust" into account, configSets that were created by unauthenticated users were allowed to load external libraries when used in the Schema Designer.

Users are recommended to upgrade to version 9.3.0, which fixes the issue.

References:
http://www.openwall.com/lists/oss-security/2024/02/09/3
https://solr.apache.org/security.html#cve-2023-50298-apache-solr-can-expose-zookeeper-credentials-via-streaming-expressions

Note You need to log in before you can comment on or make changes to this bug.

aileenc
asoldano
bbaranow
bmaxwell
brian.stansberry
cdewolf
chazlett
cmiranda
darran.lofthouse
dkreling
dosoudil
fjuma
gmalinko
ivassile
iweiss
janstey
lgao
mosmerov
msochure
mstefank
msvehla
nwallace
pcongius
pdelbell
pjindal
pmackay
rstancel
smaestri
tom.jenkinson