1035062 – (CVE-2013-6397) CVE-2013-6397 Apache Solr: directory traversal when loading XSL stylesheets and Velocity templates

Bug 1035062 (CVE-2013-6397) - CVE-2013-6397 Apache Solr: directory traversal when loading XSL stylesheets and Velocity templates

Summary: CVE-2013-6397 Apache Solr: directory traversal when loading XSL stylesheets a...

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2013-6397
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	1035988 1035989 1038297 1043748
Blocks:	991853 1035063
TreeView+	depends on / blocked

Reported:	2013-11-27 01:08 UTC by David Jorm
Modified:	2021-02-17 07:08 UTC (History)
CC List:	7 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2014-01-15 18:24:04 UTC
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2013:1844	0	normal	SHIPPED_LIVE	Important: Red Hat JBoss Web Framework Kit 2.4.0 update	2013-12-16 23:21:40 UTC
Red Hat Product Errata	RHSA-2014:0029	0	normal	SHIPPED_LIVE	Important: Red Hat JBoss Data Grid 6.2.0 update	2014-01-15 22:45:50 UTC

Description David Jorm 2013-11-27 01:08:12 UTC

It was found that the SolrResourceLoader class in Apache Solr allowed loading of resources via absolute paths, or relative paths which were not sanitized for directory traversal. Some Solr components expose REST interfaces which load resources (XSL stylesheets and Velocity templates) via SolrResourceLoader, using paths identified by REST parameters. A remote attacker could use this flaw to load arbitrary local files on the server via SolrResourceLoader, potentially resulting in information disclosure or remote code execution.

Comment 1 David Jorm 2013-11-28 23:04:24 UTC

External References:

http://www.agarri.fr/kom/archives/2013/11/27/compromising_an_unreachable_solr_server_with_cve-2013-6397/index.html

Comment 2 David Jorm 2013-11-29 01:31:13 UTC

Upstream Bugs:

https://issues.apache.org/jira/browse/SOLR-4882
https://issues.apache.org/jira/browse/SOLR-5520

Upstream Patches:

https://issues.apache.org/jira/secure/attachment/12604396/SOLR-4882.patch
https://issues.apache.org/jira/secure/attachment/12618097/CVE-fixes-Solr36.patch

Comment 10 errata-xmlrpc 2013-12-16 18:23:16 UTC

This issue has been addressed in following products:

  Red Hat JBoss Web Framework Kit 2.4.0

Via RHSA-2013:1844 https://rhn.redhat.com/errata/RHSA-2013-1844.html

Comment 11 errata-xmlrpc 2014-01-15 17:46:48 UTC

This issue has been addressed in following products:

  Red Hat JBoss Data Grid 6.2.0

Via RHSA-2014:0029 https://rhn.redhat.com/errata/RHSA-2014-0029.html

Note You need to log in before you can comment on or make changes to this bug.