Bug 1789509 (CVE-2019-17558) - CVE-2019-17558 solr: Remote Code Execution through the VelocityResponseWriter
Summary: CVE-2019-17558 solr: Remote Code Execution through the VelocityResponseWriter
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2019-17558
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1789510
Blocks: 1789511
TreeView+ depends on / blocked
 
Reported: 2020-01-09 18:05 UTC by Pedro Sampaio
Modified: 2020-01-17 18:36 UTC (History)
46 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-01-14 20:09:27 UTC


Attachments (Terms of Use)

Description Pedro Sampaio 2020-01-09 18:05:26 UTC
Apache Solr 5.0.0 to Apache Solr 8.3.1 are vulnerable to a Remote Code Execution through the VelocityResponseWriter. A Velocity template can be provided through Velocity templates in a configset `velocity/` directory or as a parameter. A user defined configset could contain renderable, potentially malicious, templates. Parameter provided templates are disabled by default, but can be enabled by setting `params.resource.loader.enabled` by defining a response writer with that setting set to `true`. Defining a response writer requires configuration API access. Solr 8.4 removed the params resource loader entirely, and only enables the configset-provided template rendering when the configset is `trusted` (has been uploaded by an authenticated user).

Upstream issue:

https://issues.apache.org/jira/browse/SOLR-13971
https://issues.apache.org/jira/browse/SOLR-14025

Comment 1 Pedro Sampaio 2020-01-09 18:06:39 UTC
Created solr3 tracking bugs for this issue:

Affects: fedora-all [bug 1789510]

Comment 5 Product Security DevOps Team 2020-01-14 20:09:27 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-17558


Note You need to log in before you can comment on or make changes to this bug.