Uploaded image for project: 'Solr'
  1. Solr
  2. SOLR-17418

ConfigSets created during a backup Restore command are trusted implicitly

Log workAgile BoardRank to TopRank to BottomAttach filesAttach ScreenshotBulk Copy AttachmentsBulk Move AttachmentsVotersWatch issueWatchersCreate sub-taskConvert to sub-taskLinkCloneLabelsUpdate Comment AuthorReplace String in CommentUpdate Comment VisibilityDelete Comments
    XMLWordPrintableJSON

Details

    • Bug
    • Status: Closed
    • Blocker
    • Resolution: Fixed
    • None
    • 8.11.3, 9.7
    • Backup/Restore
    • None

    Description

      ConfigSets that are created via a Restore command, which basically copy a configSet from the backup and give it a new name, are created without setting the "trusted" metadata. And configSets that do not contain the flag are trusted implicitly if the metadata is missing.

      This can lead to an RCE if a user constructs their configSet cleverly.

      This is the copied from liuhuajin's security report reproducing instructions:

      The following four API need to be known for this vulnerability:

      1.Upload API : http://127.0.0.1:8983/solr/admin/configs?action=UPLOAD&name=conf1

      2.Create Collection API http://127.0.0.1:8983/solr/admin/collections?action=CREATE&name=conf4&numShards=1&replicationFactor=1&wt=json&collection.configName=conf4

      3.BACKUP API: http://127.0.0.1:8983/solr/admin/collections?action=BACKUP&collection=conf4&location=solrhome&name=conf4

      4.RESTORE Backup API: http://127.0.0.1:8983/solr/admin/collections?action=RESTORE&collection=fy3&location=solrhome\server\solr\conf4\conf4\zk_backup_0\configs&name= conf4&collection.configName=noExist
      Step one:

      I uploaded the malicious zip via the first API. The malicious zip contains a normal configuration set and backed up data.

      The key files are as follows:

      /solrconfig.xml --(Normal solrconfig.xml)

      /conf4/zk_backup_0/configs/conf4/solrconfig.xml (malicious solrconfig.xml)

      Attachments

        1. SOLR-17418-3.patch
          41 kB
          Houston Putman
        2. SOLR-17418-2.patch
          42 kB
          Houston Putman
        3. SOLR-17418-1.patch
          58 kB
          Houston Putman
        4. SOLR-17418.patch
          27 kB
          Houston Putman

        Activity

          This comment will be Viewable by All Users Viewable by All Users
          Cancel

          People

            houston Houston Putman Assign to me
            houston Houston Putman
            Votes:
            0 Vote for this issue
            Watchers:
            3 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved:

              Slack

                Issue deployment