Details
- Bug
- Status: Resolved
- Blocker
- Resolution: Fixed
- 6.4
- None
Description
From: Mark Thomas <markt@apache.org>
Subject: Fwd: Apache Solr - security vulnerability (path traversal attack)
Date: 24 January 2017, 13:14:36 CET
To: private@lucene.apache.org
Cc: "security@apache.org" <security@apache.org>
Reply-To: private@lucene.apache.org
Dear Apache Lucene PMC,
The security vulnerability report has been received by the Apache
Security Team and is being passed to you for action.
Please take careful note of the following:
- This information is private and should be treated accordingly. The
issue must not be discussed on a public mailing list, it must not be
added to a public bug tracker, etc.
- The Lucene PMC is responsible for resolving this issue. The security
team is here to provide help and advice but the responsibility to do the
work lies with the Lucene PMC.
You may find the "ASF Project Security for Committers" [1] a useful
reference. This e-mail represents step three of that process. Step 4
should be completed asap.
Kind regards,
Mark
[1] http://www.apache.org/security/committers.html
-------- Forwarded Message --------
Subject: Apache Solr - security vulnerability (path traversal attack)
Date: Mon, 23 Jan 2017 11:27:19 -0800
From: Hrishikesh Gadre <gadre.solr@gmail.com>
To: security@apache.org
CC: Hrishikesh Gadre <gadre.solr@gmail.com>
Hi,
We found a path manipulation security vulnerability in Apache Solr after
running HPE Fortify static code analyzer on the Solr codebase.
Here is a brief description of this issue,
- Apache Solr provides a "replication" handler which supports operations
related to querying the state of an index as well as copying files
associated with the index.
https://cwiki.apache.org/confluence/display/solr/Index+Replication
This handler supports an HTTP API
(/replication?command=filecontent&file=<file_name>) which is vulnerable
to path traversal attack. Specifically, this API does not perform any
validation of the user specified file_name parameter. This can allow an
attacker to download any file readable to Solr server process even if
it is not related to the actual Solr index state.
https://www.owasp.org/index.php/Path_Traversal
I have verified this with the Solr version 6.3. But I believe this
vulnerability to be present for much longer (going back to v 4.10.x). I
am currently working on the fix. Please let me know the process to
submit a patch for this.
Thanks
Hrishikesh
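
Added example, not part of the original report and not code from Solr: one way to validate a user-supplied `file` parameter of the kind described above so that the resolved path cannot leave the index directory. The class name `IndexFileResolver`, its methods and the sample file names are hypothetical and constructed for illustration.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;

// Hypothetical helper for illustration; not Solr's replication handler code.
public class IndexFileResolver {
    private final Path indexDir;

    public IndexFileResolver(Path indexDir) throws IOException {
        this.indexDir = indexDir.toRealPath(); // canonical form, symlinks resolved
    }

    // Returns a path inside indexDir or throws; fileName is the untrusted "file" parameter.
    public Path resolve(String fileName) throws IOException {
        if (fileName == null || fileName.isEmpty() || fileName.indexOf('\0') >= 0) {
            throw new IllegalArgumentException("empty or malformed file name");
        }
        Path requested = Paths.get(fileName);
        if (requested.isAbsolute() || requested.getRoot() != null) {
            throw new IllegalArgumentException("absolute path not allowed");
        }
        for (Path part : requested) {
            if (part.toString().equals("..")) {
                throw new IllegalArgumentException("parent reference not allowed");
            }
        }
        Path candidate = indexDir.resolve(requested).normalize();
        // For an existing file, compare the real path so a symlink cannot lead outside.
        Path effective = Files.exists(candidate) ? candidate.toRealPath() : candidate;
        if (!effective.startsWith(indexDir)) {
            throw new IllegalArgumentException("path escapes index directory");
        }
        return effective;
    }

    public static void main(String[] args) throws IOException {
        Path dir = Files.createTempDirectory("index"); // constructed sample directory
        Files.write(dir.resolve("segments_1"), new byte[] {1});
        IndexFileResolver resolver = new IndexFileResolver(dir);
        String[] samples = {"segments_1", "../outside.txt", "sub/../../outside.txt", "/tmp/outside.txt"};
        for (String name : samples) {
            try {
                System.out.println(name + " -> " + resolver.resolve(name));
            } catch (IllegalArgumentException e) {
                System.out.println(name + " -> rejected: " + e.getMessage());
            }
        }
    }
}
```

Only `segments_1` resolves; the other three constructed names are rejected before any file is opened.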