Solr / SOLR-10624

Security Vulnerability in secure inter-node communication in Apache Solr

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Critical
    • Resolution: Fixed
    • Affects Version/s: 5.3, 5.5.4, 6.5, 6.5.1
    • Fix Version/s: 5.5.5, 6.6, 7.0
    • Component/s: security, SolrCloud
    • Security Level: Public (Default Security Level. Issues are Public)
    • Labels:
      None

      Description

      Solr uses a PKI-based mechanism to secure inter-node communication
      when security is enabled. It is possible to fake it by cleverly
      constructing a node name that does not exist and pointing to the
      attacker's machine. This means the system is only as secure as an
      unprotected Solr while the user believes it is secure.

      Who is affected?

      This feature was introduced in SOLR-7849 (Solr 5.3). So, every release
      after 5.3 is vulnerable if they use this feature. Systems using
      BasicAuth are affected and any custom authentication implementations
      using this feature may also be vulnerable. However, Kerberos users are
      unaffected.

      What is the fix?
      The fix includes checking if the node name is actually a member of the
      live_nodes set.
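
The live_nodes membership check described above, sketched as an added Java example (not code from the Solr project or its patch). The class and method names, the sample node names, and the use of a plain RSA signature in place of Solr's actual header format are assumptions for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.*;
import java.util.function.Function;
// Simplified model of a receiving node. All names here are hypothetical, not Solr's classes.
public class InterNodeAuthCheck {
    private final Set<String> liveNodes;                   // stand-in for the cluster's live_nodes set
    private final Function<String, PublicKey> keyFetcher;  // fetches a key from the host a node name maps to
    private final Map<String, PublicKey> keyCache = new HashMap<>();

    InterNodeAuthCheck(Set<String> liveNodes, Function<String, PublicKey> keyFetcher) {
        this.liveNodes = liveNodes;
        this.keyFetcher = keyFetcher;
    }

    boolean verify(String nodeName, byte[] payload, byte[] sig) throws GeneralSecurityException {
        // The fix: a name that is not a live cluster member is rejected before any key
        // is fetched, so the sender cannot choose which host supplies the "trusted" key.
        if (!liveNodes.contains(nodeName)) {
            keyCache.remove(nodeName);  // drop keys of nodes that have left the cluster
            return false;
        }
        PublicKey key = keyCache.computeIfAbsent(nodeName, keyFetcher);
        if (key == null) return false;  // member is known but its key could not be fetched
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initVerify(key);
        s.update(payload);
        return s.verify(sig);
    }

    static byte[] sign(KeyPair kp, byte[] data) throws GeneralSecurityException {
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initSign(kp.getPrivate());
        s.update(data);
        return s.sign();
    }
    public static void main(String[] args) throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair member = gen.generateKeyPair(), outsider = gen.generateKeyPair();
        // Constructed sample data: each host serves its own public key when asked.
        String live = "10.0.0.1:8983_solr", unknown = "203.0.113.9:8983_solr";
        Map<String, PublicKey> served = Map.of(live, member.getPublic(), unknown, outsider.getPublic());
        InterNodeAuthCheck check = new InterNodeAuthCheck(Set.of(live), served::get);
        byte[] payload = "internal-request".getBytes(StandardCharsets.UTF_8);
        System.out.println("live member:    " + check.verify(live, payload, sign(member, payload)));
        System.out.println("not in cluster: " + check.verify(unknown, payload, sign(outsider, payload)));
    }
}
```

Without the membership check, the second call would verify, because the key is fetched from whatever host the supplied name maps to.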

        Activity

        shalinmangar Shalin Shekhar Mangar added a comment -

        Making the issue public since the fix has been released in 6.6 and the public announcement completed.

        shalinmangar Shalin Shekhar Mangar added a comment -

        Yes, I'm waiting on Noble to review the announcement text. I've pinged him offline to get his attention.

        janhoy Jan Høydahl added a comment -

        Then the next steps are to announce the fix and make this JIRA public?

        shalinmangar Shalin Shekhar Mangar added a comment -

        Yes, this is released in 6.6.0.

        I backported the commit to branch_5x and branch_5_5:
        branch_5x: http://git-wip-us.apache.org/repos/asf/lucene-solr/commit/9f91c619
        branch_5_5: http://git-wip-us.apache.org/repos/asf/lucene-solr/commit/2f5ecbcf

        janhoy Jan Høydahl added a comment -

        Is this released in 6.6.0?

        shalinmangar Shalin Shekhar Mangar added a comment -

        This vulnerability is assigned CVE-2017-7660 by Mark Cox

        shalinmangar Shalin Shekhar Mangar added a comment -

        According to Noble, he has already committed and verified the fix to master and branch_6x before he reported the vulnerability without any indication in the git commit message that the commit relates to a security issue.

        master: http://git-wip-us.apache.org/repos/asf/lucene-solr/commit/e912b7cb
        branch_6x: http://git-wip-us.apache.org/repos/asf/lucene-solr/commit/e3b0cfff


          People

          • Assignee:
            noble.paul Noble Paul
            Reporter:
            shalinmangar Shalin Shekhar Mangar