Solr / SOLR-11184

Security vulnerability in delegation token functionality

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 6.2, 6.3, 6.4, 6.4.1, 6.4.2, 6.5, 6.5.1, 6.6
    • Fix Version/s: 6.6.1, 7.0, master (8.0)
    • Component/s: security, SolrCloud
    • Security Level: Public (Default Security Level. Issues are Public)
    • Labels: None

      Description

      ---------- Forwarded message ----------
      From: Hrishikesh Gadre <gadre.solr@gmail.com>
      Date: Sat, Jul 22, 2017 at 3:59 AM
      Subject: Apache Solr - security vulnerability (delegation token functionality)
      To: security@apache.org

      Hi,

      We found a security vulnerability in the delegation token
      functionality in Solr. This feature was added to Solr in the 6.2 release
      (SOLR-9200).

      The delegation token functionality provided by Hadoop authentication
      uses the Apache Curator framework to store the security-related metadata.
      Solr uses the /security directory to store this information.

      There are two issues with this functionality (when using a
      SecurityAwareZkACLProvider type of ACL provider, e.g.
      SaslZkACLProvider):

      The ACLs for the /security znode are configured as ('world', 'anyone') even
      though the implementation of SecurityAwareZkACLProvider intends to
      restrict access only to the Solr super user.

      The znodes under /security directory (e.g. /security/token) are
      configured just like any other configuration file (i.e. modifiable by
      solr admin and readable by world). SecurityAwareZkACLProvider on the
      other hand intends to restrict access only for the solr super user.

      The possible consequences of this vulnerability are severe, e.g.
      (a) a malicious user can read the security tokens in ZooKeeper and
      gain access to the Solr cluster.
      (b) a malicious user can delete the security-related metadata in
      ZooKeeper and disrupt operations performed by authenticated users.
      This is possible since the ('world', 'anyone') permission on the /security
      directory allows an attacker to delete the child znodes under that path.

      Please find attached a patch which includes a unit test and the fix.
      Let me know if any additional information is required from my side.

      Thanks,
      Hrishikesh
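      The report above boils down to an ACL policy that can be checked mechanically: every znode at or below /security must be accessible only to the Solr super user, and world:anyone must hold no permission there at all. The following auditor is an added example, not code from SOLR-11184 or from the Solr code base. It works offline on a snapshot of znode paths mapped to ACL entries expressed as ZooKeeper's own (perms, scheme, id) triples; the super-user principal sasl:solr and the two snapshots are constructed for the example, and feeding it live data from a ZooKeeper client's getACL call (for instance kazoo's KazooClient.get_acls) is assumed rather than shown.

```python
"""Offline audit of ZooKeeper ACLs under Solr's /security subtree.

Added example, not part of SOLR-11184 or the Solr project. It encodes the
intent of SecurityAwareZkACLProvider described in the report: znodes under
/security belong to the Solr super user alone. ACL entries are plain
(perms, scheme, id) tuples; a live run would build `acls_by_path` from
ZooKeeper getACL results (assumed, not shown here).
"""
from typing import Dict, List, Tuple

# ZooKeeper permission bits (org.apache.zookeeper.ZooDefs.Perms)
READ, WRITE, CREATE, DELETE, ADMIN = 1, 2, 4, 8, 16
ALL = READ | WRITE | CREATE | DELETE | ADMIN
PERM_NAMES = [(READ, "READ"), (WRITE, "WRITE"), (CREATE, "CREATE"),
              (DELETE, "DELETE"), (ADMIN, "ADMIN")]

AclEntry = Tuple[int, str, str]  # (perms, scheme, id)


def perm_names(perms: int) -> str:
    """Render a permission bitmask as ZooKeeper's permission names."""
    names = [name for bit, name in PERM_NAMES if perms & bit]
    return ",".join(names) if names else "NONE"


def is_security_path(path: str, root: str = "/security") -> bool:
    """True for the security root itself and anything below it."""
    return path == root or path.startswith(root + "/")


def audit_security_acls(acls_by_path: Dict[str, List[AclEntry]],
                        super_user: Tuple[str, str],
                        root: str = "/security") -> List[str]:
    """Return one finding per policy violation under `root`.

    Violations: any permission granted to world:anyone, any permission
    granted to a principal other than the super user, and a super user
    that does not hold full (ALL) access on the node.
    """
    findings: List[str] = []
    for path in sorted(acls_by_path):
        if not is_security_path(path, root):
            continue  # ordinary config nodes are allowed to be world-readable
        super_perms = 0
        for perms, scheme, ident in acls_by_path[path]:
            if perms == 0:
                continue
            if scheme == "world" and ident == "anyone":
                findings.append(f"{path}: world:anyone has {perm_names(perms)}")
            elif (scheme, ident) == super_user:
                super_perms |= perms
            else:
                findings.append(f"{path}: non-super-user principal "
                                f"{scheme}:{ident} has {perm_names(perms)}")
        if super_perms != ALL:
            findings.append(f"{path}: super user {super_user[0]}:{super_user[1]} "
                            f"lacks full access (has {perm_names(super_perms)})")
    return findings


# Constructed (hypothetical) super-user principal: the SASL identity Solr runs as.
SUPER_USER = ("sasl", "solr")

# Constructed snapshot mirroring the report: /security itself is world:anyone ALL,
# and its children carry the ordinary config ACL (super user ALL, world READ).
VULNERABLE_SNAPSHOT: Dict[str, List[AclEntry]] = {
    "/configs/collection1": [(ALL, "sasl", "solr"), (READ, "world", "anyone")],
    "/security": [(ALL, "world", "anyone")],
    "/security/token": [(ALL, "sasl", "solr"), (READ, "world", "anyone")],
}

# Constructed snapshot of the intended state: super user only, all the way down.
FIXED_SNAPSHOT: Dict[str, List[AclEntry]] = {
    "/configs/collection1": [(ALL, "sasl", "solr"), (READ, "world", "anyone")],
    "/security": [(ALL, "sasl", "solr")],
    "/security/token": [(ALL, "sasl", "solr")],
}

if __name__ == "__main__":
    for label, snapshot in (("vulnerable", VULNERABLE_SNAPSHOT),
                            ("fixed", FIXED_SNAPSHOT)):
        print(f"{label}: {len(audit_security_acls(snapshot, SUPER_USER))} finding(s)")
        for finding in audit_security_acls(snapshot, SUPER_USER):
            print("  " + finding)
```

      The /configs node is deliberately left world-readable in both snapshots to show that the check is scoped to the security subtree; the vulnerable snapshot yields three findings (world:anyone ALL on /security, the super user consequently lacking access there, and world:anyone READ on /security/token), the fixed one none.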

      Attachments:
      1. zk_acl_fix.patch (21 kB, Shalin Shekhar Mangar)
      2. zk_acl_fix_6x.patch (19 kB, Shalin Shekhar Mangar)
      3. unit_test_fix.patch (9 kB, Shalin Shekhar Mangar)

        Activity

        Koji Sekiguchi added a comment -

        Shalin Shekhar Mangar, thank you very much for your work on this issue! Can we make this issue public, because the fix has been released in 6.6.1 and the public announcement has been completed, the same as you did in SOLR-10624? Someone mentioned to me that he couldn't see this issue even though the URL of this issue is announced on the Solr news site...

        Varun Thacker added a comment -

        +1 to make the announcement

        Shalin Shekhar Mangar added a comment -

        Draft security announcement:

        CVE-2017-9803: Security vulnerability in Kerberos delegation token functionality

        Severity: Important

        Vendor:
        The Apache Software Foundation

        Versions Affected:
        Solr 6.2.0 to 6.6.0

        Description:

        Solr's Kerberos plugin can be configured to use delegation tokens, which allows an application to reuse the authentication of an end-user or another application.
        There are two issues with this functionality (when using a SecurityAwareZkACLProvider type of ACL provider, e.g. SaslZkACLProvider):

        Firstly, access to the security configuration can be leaked to users other than the Solr super user. Secondly, malicious users can exploit this leaked configuration for privilege escalation to further expose/modify private data and/or disrupt operations in the Solr cluster.

        The vulnerability is fixed from Solr 6.6.1 onwards.

        Mitigation:
        6.x users should upgrade to 6.6.1

        Credit:
        This issue was discovered by Hrishikesh Gadre of Cloudera Inc.

        References:
        https://issues.apache.org/jira/browse/SOLR-11184
        https://wiki.apache.org/solr/SolrSecurity
        
        Varun Thacker added a comment -

        Resolving this issue. We still need to make the announcement.

        Shalin Shekhar Mangar added a comment -

        Updated to include 6.6.1 as fix version.

        Shalin Shekhar Mangar added a comment -

        Following commits on the 6.x line.
        branch_6x: http://git-wip-us.apache.org/repos/asf/lucene-solr/commit/065edbc5
        branch_6_6: http://git-wip-us.apache.org/repos/asf/lucene-solr/commit/4704efb1

        Shalin Shekhar Mangar added a comment -

        Patch by Hrishikesh Gadre to fix the unit test included in the original patch. This has already been applied but I had forgotten to attach it here.

        Shalin Shekhar Mangar added a comment -

        Patch by Hrishikesh Gadre for branch_6x.

        Shalin Shekhar Mangar added a comment -

        Committed.
        Master: http://git-wip-us.apache.org/repos/asf/lucene-solr/commit/b091934f
        branch_7x: http://git-wip-us.apache.org/repos/asf/lucene-solr/commit/aae78433
        branch_7_0: http://git-wip-us.apache.org/repos/asf/lucene-solr/commit/b0faa3b6

        Shalin Shekhar Mangar added a comment -

        The CVE assigned to this vulnerability is CVE-2017-9803

        Shalin Shekhar Mangar added a comment -

        Fix provided by Hrishikesh Gadre who is also the reporter of the vulnerability.


          People

          • Assignee: Shalin Shekhar Mangar
          • Reporter: Shalin Shekhar Mangar