
Security vulnerability in delegation token functionality

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 6.2, 6.3, 6.4, 6.4.1, 6.4.2, 6.5, 6.5.1, 6.6
    • Fix Version/s: 6.6.1, 7.0, master (8.0)
    • Component/s: security, SolrCloud
    • Security Level: Public (Default Security Level. Issues are Public)
    • Labels: None

      Description

      ---------- Forwarded message ----------
      From: Hrishikesh Gadre <gadre.solr@gmail.com>
      Date: Sat, Jul 22, 2017 at 3:59 AM
      Subject: Apache Solr - security vulnerability (delegation token functionality)
      To: security@apache.org

      Hi,

      We found a security vulnerability in the delegation token
      functionality in Solr. This feature was added in Solr in 6.2 release
      (SOLR-9200).

      The delegation token functionality provided by Hadoop authentication
      uses Apache curator framework to store the security related metadata.
      Solr uses /security directory to store this information.

      There are two issues with this functionality (when using a
      SecurityAwareZkACLProvider type of ACL provider, e.g.
      SaslZkACLProvider):

      1. The ACLs for the /security znode are configured as ('world', 'anyone') even
      though the implementation of SecurityAwareZkACLProvider intends to
      restrict access only to the solr super user.

      2. The znodes under the /security directory (e.g. /security/token) are
      configured just like any other configuration file (i.e. modifiable by the
      solr admin and readable by world). SecurityAwareZkACLProvider, on the
      other hand, intends to restrict access only to the solr super user.

      The possible consequences of this vulnerability are severe, e.g.
      (a) a malicious user can read the security tokens in Zookeeper and
      gain access to the Solr cluster;
      (b) a malicious user can delete the security related metadata in
      Zookeeper and disrupt operations performed by authenticated users.
      This is possible since the ('world', 'anyone') permission on the /security
      directory allows an attacker to delete the child znodes under that path.

      Please find the attached patch, which includes a unit test and the fix.
      Let me know if any additional information is required from my side.

      Thanks,
      Hrishikesh
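The report above boils down to an ACL-policy check: nothing under /security should grant any permission to the ('world', 'anyone') principal. The following audit script is an added example written for this page; it is not Solr's patch and not part of the forwarded report. It works on an ACL snapshot (a dict from znode path to the list of ACL entries that `getAcl` returns), so it runs offline against the two constructed snapshots embedded below: one mirroring the misconfiguration described in the report and one mirroring the intended policy. The child path `/security/token/example-key`, the `sasl`/`solr` identity and the `/configs/collection1` path are constructed placeholders, not values taken from the page.

```python
"""Audit a ZooKeeper ACL snapshot for world:anyone grants under /security.

Added example (not Solr's own code). The permission bits are ZooKeeper's
standard Perms values; the snapshots below are constructed for illustration.
"""
from collections import namedtuple

# ZooKeeper permission bits (org.apache.zookeeper.ZooDefs.Perms)
READ, WRITE, CREATE, DELETE, ADMIN = 1, 2, 4, 8, 16
ALL = READ | WRITE | CREATE | DELETE | ADMIN
PERM_NAMES = {READ: "read", WRITE: "write", CREATE: "create",
              DELETE: "delete", ADMIN: "admin"}

# One ACL entry as ZooKeeper exposes it: auth scheme, identity, permission mask
Acl = namedtuple("Acl", "scheme id perms")

SECURITY_ROOT = "/security"

# Constructed snapshot mirroring the report: /security is wide open, and the
# descendants are "admin-writable, world-readable" like ordinary config znodes.
VULNERABLE_SNAPSHOT = {
    "/security": [Acl("world", "anyone", ALL)],
    "/security/token": [Acl("sasl", "solr", ALL), Acl("world", "anyone", READ)],
    "/security/token/example-key": [Acl("sasl", "solr", ALL),
                                    Acl("world", "anyone", READ)],
    # Ordinary config znode: world-readable is expected here, must not be flagged
    "/configs/collection1": [Acl("sasl", "solr", ALL), Acl("world", "anyone", READ)],
}

# Constructed snapshot mirroring the intended policy: super user only.
FIXED_SNAPSHOT = {
    "/security": [Acl("sasl", "solr", ALL)],
    "/security/token": [Acl("sasl", "solr", ALL)],
    "/security/token/example-key": [Acl("sasl", "solr", ALL)],
    "/configs/collection1": [Acl("sasl", "solr", ALL), Acl("world", "anyone", READ)],
}


def perm_names(perms):
    """Decode a permission bitmask into the names ZooKeeper's CLI shows (rwcda)."""
    return [name for bit, name in PERM_NAMES.items() if perms & bit]


def is_world_anyone(acl):
    return acl.scheme == "world" and acl.id == "anyone"


def under_security(path):
    return path == SECURITY_ROOT or path.startswith(SECURITY_ROOT + "/")


def audit(snapshot):
    """Return (path, [perm names]) for every world:anyone grant under /security.

    Paths outside /security are ignored: world-readable config is normal there.
    """
    findings = []
    for path in sorted(snapshot):
        if not under_security(path):
            continue
        for acl in snapshot[path]:
            if is_world_anyone(acl) and acl.perms:
                findings.append((path, perm_names(acl.perms)))
    return findings


def risk(path, names):
    """Map a finding to the consequence the report describes."""
    if path == SECURITY_ROOT and "delete" in names:
        # DELETE on the parent is what lets anyone remove /security/* children
        return "children of /security can be deleted by anyone (consequence b)"
    if path != SECURITY_ROOT and "read" in names:
        # READ on the token znodes exposes the delegation-token material
        return "secret material under /security readable by anyone (consequence a)"
    return "unexpected world:anyone grant under /security"


if __name__ == "__main__":
    for label, snap in (("vulnerable", VULNERABLE_SNAPSHOT), ("fixed", FIXED_SNAPSHOT)):
        findings = audit(snap)
        print(f"{label}: {len(findings)} finding(s)")
        for path, names in findings:
            print(f"  {path}: world:anyone has {','.join(names)} -> {risk(path, names)}")
```

To run it against a real ensemble, replace the constructed snapshots with the output of `getAcl` for each znode under /security; the check itself stays the same, and the fixed snapshot shows the state the patch in this issue is meant to produce (only the super user identity on every /security znode).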

        Attachments

        1. unit_test_fix.patch
          9 kB
          Shalin Shekhar Mangar
        2. zk_acl_fix_6x.patch
          19 kB
          Shalin Shekhar Mangar
        3. zk_acl_fix.patch
          21 kB
          Shalin Shekhar Mangar

          Activity

            People

            • Assignee: Shalin Shekhar Mangar (shalinmangar)
            • Reporter: Shalin Shekhar Mangar (shalinmangar)
            • Votes: 0
            • Watchers: 3
