SOLR-11184: Security vulnerability in delegation token functionality



    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 6.2, 6.3, 6.4, 6.4.1, 6.4.2, 6.5, 6.5.1, 6.6
    • Fix Version/s: 6.6.1, 7.0, 8.0
    • Component/s: security, SolrCloud


      ---------- Forwarded message ----------
      From: Hrishikesh Gadre <gadre.solr@gmail.com>
      Date: Sat, Jul 22, 2017 at 3:59 AM
      Subject: Apache Solr - security vulnerability (delegation token functionality)
      To: security@apache.org


      We found a security vulnerability in the delegation token
      functionality in Solr. This feature was added in the Solr 6.2 release.

      The delegation token functionality provided by Hadoop authentication
      uses Apache curator framework to store the security related metadata.
      Solr uses /security directory to store this information.

      There are two issues with this functionality (when using
      SecurityAwareZkACLProvider type of ACL provider e.g.

      The ACLs for /security znode are configured as (‘world’,’anyone’) even
      though the implementation of SecurityAwareZkACLProvider intends to
      restrict access only for the solr super user.

      The znodes under /security directory (e.g. /security/token) are
      configured just like any other configuration file (i.e. modifiable by
      solr admin and readable by world). SecurityAwareZkACLProvider on the
      other hand intends to restrict access only for the solr super user.

      The possible consequences of this vulnerability are severe. e.g.
      (a) a malicious user can read the security tokens in Zookeeper and
      gain access to the Solr cluster.
      (b) a malicious user can delete the security related metadata in
      Zookeeper and disrupt operations performed by authenticated users.
      This is possible since the (‘world’,’anyone’) permission on /security
      directory allows an attacker to delete the child znodes under that path.

      Please find attached the patch, which includes a unit test and the fix.
      Let me know if any additional information is required from my side.
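A defender-side check for the misconfiguration described in the report, added here as an example that is not part of the issue or of the Solr code base: it walks a snapshot of ZooKeeper ACLs (constructed in-code, in the (scheme, id, perms) shape a client's getACL returns) and flags any principal other than the assumed super user digest identity `solr-admin` that holds any permission on /security or its children.

```python
"""Offline audit of ZooKeeper ACLs on Solr's /security subtree.

ACL entries are modelled as (scheme, id, perms) tuples; the snapshots below
are constructed to mirror the report and do not come from a live cluster.
"""
# ZooKeeper permission bits (org.apache.zookeeper.ZooDefs.Perms)
READ, WRITE, CREATE, DELETE, ADMIN = 1, 2, 4, 8, 16
ALL = READ | WRITE | CREATE | DELETE | ADMIN

SECURITY_ROOT = "/security"
SUPERUSER = "solr-admin"  # assumed digest user name of the Solr super user

def perm_names(perms):
    """Render a permission bitmask as a readable list, e.g. 'read,delete'."""
    names = [n for n, bit in (("read", READ), ("write", WRITE), ("create", CREATE),
                              ("delete", DELETE), ("admin", ADMIN)) if perms & bit]
    return ",".join(names) or "none"

def audit_security_acls(acls_by_path, superuser=SUPERUSER):
    """Return one finding per (path, ACL entry) that grants any access under
    /security to a principal other than the super user."""
    findings = []
    for path, entries in sorted(acls_by_path.items()):
        if path != SECURITY_ROOT and not path.startswith(SECURITY_ROOT + "/"):
            continue  # only the delegation-token metadata is in scope
        for scheme, ident, perms in entries:
            # digest ids are "user:base64(sha1(user:password))"; compare the user part
            if scheme == "digest" and ident.split(":")[0] == superuser:
                continue  # the super user is the only principal meant to have access
            if perms & ALL:
                findings.append(f"{path}: {scheme}:{ident} has {perm_names(perms)}")
    return findings

# Constructed snapshot reproducing the report: /security open to world,
# /security/token protected like an ordinary config file (world-readable).
VULNERABLE = {
    "/security": [("world", "anyone", ALL)],
    "/security/token": [("digest", "solr-admin:hash", ALL), ("world", "anyone", READ)],
    "/configs/c1/solrconfig.xml": [("digest", "solr-admin:hash", ALL), ("world", "anyone", READ)],
}
# Constructed snapshot after the fix: every node under /security is super-user only.
FIXED = {
    "/security": [("digest", "solr-admin:hash", ALL)],
    "/security/token": [("digest", "solr-admin:hash", ALL)],
}

if __name__ == "__main__":
    for label, snapshot in (("vulnerable", VULNERABLE), ("fixed", FIXED)):
        print(label, audit_security_acls(snapshot) or ["no findings"])
```

Nodes outside /security (such as /configs) are deliberately skipped, since world-readable configuration is the intended ACL there; only the security metadata must be restricted to the super user.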



      Attachments:
        1. zk_acl_fix.patch (21 kB, Shalin Shekhar Mangar)
        2. zk_acl_fix_6x.patch (19 kB, Shalin Shekhar Mangar)
        3. unit_test_fix.patch (9 kB, Shalin Shekhar Mangar)



            • Assignee: Shalin Shekhar Mangar
            • Votes: 0
            • Watchers: 3