---------- Forwarded message ----------
From: Hrishikesh Gadre <firstname.lastname@example.org>
Date: Sat, Jul 22, 2017 at 3:59 AM
Subject: Apache Solr - security vulnerability (delegation token functionality)
We found a security vulnerability in the delegation token
functionality in Solr. This feature was added in Solr in 6.2 release
The delegation token functionality provided by Hadoop authentication
uses Apache curator framework to store the security related metadata.
Solr uses /security directory to store this information.
There are two issues with this functionality (when using
SecurityAwareZkACLProvider type of ACL provider e.g.
The ACLs for /security znode are configured as (‘world’,’anyone’) even
though the implementation of SecurityAwareZkACLProvider intends to
restrict access only for the solr super user.
The znodes under /security directory (e.g. /security/token) are
configured just like any other configuration file (i.e. modifiable by
solr admin and readable by world). SecurityAwareZkACLProvider on the
other hand intends to restrict access only for the solr super user.
The possible consequences of this vulnerability are severe. e.g.
(a) a malicious user can read the security tokens in Zookeeper and
gain access to the Solr cluster.
(b) a malicious user can delete the security related metadata in
Zookeeper and disrupt operations performed by authenticated users.
This is possible since the (‘world’,’anyone’) permission on /security
directory allows attacker to delete the child znodes under that path.
Please find the attached patch which includes a unit test and the fix.
Let me know if any additional information required from my side.