Solr issue SOLR-11482

CVE-2017-12629: Remove RunExecutableListener from Solr


Details

    • Type: Task
    • Status: Closed
    • Priority: Blocker
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 5.5.5, 6.6.2, 7.1, 7.2, 8.0
    • Component/s: security, Server
    • Labels: None

    Description

      This class should no longer be needed, as replication can be done through Solr Cloud or via ReplicationHandler. The current listener is a security risk, as it can be configured through the Config API. See the report:

      Solr's "RunExecutableListener" class can be used to execute arbitrary commands on specific events, for example after each update query. The problem is that such a listener can be enabled with any parameters just by using the Config API with the add-listener command.

      POST /solr/newcollection/config HTTP/1.1
      Host: localhost:8983
      Connection: close
      Content-Type: application/json
      Content-Length: 198

      {
        "add-listener" : {
          "event":"postCommit",
          "name":"newlistener",
          "class":"solr.RunExecutableListener",
          "exe":"ANYCOMMAND",
          "dir":"/usr/bin/",
          "args":["ANYARGS"]
        }
      }


      Parameters "exe", "args" and "dir" can be crafted through the HTTP request during modification of the collection's config. This means that anybody who can send an HTTP request to the Solr API is able to execute arbitrary shell commands when the "postCommit" event is fired. It leads to arbitrary remote code execution for a remote attacker.
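      A defender's check for the pattern the report describes, added here as an example and not part of the issue or of Solr's own code: the function below walks a Config API request body (or any JSON dump of stored Solr configuration) and reports every listener definition whose class is RunExecutableListener, in either its "solr." alias form or its fully qualified form, so proxy logs and configuration can be audited for it. The two sample bodies are constructed for the example.

```python
import json

# Both spellings identify the removed listener: the "solr." alias used in the
# report's request, and the fully qualified class name the alias expands to.
RUN_EXECUTABLE_CLASSES = {
    "solr.RunExecutableListener",
    "org.apache.solr.core.RunExecutableListener",
}
REPORTED_FIELDS = ("name", "event", "exe", "dir", "args")


def find_run_executable_listeners(config_json: str) -> list:
    """Walk a JSON document (a Config API command body, or a dump of stored
    config) and return one finding per object whose "class" names
    RunExecutableListener. Each finding records the JSON path where the
    listener sat (e.g. "/add-listener") plus the fields an analyst needs."""
    findings = []

    def walk(node, path):
        if isinstance(node, dict):
            cls = node.get("class")
            if isinstance(cls, str) and cls.strip() in RUN_EXECUTABLE_CLASSES:
                finding = {"path": path or "/"}
                finding.update({k: node.get(k) for k in REPORTED_FIELDS})
                findings.append(finding)
            for key, value in node.items():
                walk(value, f"{path}/{key}")
        elif isinstance(node, list):
            for i, value in enumerate(node):
                walk(value, f"{path}[{i}]")

    walk(json.loads(config_json), "")
    return findings


# Constructed sample 1: the add-listener body quoted in the report above.
SAMPLE_ADD_LISTENER = """{"add-listener": {"event": "postCommit",
  "name": "newlistener", "class": "solr.RunExecutableListener",
  "exe": "ANYCOMMAND", "dir": "/usr/bin/", "args": ["ANYARGS"]}}"""

# Constructed sample 2: a legitimate Config API command; must yield no finding.
SAMPLE_BENIGN = '{"set-property": {"updateHandler.autoCommit.maxTime": 15000}}'

if __name__ == "__main__":
    for hit in find_run_executable_listeners(SAMPLE_ADD_LISTENER):
        print(f"ALERT at {hit['path']}: exe={hit['exe']!r} args={hit['args']!r}")
```

      The same walk applies to update-listener commands and to nested structures, since it matches on the "class" value rather than on the command name.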

      People

        Assignee: Uwe Schindler (uschindler)
        Reporter: Uwe Schindler (uschindler)