[SOLR-13669] [CVE-2019-0193] Remote Code Execution via DataImportHandler - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Closed
Priority: Major
Resolution: Fixed
Affects Version/s: None
Fix Version/s: 7.7.3, 8.1.2, 8.2
Component/s: contrib - DataImportHandler
Labels:
None

Description

The DataImportHandler, an optional but popular module to pull in data from databases and other sources, has a feature in which the whole DIH configuration can come from a request's "dataConfig" parameter. The debug mode of the DIH admin screen uses this to allow convenient debugging / development of a DIH config. Since a DIH config can contain scripts, this parameter is a security risk. Starting with version 8.2.0 of Solr, use of this parameter requires setting the Java System property "enable.dih.dataConfigParam" to true.

Mitigations:

Upgrade to 8.2.0 or later, which is secure by default.
or, edit solrconfig.xml to configure all DataImportHandler usages with an "invariants" section listing the "dataConfig" parameter set to am empty string.
Ensure your network settings are configured so that only trusted traffic communicates with Solr, especially to the DIH request handler. This is a best practice to all of Solr.

Credits:

Michael Stepankin

References:

Attachments

Issue Links

relates to

SOLR-13873 Is there any fix for CVE-2019-0193 issue for solr 7.7.1

Resolved

links to

GitHub Pull Request #1260

Activity

People

Assignee:: David Smiley

Reporter:: Michael Stepankin

Votes:: 0 Vote for this issue

Watchers:: 5 Start watching this issue

Dates

Created:: 31/Jul/19 22:05

Updated:: 29/Nov/20 06:01

Resolved:: 30/Nov/19 05:03

Time Tracking

Estimated:

Not Specified

Remaining:

Logged:

1h 10m