
Velocity custom template RCE vulnerability


    Details

    • Type: Bug
    • Status: Closed
    • Priority: Blocker
    • Resolution: Fixed
    • Affects Version/s: 5.0, 5.5.5, 6.0, 6.6.5, 7.0, 7.7, 8.0, 8.3
    • Fix Version/s: 7.7.3, 8.4
    • Component/s: None
    • Labels: None

    Description

    We need to disable this. There is a zero-day attack in the wild. 41 stars on this GitHub project:

    1. https://github.com/jas502n/solr_rce
    2. https://gist.github.com/s00py/a1ba36a3689fa13759ff910e179fc133

    We need to disable this in a way that cannot be re-enabled using the Config API.

    Attachments

    1. SOLR-13971.patch (11 kB, Ishan Chattopadhyaya)


    People

    • Assignee: Ishan Chattopadhyaya (ichattopadhyaya)
    • Reporter: Ishan Chattopadhyaya (ichattopadhyaya)
    • Votes: 0
    • Watchers: 9


    Time Tracking

    • Estimated: Not Specified
    • Remaining: 0h
    • Logged: 1h 20m