  1. Solr
  2. SOLR-14025

CVE-2019-17558: Velocity response writer RCE vulnerability persists after 8.3.1


Details

    • Type: Bug
    • Status: Closed
    • Priority: Blocker
    • Resolution: Fixed
    • Affects Version/s: 8.3.1
    • Fix Version/s: 7.7.3, 8.4
    • Component/s: contrib - Velocity
    • Labels: None

    Description

      Gézapeti from Cloudera kindly reported this to me:

      Hi Ishan! I’d like to raise (yet another) issue with SOLR-13971 and the Velocity templates. I’m working at Cloudera on Solr and have taken the time to test out whether the fix in 8.3.1 is sufficient to mitigate the issue. The sad thing is: It’s possible to upload a properties file into ZK and add the resource loaders in that file. I think we should add yet another option to make the init-from-property file functionality off by default.
      
      https://github.com/apache/lucene-solr/blob/master/solr/contrib/velocity/src/java/org/apache/solr/response/VelocityResponseWriter.java#L73 this property loads the file here https://github.com/apache/lucene-solr/blob/master/solr/contrib/velocity/src/java/org/apache/solr/response/VelocityResponseWriter.java#L141
      

      Seems like our mitigation wasn't good enough, there's another way to load resources.

      I've requested him to follow procedure here (https://cwiki.apache.org/confluence/display/solr/SolrSecurity). Meanwhile, I opened this JIRA anyway.
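
A defender-side check for the condition reported above, added here as an example (it is not code from the issue or from the Solr project): it scans a `solrconfig.xml` for registered Velocity response writers and flags any that load an init properties file or enable a resource loader. It assumes the property in question is the writer's `init.properties.file` init parameter; the sample configuration and the file name `velocity-init.properties` are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample solrconfig.xml fragment (not taken from the issue).
SAMPLE_SOLRCONFIG = """<config>
  <queryResponseWriter name="velocity" class="solr.VelocityResponseWriter">
    <str name="template.base.dir">${velocity.template.base.dir:}</str>
    <str name="init.properties.file">velocity-init.properties</str>
    <bool name="params.resource.loader.enabled">false</bool>
  </queryResponseWriter>
  <queryResponseWriter name="json" class="solr.JSONResponseWriter"/>
</config>"""

VELOCITY_CLASSES = {"solr.VelocityResponseWriter",
                    "org.apache.solr.response.VelocityResponseWriter"}
LOADER_FLAGS = ("params.resource.loader.enabled", "solr.resource.loader.enabled")


def audit_velocity_writers(solrconfig_xml):
    """Return (writer name, finding) tuples for risky Velocity writer settings."""
    findings = []
    root = ET.fromstring(solrconfig_xml)
    for writer in root.iter("queryResponseWriter"):
        if writer.get("class") not in VELOCITY_CLASSES:
            continue
        name = writer.get("name", "<unnamed>")
        findings.append((name, "VelocityResponseWriter is registered"))
        # Init args are typed children (<str>, <bool>, ...) with a name attribute.
        args = {c.get("name"): (c.text or "").strip() for c in writer}
        # A properties file is flagged even when both loader flags are false,
        # because the report says loaders can be added through that file.
        props = args.get("init.properties.file")
        if props:
            findings.append((name, "init.properties.file=" + props +
                             " (review this file in the configset / ZooKeeper)"))
        for flag in LOADER_FLAGS:
            if args.get(flag, "").lower() == "true":
                findings.append((name, flag + " is enabled"))
    return findings


if __name__ == "__main__":
    for name, finding in audit_velocity_writers(SAMPLE_SOLRCONFIG):
        print(name + ": " + finding)
```

Values supplied through `${...}` property substitution are not resolved by this check and need to be reviewed by hand.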

      Attachments

        1. SOLR-14025.patch
          34 kB
          Erik Hatcher
        2. SOLR-14025.patch
          34 kB
          Erik Hatcher
        3. SOLR-14025.patch
          28 kB
          Erik Hatcher
        4. SOLR-14025.patch
          23 kB
          Erik Hatcher
        5. SOLR-14025.patch
          20 kB
          Erik Hatcher


          People

            Assignee: Erik Hatcher (ehatcher)
            Reporter: Ishan Chattopadhyaya (ichattopadhyaya)
            Votes: 0
            Watchers: 8
