Uploaded image for project: 'Solr'
  1. Solr
  2. SOLR-14025

CVE-2019-17558: Velocity response writer RCE vulnerability persists after 8.3.1

    XMLWordPrintableJSON

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Blocker
    • Resolution: Fixed
    • Affects Version/s: 8.3.1
    • Fix Version/s: 7.7.3, 8.4
    • Component/s: contrib - Velocity
    • Labels:
      None

      Description

      Gézapeti from Cloudera kindly reported this to me:

      Hi Ishan! I’d like to raise (yet an other) issue with SOLR-13971 and the Velocity templates. I’m working at Cloudera on Solr and have taken the time to test out whether the fix in 8.3.1 is sufficient to mitigate the issue. The sad thing is: It’s possible to upload a properties file into ZK and add the resource loaders in that file. I think we should add yet-an-other option to make the init-from-property file functionality off by default.
      
      https://github.com/apache/lucene-solr/blob/master/solr/contrib/velocity/src/java/org/apache/solr/response/VelocityResponseWriter.java#L73 this property loads the file here https://github.com/apache/lucene-solr/blob/master/solr/contrib/velocity/src/java/org/apache/solr/response/VelocityResponseWriter.java#L141
      solr/contrib/velocity/src/java/org/apache/solr/response/VelocityResponseWriter.java:73
      <https://github.com/apache/lucene-solr|apache/lucene-solr>apache/lucene-solr | Added by GitHub
      solr/contrib/velocity/src/java/org/apache/solr/response/VelocityResponseWriter.java:141
      <https://github.com/apache/lucene-solr|apache/lucene-solr>apache/lucene-solr | Added by GitHub
      

      Seems like our mitigation wasn't good enough, there's another way to load resources.

      I've requested him to follow procedure here (https://cwiki.apache.org/confluence/display/solr/SolrSecurity). Meanwhile, I opened this JIRA anyway.

        Attachments

        1. SOLR-14025.patch
          20 kB
          Erik Hatcher
        2. SOLR-14025.patch
          23 kB
          Erik Hatcher
        3. SOLR-14025.patch
          28 kB
          Erik Hatcher
        4. SOLR-14025.patch
          34 kB
          Erik Hatcher
        5. SOLR-14025.patch
          34 kB
          Erik Hatcher

          Issue Links

            Activity

              People

              • Assignee:
                ehatcher Erik Hatcher
                Reporter:
                ichattopadhyaya Ishan Chattopadhyaya
              • Votes:
                0 Vote for this issue
                Watchers:
                8 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved: