Details
-
Bug
-
Status: Closed
-
Blocker
-
Resolution: Fixed
-
8.3.1
-
None
Description
Gézapeti from Cloudera kindly reported this to me:
Hi Ishan! I’d like to raise (yet an other) issue with SOLR-13971 and the Velocity templates. I’m working at Cloudera on Solr and have taken the time to test out whether the fix in 8.3.1 is sufficient to mitigate the issue. The sad thing is: It’s possible to upload a properties file into ZK and add the resource loaders in that file. I think we should add yet-an-other option to make the init-from-property file functionality off by default. https://github.com/apache/lucene-solr/blob/master/solr/contrib/velocity/src/java/org/apache/solr/response/VelocityResponseWriter.java#L73 this property loads the file here https://github.com/apache/lucene-solr/blob/master/solr/contrib/velocity/src/java/org/apache/solr/response/VelocityResponseWriter.java#L141 solr/contrib/velocity/src/java/org/apache/solr/response/VelocityResponseWriter.java:73 <https://github.com/apache/lucene-solr|apache/lucene-solr>apache/lucene-solr | Added by GitHub solr/contrib/velocity/src/java/org/apache/solr/response/VelocityResponseWriter.java:141 <https://github.com/apache/lucene-solr|apache/lucene-solr>apache/lucene-solr | Added by GitHub
Seems like our mitigation wasn't good enough, there's another way to load resources.
I've requested him to follow procedure here (https://cwiki.apache.org/confluence/display/solr/SolrSecurity). Meanwhile, I opened this JIRA anyway.
Attachments
Attachments
Issue Links
- relates to
-
SOLR-13971 Velocity custom template RCE vulnerability
- Closed