SOLR-14925

CVE-2020-13957: The checks added to unauthenticated configset uploads can be circumvented


    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 6.6, 6.6.1, 6.6.2, 6.6.3, 6.6.4, 6.6.5, 6.6.6, 7.0, 7.0.1, 7.1, 7.2, 7.2.1, 7.3, 7.3.1, 7.4, 7.5, 7.6, 7.7, 7.7.1, 7.7.2, 8.0, 8.1, 8.2, 7.7.3, 8.1.1, 8.3, 8.4, 8.3.1, 8.5, 8.4.1, 8.6, 8.5.1, 8.5.2, 8.6.1, 8.6.2
    • Fix Version/s: master (9.0), 8.7, 8.6.3
    • Component/s: None
    • Security Level: Public (Default Security Level. Issues are Public)
    • Labels: None

      Description

      Severity: High

      Vendor: The Apache Software Foundation

      Versions Affected:
      6.6.0 to 6.6.5
      7.0.0 to 7.7.3
      8.0.0 to 8.6.2

      Description:
      Solr prevents certain features that are considered dangerous (they could be used for remote code execution) from being configured in a ConfigSet that is uploaded via the API without authentication/authorization. The checks that are in place to prevent such features can be circumvented by using a combination of the UPLOAD and CREATE actions.

      Mitigation:
      Any one of the following is enough to prevent this vulnerability:

      • Disable the UPLOAD command in the ConfigSets API if it is not used, by setting the system property configset.upload.enabled to false [1]
      • Use Authentication/Authorization and make sure unknown (unauthenticated) requests aren't allowed [2]
      • Upgrade to Solr 8.6.3 or greater.
      • If upgrading is not an option, consider applying the patch in SOLR-14663 [3]
      • No Solr API, including the Admin UI, is designed to be exposed to non-trusted parties. Tune your firewall so that only trusted computers and people are allowed access
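      The following audit helper is an added example, not code from the advisory or the Solr project. It checks a deployment against the first three mitigations above: the configset.upload.enabled property in the JVM options, a security.json whose authentication plugin rejects unknown requests (assumed here to be the blockUnknown setting of Solr's BasicAuthPlugin), and the running version against the 8.6.3 fix version. All sample inputs are constructed.

```python
import json
import re
from typing import Optional

# Constructed sample inputs, not taken from the advisory: a SOLR_OPTS string as
# set in solr.in.sh, and security.json documents as they would sit in ZooKeeper.
VULNERABLE_OPTS = "-Dsolr.jetty.https.port=8983 -Dsolr.log.dir=/var/solr/logs"
MITIGATED_OPTS = "-Dsolr.log.dir=/var/solr/logs -Dconfigset.upload.enabled=false"

SECURITY_JSON_OPEN: Optional[str] = None  # no security.json at all
SECURITY_JSON_WEAK = json.dumps({   # authentication on, but unknown requests pass
    "authentication": {"class": "solr.BasicAuthPlugin", "blockUnknown": False,
                       "credentials": {"solr": "PLACEHOLDER_HASH"}}})
SECURITY_JSON_GOOD = json.dumps({   # unknown (unauthenticated) requests rejected
    "authentication": {"class": "solr.BasicAuthPlugin", "blockUnknown": True,
                       "credentials": {"solr": "PLACEHOLDER_HASH"}},
    "authorization": {"class": "solr.RuleBasedAuthorizationPlugin"}})

def upload_disabled(jvm_opts: str) -> bool:
    """Mitigation [1]: -Dconfigset.upload.enabled=false appears in the JVM options."""
    m = re.search(r"-Dconfigset\.upload\.enabled=(\S+)", jvm_opts)
    return m is not None and m.group(1).lower() == "false"

def unknown_requests_blocked(security_json: Optional[str]) -> bool:
    """Mitigation [2]: an authentication plugin is configured with blockUnknown true."""
    if not security_json:
        return False
    auth = json.loads(security_json).get("authentication") or {}
    return bool(auth.get("class")) and auth.get("blockUnknown") is True

def version_fixed(version: str) -> bool:
    """Mitigation: running 8.6.3 or later, the advisory's fix version line."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", version)
    if not m:
        return False
    major, minor, patch = (int(g or 0) for g in m.groups())
    return (major, minor, patch) >= (8, 6, 3)

def is_exposed(version: str, jvm_opts: str, security_json: Optional[str]) -> bool:
    """Exposed only when none of the mitigations above is in place."""
    return not (version_fixed(version) or upload_disabled(jvm_opts)
                or unknown_requests_blocked(security_json))
```

      The firewall mitigation is not modelled, since it lives outside the Solr configuration.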

      Credit:
      Tomás Fernández Löbbe, András Salamon

      References:
      [1] https://lucene.apache.org/solr/guide/8_6/configsets-api.html
      [2] https://lucene.apache.org/solr/guide/8_6/authentication-and-authorization-plugins.html
      [3] https://issues.apache.org/jira/browse/SOLR-14663
      [4] https://issues.apache.org/jira/browse/SOLR-14925
      [5] https://wiki.apache.org/solr/SolrSecurity

      People

      • Assignee: tflobbe Tomas Eduardo Fernandez Lobbe
      • Reporter: tflobbe Tomas Eduardo Fernandez Lobbe