
Schema Designer blindly "trusts" potentially malicious configset


Details

    • Type: Bug
    • Status: Closed
    • Priority: Blocker
    • Resolution: Fixed
    • Affects Version/s: 9.0, 8.10, 8.11.2, 9.1, 9.2, 9.1.1
    • Fix Version/s: 8.11.3, 9.3
    • Component/s: None
    • Labels: None

    Description

      When configset API is used to upload configsets by unauthenticated users, a "trusted: false" flag is set on the configset. Such configsets cannot use the <lib> directive to load classes while creating/loading collections. Details here: https://solr.apache.org/guide/8_10/configsets-api.html#configsets-upload

      Unfortunately, this safety mechanism was bypassed in the schema designer, where isConfigsetTrusted was hardcoded to true: https://github.com/apache/solr/blob/branch_9_1/solr/core/src/java/org/apache/solr/handler/designer/SchemaDesignerConfigSetHelper.java#L697

      As per Skay's report https://twitter.com/Skay_00/status/1646870062601756672 remote code execution is possible in unsecured Solr clusters where authentication hasn't been enabled. This ticket is to mitigate one aspect of that, i.e. the schema designer vulnerability. While our recommendation to all users remains the same, i.e. to secure Solr installations with authentication and authorization, I thank Skay for his detailed report.
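The following Python is an added illustration, not Solr's own code: it models the trust gate the description refers to. A configset carries the trusted flag recorded at upload, and `<lib>` directives in its solrconfig.xml must be refused when that flag is false; the buggy variant hard-codes the trust answer the way the schema designer helper did. The ConfigSet class, function names and the sample solrconfig.xml are constructed for the example.

```python
"""Model of the configset trust gate that SOLR-16777 bypassed (constructed example)."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass


@dataclass
class ConfigSet:
    name: str
    trusted: bool          # "trusted" flag recorded when the configset was uploaded
    solrconfig_xml: str    # contents of the configset's solrconfig.xml


def lib_directives(solrconfig_xml: str) -> list:
    """Return the attributes of every <lib> directive found in solrconfig.xml."""
    root = ET.fromstring(solrconfig_xml)
    return [dict(el.attrib) for el in root.iter("lib")]


def is_trusted_buggy(cs: ConfigSet) -> bool:
    # Vulnerable behaviour: the stored flag is ignored and trust is hard-coded.
    return True


def is_trusted_fixed(cs: ConfigSet) -> bool:
    # Hardened behaviour: the flag set at upload time decides.
    return cs.trusted


def check_lib_loading(cs: ConfigSet, trust_check) -> dict:
    """Decide whether a configset may be loaded with its <lib> directives in place."""
    libs = lib_directives(cs.solrconfig_xml)
    if libs and not trust_check(cs):
        return {"allowed": False, "reason": "untrusted configset uses <lib>", "libs": libs}
    return {"allowed": True, "libs": libs}


# Constructed sample: a configset uploaded without authentication (trusted: false)
# whose solrconfig.xml tries to pull jars in through <lib>.
UNTRUSTED_UPLOAD = ConfigSet(
    name="uploaded-by-anonymous",
    trusted=False,
    solrconfig_xml='<config><lib dir="/tmp/jars" regex=".*\\.jar"/></config>',
)
TRUSTED_UPLOAD = ConfigSet("uploaded-by-admin", True, UNTRUSTED_UPLOAD.solrconfig_xml)
PLAIN_UNTRUSTED = ConfigSet("no-libs", False, "<config/>")
```

With `is_trusted_buggy` the untrusted configset is accepted, which is the behaviour the ticket fixes; with `is_trusted_fixed` it is refused while trusted or `<lib>`-free configsets still load.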

      Attachments

        1. Screenshot_20230503_165913.jpg
          449 kB
          Ishan Chattopadhyaya
        2. Screenshot_20230503_181534.jpg
          387 kB
          Ishan Chattopadhyaya
        3. SOLR-16777.patch
          0.8 kB
          Ishan Chattopadhyaya
        4. SOLR-16777-1.patch
          13 kB
          Houston Putman
        5. SOLR-16777-2.patch
          18 kB
          Houston Putman

            People

              Assignee: Ishan Chattopadhyaya
              Reporter: Ishan Chattopadhyaya
              Votes: 0
              Watchers: 9
