Details
- Bug
- Status: Closed
- Blocker
- Resolution: Fixed
Description
ConfigSets created via a RESTORE command, which essentially copies a configSet out of the backup under a new name, are created without the "trusted" metadata being set, and a configSet whose metadata lacks the flag is implicitly treated as trusted.
This can lead to RCE if a user constructs their configSet cleverly.
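To make the trust rule in the description concrete, here is an added Python model (not Solr's code; the store, function and configSet names are constructed) of the two decisions involved: what metadata UPLOAD and RESTORE write, and how a missing flag is interpreted, each shown as described above beside a hardened variant, plus an audit helper that lists configSets carrying no flag at all.

```python
from dataclasses import dataclass, field

@dataclass
class ConfigSet:
    name: str
    files: dict                                   # path -> content
    metadata: dict = field(default_factory=dict)  # e.g. {"trusted": False}

def upload(store, name, files, authenticated):
    # UPLOAD writes the flag explicitly: an unauthenticated upload is untrusted.
    store[name] = ConfigSet(name, dict(files), {"trusted": bool(authenticated)})

def restore_buggy(store, backup_files, new_name):
    # RESTORE as described in the bug: files are copied, no metadata is written.
    store[new_name] = ConfigSet(new_name, dict(backup_files))

def restore_fixed(store, backup_files, new_name, authenticated):
    # Hardened RESTORE: trust is decided by the restoring request, never left blank.
    store[new_name] = ConfigSet(new_name, dict(backup_files), {"trusted": bool(authenticated)})

def is_trusted_buggy(cs):
    return cs.metadata.get("trusted", True)   # legacy rule: a missing flag counts as trusted

def is_trusted_fixed(cs):
    return cs.metadata.get("trusted") is True  # hardened rule: only an explicit True is trusted

def untagged_configsets(store):
    """ConfigSets carrying no explicit flag: what an admin should review after upgrading."""
    return sorted(n for n, cs in store.items() if "trusted" not in cs.metadata)

def demo():
    store = {}  # constructed stand-in for the ZooKeeper /configs tree
    # Constructed layout mirroring the report: a normal config plus backed-up config data.
    upload(store, "conf1", {"solrconfig.xml": "normal",
                            "conf4/zk_backup_0/configs/conf4/solrconfig.xml": "from-backup"},
           authenticated=False)
    prefix = "conf4/zk_backup_0/configs/conf4/"
    backup = {p[len(prefix):]: c for p, c in store["conf1"].files.items() if p.startswith(prefix)}
    restore_buggy(store, backup, "noExist")
    restore_fixed(store, backup, "noExist-fixed", authenticated=False)
    return {"upload_trusted": is_trusted_fixed(store["conf1"]),
            "buggy_restore_legacy_check": is_trusted_buggy(store["noExist"]),
            "buggy_restore_fixed_check": is_trusted_fixed(store["noExist"]),
            "fixed_restore": is_trusted_fixed(store["noExist-fixed"]),
            "untagged": untagged_configsets(store)}
```

The point the model makes is that the unauthenticated upload is correctly untrusted, yet the set produced by the buggy restore passes the legacy check because it has no flag; the audit helper finds exactly that set.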
The following is copied from liuhuajin's security report's reproduction instructions:
The following four APIs need to be known for this vulnerability:
1. Upload API: http://127.0.0.1:8983/solr/admin/configs?action=UPLOAD&name=conf1
2. Create Collection API: http://127.0.0.1:8983/solr/admin/collections?action=CREATE&name=conf4&numShards=1&replicationFactor=1&wt=json&collection.configName=conf4
3. BACKUP API: http://127.0.0.1:8983/solr/admin/collections?action=BACKUP&collection=conf4&location=solrhome&name=conf4
4. RESTORE Backup API: http://127.0.0.1:8983/solr/admin/collections?action=RESTORE&collection=fy3&location=solrhome\server\solr\conf4\conf4\zk_backup_0\configs&name= conf4&collection.configName=noExist
Step one: I uploaded the malicious zip via the first API. The malicious zip contains a normal configuration set and backed-up data.
The key files are as follows:
/solrconfig.xml -- (normal solrconfig.xml)
/conf4/zk_backup_0/configs/conf4/solrconfig.xml -- (malicious solrconfig.xml)