apache solr: CVE-2017-12629 & CVE-2017-3163 #33876
Comments
Another attempt at this. If no maintainer shows interest in at least upgrading those packages, we should remove them.
For details see the issue [0] that had been opened in January. [0] NixOS#33876
@andir thanks for pinging. I'll upgrade riak to 2.2.3. Sadly, we've got to ship with our own version: Riak requires a specific basho-linked version of solr.
@andir sadly, don't have access to a Linux machine atm, but here's a preliminary patch: mdaiter@a61893f
@mdaiter Thank you for working on this! Do you have references to the release notes of solr/riak with respect to those issues I linked initially?
@andir, sadly I have none :(
@aanderse I am not familiar with the software. I will have a look anyway :)
Thanks to @aanderse the solr issue is resolved as of now (on master). So this still leaves the question of
I'm not familiar with this software but after some research I see that the Riak 2.2.0+ search module (named Yokozuna) ships Solr 4.10.4
Closing then?
Yeah, it is a bit sad but let's close it. Should we mark riak as insecure then?
On Mon, 10 Dec 2018, 14:55 Renaud <***@***.***> wrote:
I'm not familiar with this software but after some research I see that the Riak 2.2.0+ search module (named Yokozuna) ships Solr 4.10.4
See:
https://github.com/NixOS/nixpkgs/blob/b352d47e42b5babe82d937b2d5c77476b663dd88/pkgs/servers/nosql/riak/2.2.0.nix#L4
and
https://github.com/basho/yokozuna/blob/develop-2.2/tools/grab-solr.sh#L21
------------------------------
- *CVE-2017-12629*: appeared with Solr 5.1 (source <https://www.exploit-db.com/exploits/43009>), so Riak is not affected;
- *CVE-2017-3163*: 4.10.x is concerned but unfixed upstream <https://lists.apache.org/thread.html/a6a33a186f293f9f9aecf3bd39c76252bfc49a79de4321dd2a53b488@%3Csolr-user.lucene.apache.org%3E> because EOS, so nothing we can do here; it's up to Basho to upgrade to Solr 5.5.4+ in Riak KV
Closing then?
@andir no reply, so let's mark riak as insecure and close this?
Also related: #56294
Issue description
There are at least two potential long-term security issues with the solr version in 17.09 (and potentially unstable):
CVE-2017-3163:
When using the Index Replication feature, Apache Solr nodes can pull index files from a master/leader node using an HTTP API which accepts a file name. However, Solr before 5.5.4 and 6.x before 6.4.1 did not validate the file name, hence it was possible to craft a special request involving path traversal, leaving any file readable to the Solr server process exposed. Solr servers protected and restricted by firewall rules and/or authentication would not be at risk since only trusted clients and users would gain direct HTTP access.
CVE-2017-12629
Remote code execution occurs in Apache Solr before 7.1 with Apache Lucene before 7.1 by exploiting XXE in conjunction with use of a Config API add-listener command to reach the RunExecutableListener class. Elasticsearch, although it uses Lucene, is NOT vulnerable to this. Note that the XML external entity expansion vulnerability occurs in the XML Query Parser which is available, by default, for any query request with parameters deftype=xmlparser and can be exploited to upload malicious data to the /upload request handler or as Blind XXE using ftp wrapper in order to read arbitrary local files from the Solr server. Note also that the second vulnerability relates to remote code execution using the RunExecutableListener available on all affected versions of Solr.
CC maintainers of solr: @rickynils @domenkozar
From what I can see with a simple search through nixpkgs the following packages are also potentially affected by this (since they ship their own copy of solr):
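The check whose absence CVE-2017-3163 describes (a replication handler accepting a file name over HTTP without validating it), as an added example that is not part of this issue or of Solr's own code: a Python function that only ever maps a client-supplied name to a file directly inside the index directory, plus a demo on a constructed temporary directory. The directory layout, file names and the `%2e%2e%2f` request are constructed for illustration, not taken from Solr.

```python
import os
import tempfile
from pathlib import Path
from typing import Optional
from urllib.parse import unquote

# Constructed example (not Solr's code): the file-name validation that the
# Index Replication handler lacked before Solr 5.5.4 / 6.4.1 (CVE-2017-3163).

def resolve_index_file(index_dir: str, requested: str) -> Optional[Path]:
    """Map a client-supplied file name to a path inside index_dir.

    Returns None for anything that is not a plain file name living directly
    in the index directory. The value is URL-decoded first, so %2e%2e%2f is
    judged as '../' instead of slipping through as opaque text.
    """
    name = unquote(requested)
    # Index files form a flat set of names: no separators, no '.' or '..',
    # no NUL bytes, no empty or whitespace-padded names.
    if not name or name != name.strip() or name in (".", ".."):
        return None
    if any(c in name for c in ("/", "\\", "\x00")):
        return None
    base = Path(index_dir).resolve()
    candidate = (base / name).resolve()
    # resolve() follows symlinks, so a planted link that points outside the
    # index directory is rejected here even though its name looked harmless.
    if candidate.parent != base:
        return None
    return candidate


def demo() -> dict:
    """Build a throwaway index dir plus a file outside it and record which
    requests the check serves. Returns {request: bytes served or None}."""
    with tempfile.TemporaryDirectory() as tmp:
        index = Path(tmp) / "index"
        index.mkdir()
        (index / "segments_1").write_bytes(b"segments")
        (Path(tmp) / "secret.txt").write_bytes(b"outside the index")
        # A symlink inside the index whose target lies outside it.
        os.symlink(Path(tmp) / "secret.txt", index / "_0.cfs")
        results = {}
        for req in ("segments_1", "../secret.txt", "%2e%2e%2fsecret.txt", "_0.cfs"):
            path = resolve_index_file(str(index), req)
            results[req] = path.read_bytes() if path is not None else None
        return results
```

Only `segments_1` is served; the traversal, its percent-encoded form and the symlink pointing outside the index all come back as None, which is the behaviour the firewall/authentication advice in the CVE text can only approximate from the outside.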