From: Shalin Shekhar Mangar
Date: Mon, 18 Sep 2017 10:44:51 -0700
Subject: CVE-2017-9803: Security vulnerability in kerberos delegation token functionality
To: Lucene mailing list , java-user@lucene.apache.org, solr-user@lucene.apache.org, announce@apache.org, Hrishikesh Gadre , security

CVE-2017-9803: Security vulnerability in kerberos delegation token functionality

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected: Apache Solr 6.2.0 to 6.6.0

Description: Solr's Kerberos plugin can be configured to use delegation tokens, which allow an application to reuse the authentication of an end user or of another application. There are two issues with this functionality when a SecurityAwareZkACLProvider type of ACL provider (e.g. SaslZkACLProvider) is in use. Firstly, access to the security configuration can be leaked to users other than the Solr super user. Secondly, malicious users can exploit this leaked configuration for privilege escalation to further expose or modify private data and/or disrupt operations in the Solr cluster. The vulnerability is fixed from Solr 6.6.1 onwards.

Mitigation: 6.x users should upgrade to 6.6.1

Credit: This issue was discovered by Hrishikesh Gadre of Cloudera Inc.

References:
https://issues.apache.org/jira/browse/SOLR-11184
https://wiki.apache.org/solr/SolrSecurity

--
The Lucene PMC
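As an added illustration, not part of the advisory or of the Solr project's code, here is a small defender-side check that parses the ACL reported by ZooKeeper's `zkCli.sh getAcl` for Solr's `/security.json` znode and flags entries that expose the security configuration beyond the SASL-authenticated principal. The two sample `getAcl` outputs and the principal name are constructed, and the check assumes SaslZkACLProvider is the configured provider, so only `sasl` entries are expected.

```python
import re

# Constructed sample outputs of `zkCli.sh getAcl /security.json`, not taken
# from a real cluster. RESTRICTED keeps the node limited to the SASL
# principal; LEAKY additionally grants read to every unauthenticated client,
# which is the "security configuration leaked" condition the advisory names.
RESTRICTED = "'sasl,'solr/solr1.example.com@EXAMPLE.COM\n: cdrwa\n"
LEAKY = RESTRICTED + "'world,'anyone\n: r\n"

# One getAcl entry is a line `'scheme,'id` followed by a line `: perms`.
ENTRY_RE = re.compile(
    r"^'(?P<scheme>\w+),'(?P<id>.*)\n:\s*(?P<perms>[cdrwa]+)\s*$", re.M)


def parse_get_acl(text):
    """Parse zkCli getAcl output into (scheme, id, frozenset_of_perms) tuples."""
    return [(m["scheme"], m["id"], frozenset(m["perms"]))
            for m in ENTRY_RE.finditer(text)]


def acl_findings(text, expected_scheme="sasl"):
    """Return human-readable findings for a security-config znode ACL.

    With SaslZkACLProvider only sasl entries should be present. Any
    world:anyone entry, or any entry under another scheme, lets clients
    other than the super user read or modify the security configuration.
    """
    entries = parse_get_acl(text)
    if not entries:
        return ["no ACL entries parsed (open ACL or unparsed output)"]
    findings = []
    for scheme, ident, perms in entries:
        if scheme == "world":
            findings.append("world:%s has %s" % (ident, "".join(sorted(perms))))
        elif scheme != expected_scheme:
            findings.append("unexpected scheme %s:%s" % (scheme, ident))
    return findings


if __name__ == "__main__":
    for name, acl in (("restricted", RESTRICTED), ("leaky", LEAKY)):
        print(name, acl_findings(acl) or ["ok"])
```

On a live cluster, feed the check the real `getAcl /security.json` output after upgrading to 6.6.1 to confirm no world-readable entry remains.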