From: will martin
Date: Wed, 4 Jul 2018 17:15:13 -0400
Subject: Re: [SECURITY] CVE-2018-8026: XXE vulnerability due to Apache Solr configset upload (exchange rate provider config / enum field config / TIKA parsecontext)
To: general@lucene.apache.org
Cc:
announce@apache.org, dev@lucene.apache.org, solr-user@lucene.apache.org, security, oss-security@lists.openwall.com

The CVE ID was reserved in April, the Jira ticket one month ago. Is this the first notice to this list?

Thx

On Wed, Jul 4, 2018, 12:56 PM Uwe Schindler wrote:

> CVE-2018-8026: XXE vulnerability due to Apache Solr configset upload
> (exchange rate provider config / enum field config / TIKA parsecontext)
>
> Severity: High
>
> Vendor:
> The Apache Software Foundation
>
> Versions Affected:
> Solr 6.0.0 to 6.6.4
> Solr 7.0.0 to 7.3.1
>
> Description:
> The details of this vulnerability were reported by mail to the Apache
> security mailing list.
> This vulnerability relates to an XML external entity expansion (XXE) in Solr
> config files (currency.xml, enumsConfig.xml referred from schema.xml,
> TIKA parsecontext config file). In addition, XInclude functionality provided
> in these config files is also affected in a similar way. The vulnerability can
> be used as XXE using file/ftp/http protocols in order to read arbitrary
> local files from the Solr server or the internal network. The manipulated
> files can be uploaded as configsets using Solr's API, allowing that
> vulnerability to be exploited. See [1] for more details.
>
> Mitigation:
> Users are advised to upgrade to either the Solr 6.6.5 or Solr 7.4.0 release,
> both of which address the vulnerability. Once the upgrade is complete, no
> other steps are required. Those releases only allow external entities and
> XIncludes that refer to local files / ZooKeeper resources below the Solr
> instance directory (using Solr's ResourceLoader); usage of absolute URLs is
> denied. Keep in mind that external entities and XInclude are explicitly
> supported to better structure config files in large installations. Before
> Solr 6 this was no problem, as config files were not accessible through the
> APIs.
>
> If users are unable to upgrade to Solr 6.6.5 or Solr 7.4.0 then they are
> advised to make sure that Solr instances are only used locally without access
> to the public internet, so the vulnerability cannot be exploited. In addition,
> reverse proxies should be configured to not allow end users to reach the
> configset APIs. Please refer to [2] on how to correctly secure Solr servers.
>
> Solr 5.x and earlier are not affected by this vulnerability; those versions
> do not allow uploading configsets via the API. Nevertheless, users should
> upgrade those versions as soon as possible, because there may be other ways
> to inject config files through the file upload functionality of the old web
> interface. Those versions are no longer maintained, so no deep analysis was
> done.
>
> Credit:
> Yuyang Xiao, Ishan Chattopadhyaya
>
> References:
> [1] https://issues.apache.org/jira/browse/SOLR-12450
> [2] https://wiki.apache.org/solr/SolrSecurity
>
> -----
> Uwe Schindler
> uschindler@apache.org
> ASF Member, Apache Lucene PMC / Committer
> Bremen, Germany
> http://lucene.apache.org/
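The mitigation the advisory describes (external entities and XIncludes honoured only for resources below the instance directory, absolute URLs denied) can be illustrated with a JAXP EntityResolver. This is an added example, not Solr's own ResourceLoader-based code; `ConfigDirEntityResolver`, `allowedPath` and `parseConfig` are hypothetical names, and it assumes a Xerces-based JAXP parser such as the JDK default, which hands the resolver the already expanded system ID and routes XInclude hrefs through the same resolver.

```java
import java.net.URI;
import java.nio.file.Path;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.xml.sax.EntityResolver;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

/** Hypothetical resolver: external entities and XInclude hrefs may only name files below configDir. */
public final class ConfigDirEntityResolver implements EntityResolver {
    private final Path configDir;

    public ConfigDirEntityResolver(Path configDir) {
        this.configDir = configDir.toAbsolutePath().normalize();
    }

    /** Returns the file a reference may read, or null when it must be denied. */
    Path allowedPath(String systemId) {
        if (systemId == null || systemId.isEmpty()) return null;
        Path target;
        try {
            if (systemId.regionMatches(true, 0, "file:", 0, 5)) {
                target = Path.of(URI.create(systemId));          // parser hands us the expanded file: URI
            } else if (systemId.matches("^[A-Za-z][A-Za-z0-9+.-]*:.*") || systemId.startsWith("/")) {
                return null;                                     // http:, ftp:, jar:, ... or an absolute path
            } else {
                target = configDir.resolve(systemId);            // plain relative reference
            }
        } catch (IllegalArgumentException e) {                   // malformed URI or path
            return null;
        }
        target = target.toAbsolutePath().normalize();            // collapses ../ escapes
        return target.startsWith(configDir) ? target : null;     // component-wise prefix check
    }

    @Override
    public InputSource resolveEntity(String publicId, String systemId) throws SAXException {
        Path target = allowedPath(systemId);
        if (target == null) throw new SAXException("Denied external reference: " + systemId);
        return new InputSource(target.toUri().toString());       // nested relative refs resolve from here
    }

    /** Parses configDir/fileName with XInclude kept on, every external reference checked first. */
    public static Document parseConfig(Path configDir, String fileName) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        f.setXIncludeAware(true);                                // XInclude stays supported, as in Solr
        DocumentBuilder b = f.newDocumentBuilder();
        b.setEntityResolver(new ConfigDirEntityResolver(configDir));
        return b.parse(configDir.resolve(fileName).toFile());
    }
}
```

With this in place a `SYSTEM "http://..."` entity, a `file:///etc/passwd` reference or a `../` escape out of configDir aborts parsing with the SAXException, while `SYSTEM "enumsConfig.xml"` next to schema.xml still loads.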