www-announce mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Uwe Schindler" <uschind...@apache.org>
Subject [SECURITY] CVE-2017-12629: Please secure your Apache Solr servers since a zero-day exploit has been reported on a public mailing list
Date Thu, 12 Oct 2017 23:39:14 GMT
Dear Apache Solr users, 

Please secure your Solr servers since a zero-day exploit has been 
reported on a public mailing list [1]. This has been assigned a public 
CVE (CVE-2017-12629) which we will reference in future communication 
about resolution and mitigation steps. 

Here is what we're recommending and what we're doing now: 

* Until fixes are available, all Solr users are advised to restart their 
Solr instances with the system parameter `-Ddisable.configEdit=true`. 
This will disallow any changes to be made to configurations via the 
Config API. This is a key factor in this vulnerability, since it allows 
GET requests to add the RunExecutableListener to the config. This is 
sufficient to protect you from this type of attack, but means you cannot 
use the edit capabilities of the Config API until the other fixes 
described below are in place. 

* A new release of Lucene/Solr was in the vote phase, but we have now 
pulled it back to be able to address these issues in the upcoming 7.1 
release. We will also determine mitigation steps for users on earlier 
versions, which may include a 6.6.2 release for users still on 6.x. 

* The RunExecutableListener will be removed in 7.1. It was previously 
used by Solr for index replication but has been replaced and is no 
longer needed. 

* The XML Parser will be fixed and the fixes will be included in the 7.1 

* The 7.1 release was already slated to include a change to disable the 
`stream.body` parameter by default, which will further help protect 

Thanks, The Apache Lucene/Solr team 

[1] : https://s.apache.org/FJDl 

Uwe Schindler
ASF Member, Apache Lucene PMC / Committer
Bremen, Germany

View raw message