From: Erik Hatcher
Date: Mon, 30 Dec 2019 08:13:38 -0500
Subject: [CVE-2019-17558] Apache Solr RCE through VelocityResponseWriter
To: "Lucene/Solr dev", general@lucene.apache.org, solr-user@lucene.apache.org, Apache Security Team, security@lucene.apache.org, announce@apache.org

[CVE-2019-17558] Apache Solr RCE through VelocityResponseWriter

Severity: High

Vendor: The Apache Software Foundation

Versions Affected: 5.0.0 to 8.3.1

Description:
The affected versions are vulnerable to a Remote Code Execution through the VelocityResponseWriter. A Velocity template can be provided through a configset `velocity/` directory or as a parameter. A user-defined configset could contain renderable, potentially malicious, templates. Parameter-provided templates are disabled by default, but can be enabled by setting `params.resource.loader.enabled` by defining a response writer with that setting set to `true`. Defining a response writer requires configuration API access.

Solr 8.4 removed the params resource loader entirely, and only enables the configset-provided template rendering when the configset is `trusted` (has been uploaded by an authenticated user).

Mitigation:
Ensure your network settings are configured so that only trusted traffic communicates with Solr, especially to the configuration APIs.

Credits:
GitHub user `s00py`

References:
* https://cwiki.apache.org/confluence/display/solr/SolrSecurity
* https://issues.apache.org/jira/browse/SOLR-13971
* https://issues.apache.org/jira/browse/SOLR-14025
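
A configuration check for the setting described in the advisory, as an added example that is not part of the original message or of Solr's code: it parses a `solrconfig.xml` and reports every VelocityResponseWriter whose `params.resource.loader.enabled` resolves to `true`, and tests a version string against the affected range. The sample config, the function names and the finding fields are constructed for illustration; the `queryResponseWriter` element and `${property:default}` substitution are standard `solrconfig.xml` syntax.

```python
import re
import xml.etree.ElementTree as ET

AFFECTED_MIN, AFFECTED_MAX = (5, 0, 0), (8, 3, 1)  # "5.0.0 to 8.3.1" per the advisory
PROP = re.compile(r"^\$\{([^:}]+)(?::([^}]*))?\}$")  # Solr ${property:default} substitution

# Constructed sample solrconfig.xml fragment (not taken from a real deployment).
SAMPLE = """<config>
  <queryResponseWriter name="velocity" class="solr.VelocityResponseWriter" startup="lazy">
    <str name="params.resource.loader.enabled">${velocity.params.resource.loader.enabled:false}</str>
  </queryResponseWriter>
  <queryResponseWriter name="v2" class="solr.VelocityResponseWriter">
    <bool name="params.resource.loader.enabled">true</bool>
  </queryResponseWriter>
</config>"""

def version_affected(version):
    """True if the Solr version falls inside the advisory's affected range."""
    parts = tuple(int(p) for p in re.findall(r"\d+", version)[:3])
    parts += (0,) * (3 - len(parts))  # "8.4" is compared as 8.4.0
    return AFFECTED_MIN <= parts <= AFFECTED_MAX

def audit(solrconfig_xml, sysprops=None):
    """Return one finding per VelocityResponseWriter definition in the config."""
    sysprops = sysprops or {}
    findings = []
    for writer in ET.fromstring(solrconfig_xml).iter("queryResponseWriter"):
        if not writer.get("class", "").endswith("VelocityResponseWriter"):
            continue
        raw, from_property = "false", False  # advisory: disabled by default
        for child in writer:
            if child.get("name") == "params.resource.loader.enabled":
                raw = (child.text or "").strip()
        match = PROP.match(raw)
        if match:  # value is taken from a JVM system property, else the default
            from_property = True
            raw = sysprops.get(match.group(1), match.group(2) or "false")
        findings.append({"writer": writer.get("name"),
                         "params_loader_enabled": raw.lower() == "true",
                         "set_by_system_property": from_property})
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

Response writers defined through the configuration API are stored in the configset's `configoverlay.json` rather than in `solrconfig.xml`, so that file needs the same review.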