CVE-2017-7660: Security Vulnerability in secure inter-node communication in Apache Solr

Severity: Important

The Apache Software Foundation

Versions Affected:
Solr 5.3 to 5.5.4
Solr 6.0 to 6.5.1


Solr uses a PKI-based mechanism to secure inter-node communication
when security is enabled. It is possible to create a specially crafted
node name that does not exist as part of the cluster and point it to a
malicious node. This can trick the nodes in the cluster into believing that
the malicious node is a member of the cluster. So, if Solr users have
enabled the BasicAuth authentication mechanism using the BasicAuthPlugin,
or if the user has implemented a custom Authentication plugin which
does not implement either "HttpClientInterceptorPlugin" or
"HttpClientBuilderPlugin", their servers are vulnerable to this
attack. Users who only use SSL without basic authentication, or those
who use Kerberos, are not affected.
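The defensive point in the description above is that a node name carried with an inter-node request must only ever be resolved to a host if that name is an actual member of the cluster. The following is an added example, not Solr's own code, written in Python rather than Solr's Java to show the weak resolver beside the checked one; the node-name layout `host:port_context`, the class and function names, and the sample node names are assumptions constructed for this illustration:

```python
"""Illustrative membership check for PKI-secured inter-node requests.

Added example, not code from Apache Solr. It models the advisory's point:
resolving a peer's address from a node name that was never checked against
the cluster's membership lets a name that points outside the cluster be
treated as a peer. Node-name format and all names are assumptions.
"""
import re
from dataclasses import dataclass

# Assumed layout: "<host>:<port>_<context>" (a slash in the context path is
# written as "_"), e.g. "10.0.0.1:8983_solr" -> http://10.0.0.1:8983/solr
NODE_NAME_RE = re.compile(
    r"^(?P<host>[A-Za-z0-9.\-]+):(?P<port>\d{1,5})_(?P<ctx>[A-Za-z0-9_\-]+)$"
)


class UnknownNodeError(ValueError):
    """Raised when a request names a node that is not a cluster member."""


def node_name_to_url(node_name: str, scheme: str = "http") -> str:
    """Translate a syntactically valid node name into a base URL.

    This performs only a syntax check: whatever host the name carries
    becomes the host that is contacted. On its own that is the weak
    pattern, because the caller has not established that the name belongs
    to a real cluster member.
    """
    m = NODE_NAME_RE.match(node_name)
    if m is None:
        raise ValueError(f"malformed node name: {node_name!r}")
    return f"{scheme}://{m['host']}:{m['port']}/{m['ctx']}"


@dataclass(frozen=True)
class ClusterView:
    """A snapshot of the node names the cluster currently knows as live."""

    live_nodes: frozenset

    def resolve_unchecked(self, node_name: str) -> str:
        """Weak: resolves any well-formed name, member of the cluster or not."""
        return node_name_to_url(node_name)

    def resolve_checked(self, node_name: str) -> str:
        """Hardened: refuses names that are not in the live-node set.

        The membership check runs before any URL is built, so a name that
        points outside the cluster never produces an address to contact.
        """
        if node_name not in self.live_nodes:
            raise UnknownNodeError(f"node {node_name!r} is not a cluster member")
        return node_name_to_url(node_name)


def classify(cluster: ClusterView, node_name: str) -> str:
    """Summarise how the two resolvers treat one name (for log/diagnostic use)."""
    try:
        unchecked = cluster.resolve_unchecked(node_name)
    except ValueError:
        return "malformed"
    try:
        cluster.resolve_checked(node_name)
    except UnknownNodeError:
        return f"would-contact-non-member:{unchecked}"
    return "member"


if __name__ == "__main__":
    # Constructed sample membership; addresses are documentation ranges.
    view = ClusterView(frozenset({"10.0.0.1:8983_solr", "10.0.0.2:8983_solr"}))
    for name in ("10.0.0.1:8983_solr", "203.0.113.9:8983_solr", "not-a-node"):
        print(name, "->", classify(view, name))
```

The hardened resolver treats the live-node set as the single source of truth for membership: a name is a usable peer only if the cluster already lists it, never merely because it parses. The `classify` helper exists so that an operator can log which names a checked resolver would have refused.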

6.x users should upgrade to 6.6
5.x users should obtain the latest source from git and apply this patch:

This issue was discovered by Noble Paul of Lucidworks Inc.


The Lucene PMC
