[
https://issues.apache.org/jira/browse/SOLR-10624?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Shalin Shekhar Mangar resolved SOLR-10624.
------------------------------------------
Resolution: Fixed
> Security Vulnerability in secure inter-node communication in Apache Solr
> ------------------------------------------------------------------------
>
> Key: SOLR-10624
> URL: https://issues.apache.org/jira/browse/SOLR-10624
> Project: Solr
> Issue Type: Bug
> Security Level: Public(Default Security Level. Issues are Public)
> Components: security, SolrCloud
> Affects Versions: 5.3, 5.5.4, 6.5, 6.5.1
> Reporter: Shalin Shekhar Mangar
> Assignee: Noble Paul
> Priority: Critical
> Fix For: 5.5.5, 7.0, 6.6
>
>
> Solr uses a PKI based mechanism to secure inter-node communication
> when security is enabled. It is possible to fake it by cleverly
> constructing a node name that does not exist and pointing to the
> attackers machine. This means, the system is only as secure as an
> unprotected Solr while the user believes it is secure.
> who is affected?
> This feature was introduced in SOLR-7849 (Solr 5.3). So, every release
> after 5.3 is vulnerable if they use this feature. Systems using
> BasicAuth are affected and any custom authentication implementations
> using this feature may also be vulnerable. However, Kerberos users are
> unaffected.
> What is the fix?
> The fix includes checking if the node name is actually a member of the
> live_nodes set.
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
