[jira] [Commented] (SOLR-11482) CVE-2017-12629: Remove RunExecutableListener from Solr

Wed, 18 Oct 2017 05:37:23 -0700 

    [ 
https://issues.apache.org/jira/browse/SOLR-11482?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16209256#comment-16209256
 ] 

Uwe Schindler commented on SOLR-11482:
--------------------------------------

Thanks, +1

> CVE-2017-12629: Remove RunExecutableListener from Solr
> ------------------------------------------------------
>
>                 Key: SOLR-11482
>                 URL: https://issues.apache.org/jira/browse/SOLR-11482
>             Project: Solr
>          Issue Type: Task
>      Security Level: Public(Default Security Level. Issues are Public) 
>          Components: security, Server
>            Reporter: Uwe Schindler
>            Assignee: Uwe Schindler
>            Priority: Blocker
>             Fix For: 5.5.5, 7.1, 7.2, master (8.0), 6.6.2
>
>         Attachments: SOLR-11482-6.6.patch, 
> SOLR-11482-branch_5_5-restore-logged-warning.patch, SOLR-11482.patch
>
>
> This class should no longer be needed, as replication can be done through 
> Solr Cloud or via ReplicationHandler. The current listener is a security 
> risk, as it can be configured through the Config API. See the report:
> Solr "RunExecutableListener" class can be used to execute arbitrary commands 
> on specific events, for example after each update query. The problem is that 
> such listener can be enabled with any parameters just by using Config API 
> with add-listener command.
> {noformat}
> POST /solr/newcollection/config HTTP/1.1
> Host: localhost:8983
> Connection: close
> Content-Type: application/json  
> Content-Length: 198
> {
>   "add-listener" : {
>     "event":"postCommit",
>     "name":"newlistener",
>     "class":"solr.RunExecutableListener",
>     "exe":"ANYCOMMAND",
>     "dir":"/usr/bin/",
>     "args":["ANYARGS"]
>   }
> }
> {noformat}
> Parameters "exe", "args" and "dir" can be crafted throught the HTTP request 
> during modification of the collection's config. This means that anybody who 
> can send a HTTP request to Solr API is able to execute arbitrary shell 
> commands when "postCommit" event is fired. It leads to execution of arbitrary 
> remote code for a remote attacker.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to