[ 
https://issues.apache.org/jira/browse/SOLR-11184?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Cassandra Targett updated SOLR-11184:
-------------------------------------
    Security: Public  (was: Private (Security Issue))

> Security vulnerability in delegation token functionality
> --------------------------------------------------------
>
>                 Key: SOLR-11184
>                 URL: https://issues.apache.org/jira/browse/SOLR-11184
>             Project: Solr
>          Issue Type: Bug
>      Security Level: Public(Default Security Level. Issues are Public) 
>          Components: security, SolrCloud
>    Affects Versions: 6.2, 6.3, 6.4, 6.4.1, 6.4.2, 6.5, 6.5.1, 6.6
>            Reporter: Shalin Shekhar Mangar
>            Assignee: Shalin Shekhar Mangar
>             Fix For: 6.6.1, 7.0, master (8.0)
>
>         Attachments: unit_test_fix.patch, zk_acl_fix.patch, 
> zk_acl_fix_6x.patch
>
>
> ---------- Forwarded message ----------
> From: Hrishikesh Gadre <gadre.s...@gmail.com>
> Date: Sat, Jul 22, 2017 at 3:59 AM
> Subject: Apache Solr - security vulnerability (delegation token functionality)
> To: secur...@apache.org
> Hi,
> We found a security vulnerability in the delegation token
> functionality in Solr. This feature was added in Solr in 6.2 release
> (SOLR-9200).
> The delegation token functionality provided by Hadoop authentication
> uses the Apache Curator framework to store the security-related metadata.
> Solr uses the /security directory to store this information.
> There are two issues with this functionality (when using a
> SecurityAwareZkACLProvider type of ACL provider, e.g.
> SaslZkACLProvider):
> (1) The ACLs for the /security znode are configured as (‘world’,’anyone’) even
> though the implementation of SecurityAwareZkACLProvider intends to
> restrict access only to the solr super user.
> (2) The znodes under the /security directory (e.g. /security/token) are
> configured just like any other configuration file (i.e. modifiable by
> the solr admin and readable by world). SecurityAwareZkACLProvider, on the
> other hand, intends to restrict access only to the solr super user.
> The possible consequences of this vulnerability are severe, e.g.
> (a) a malicious user can read the security tokens in Zookeeper and
> gain access to the Solr cluster.
> (b) a malicious user can delete the security-related metadata in
> Zookeeper and disrupt operations performed by authenticated users.
> This is possible since the (‘world’,’anyone’) permission on the /security
> directory allows an attacker to delete the child znodes under that path.
> Please find attached the patch, which includes a unit test and the fix.
> Let me know if any additional information is required from my side.
> Thanks
> Hrishikesh
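The two misconfigurations described in the report (an open ACL on /security itself, and world-readable children such as /security/token) can be checked for from the operator's side by auditing the ACLs ZooKeeper reports for the /security subtree. The following is an added example, not code from Solr or from the reporter: it parses ACL entries in the textual form printed by zkCli's `getAcl` (for instance `'world,'anyone : cdrwa`) into the standard ZooKeeper permission bitmask and flags every znode at or under /security that grants any permission to `world:anyone`. The sample ACL listing, including the child path `/security/example-child` and the `/configs/myconf` path, is constructed for the example; in practice the dictionary would be filled from `getAcl` output collected for each znode.

```python
"""Audit ZooKeeper ACLs for Solr's /security subtree (added example, not Solr code)."""
import re

# ZooKeeper permission bits (ZooDefs.Perms), listed in the order zkCli prints them.
PERMS = {"c": 4, "d": 8, "r": 1, "w": 2, "a": 16}
SECURITY_ROOT = "/security"

# One line of zkCli `getAcl` output: 'scheme,'id : perms
ACL_LINE = re.compile(r"^'(?P<scheme>[^,]+),'(?P<id>.*?)\s*:\s*(?P<perms>[cdrwa]+)$")


def parse_acl_line(line):
    """Parse one getAcl line into (scheme, id, permission bitmask)."""
    m = ACL_LINE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognized ACL line: {line!r}")
    mask = 0
    for ch in m.group("perms"):
        mask |= PERMS[ch]
    return m.group("scheme"), m.group("id"), mask


def perms_to_str(mask):
    """Render a permission bitmask back into zkCli's letter form ('-' if empty)."""
    return "".join(ch for ch, bit in PERMS.items() if mask & bit) or "-"


def audit_security_acls(acls_by_path):
    """Return (path, perms) for every znode at/under /security open to world:anyone.

    Under the intended policy only the solr super user may touch this subtree,
    so any permission at all for world:anyone is a finding, whether it is the
    fully open root (issue 1) or a world-readable child (issue 2).
    """
    findings = []
    for path, lines in acls_by_path.items():
        if path != SECURITY_ROOT and not path.startswith(SECURITY_ROOT + "/"):
            continue  # ACLs outside the /security subtree are not in scope here
        for line in lines:
            scheme, ident, mask = parse_acl_line(line)
            if scheme == "world" and ident == "anyone" and mask:
                findings.append((path, perms_to_str(mask)))
    return findings


# Constructed sample listing, as if gathered with `getAcl` per znode.
SAMPLE_ACLS = {
    "/security": ["'world,'anyone : cdrwa"],                          # issue 1: fully open
    "/security/token": ["'sasl,'solr : cdrwa", "'world,'anyone : r"],  # issue 2: world-readable
    "/security/example-child": ["'sasl,'solr : cdrwa"],               # correctly restricted
    "/configs/myconf": ["'sasl,'solr : cdrwa", "'world,'anyone : r"],  # outside subtree, ignored
}

if __name__ == "__main__":
    for path, perms in audit_security_acls(SAMPLE_ACLS):
        print(f"FINDING: {path} grants world:anyone {perms}")
```

Running the script against the sample data reports /security (cdrwa) and /security/token (r); an empty result means every znode in the subtree is restricted to a named principal, which is the state the reporter's patch is meant to establish.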



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
