[ https://issues.apache.org/jira/browse/SOLR-11184?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Cassandra Targett updated SOLR-11184:
-------------------------------------
    Security: Public  (was: Private (Security Issue))

> Security vulnerability in delegation token functionality
> --------------------------------------------------------
>
>                 Key: SOLR-11184
>                 URL: https://issues.apache.org/jira/browse/SOLR-11184
>             Project: Solr
>          Issue Type: Bug
>      Security Level: Public (Default Security Level. Issues are Public)
>          Components: security, SolrCloud
>    Affects Versions: 6.2, 6.3, 6.4, 6.4.1, 6.4.2, 6.5, 6.5.1, 6.6
>            Reporter: Shalin Shekhar Mangar
>            Assignee: Shalin Shekhar Mangar
>             Fix For: 6.6.1, 7.0, master (8.0)
>
>         Attachments: unit_test_fix.patch, zk_acl_fix.patch, zk_acl_fix_6x.patch
>
>
> ---------- Forwarded message ----------
> From: Hrishikesh Gadre <gadre.s...@gmail.com>
> Date: Sat, Jul 22, 2017 at 3:59 AM
> Subject: Apache Solr - security vulnerability (delegation token functionality)
> To: secur...@apache.org
>
> Hi,
>
> We found a security vulnerability in the delegation token
> functionality in Solr. This feature was added in Solr in the 6.2 release
> (SOLR-9200).
>
> The delegation token functionality provided by Hadoop authentication
> uses the Apache Curator framework to store the security related metadata.
> Solr uses the /security directory to store this information.
>
> There are two issues with this functionality (when using a
> SecurityAwareZkACLProvider type of ACL provider, e.g.
> SaslZkACLProvider):
>
> The ACLs for the /security znode are configured as ('world','anyone') even
> though the implementation of SecurityAwareZkACLProvider intends to
> restrict access only to the Solr super user.
>
> The znodes under the /security directory (e.g. /security/token) are
> configured just like any other configuration file (i.e. modifiable by
> the Solr admin and readable by world). SecurityAwareZkACLProvider, on the
> other hand, intends to restrict access only to the Solr super user.
>
> The possible consequences of this vulnerability are severe, e.g.
> (a) a malicious user can read the security tokens in ZooKeeper and
> gain access to the Solr cluster.
>
> (b) a malicious user can delete the security related metadata in
> ZooKeeper and disrupt operations performed by authenticated users.
> This is possible since the ('world','anyone') permission on the /security
> directory allows an attacker to delete the child znodes under that path.
>
> Please find the attached patch, which includes a unit test and the fix.
>
> Let me know if any additional information is required from my side.
>
> Thanks
> Hrishikesh

--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
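The two ACL policies the report contrasts, and the checks behind consequences (a) and (b), as an added example that is not part of the JIRA issue or of Solr's code. It is a simplified model: the permission bits and the `digest` id format match ZooKeeper's, but the provider functions, the znode paths and the credentials are constructed for illustration (the real SaslZkACLProvider uses the `sasl` scheme rather than `digest`). The audit asks what an unauthenticated client can do to each znode under /security; because ZooKeeper authorises delete() against the parent's ACL, a world-writable /security is what lets its children be removed.

```python
# Added example (not Solr's code): a simplified model of the two ZooKeeper ACL
# policies the report contrasts, plus an audit that asks what an unauthenticated
# client can do under /security. Perm bits and the digest id format match ZooKeeper;
# the provider functions, paths and credentials are constructed for illustration.
import base64
import hashlib
from dataclasses import dataclass

# Permission bits from org.apache.zookeeper.ZooDefs.Perms
READ, WRITE, CREATE, DELETE, ADMIN = 1, 2, 4, 8, 16
ALL = READ | WRITE | CREATE | DELETE | ADMIN

SECURITY_ROOT = "/security"   # subtree the report says must be super-user only


@dataclass(frozen=True)
class Acl:
    perms: int
    scheme: str   # "world" or "digest"
    id: str       # "anyone" or "user:base64(sha1(user:password))"


def digest_id(user: str, password: str) -> str:
    """ZooKeeper 'digest' scheme id, computed the same way as
    DigestAuthenticationProvider.generateDigest(user + ":" + password)."""
    raw = f"{user}:{password}".encode()
    return f"{user}:{base64.b64encode(hashlib.sha1(raw).digest()).decode()}"


def is_security_path(path: str) -> bool:
    return path == SECURITY_ROOT or path.startswith(SECURITY_ROOT + "/")


def weak_acls(path: str, admin_id: str) -> list:
    """ACLs as the report describes the vulnerable behaviour: /security itself is
    ('world','anyone') with full rights, and its children get the ordinary
    'admin can do anything, world can read' policy used for config files."""
    if path == SECURITY_ROOT:
        return [Acl(ALL, "world", "anyone")]
    return [Acl(ALL, "digest", admin_id), Acl(READ, "world", "anyone")]


def fixed_acls(path: str, admin_id: str) -> list:
    """Intended behaviour: every znode in the /security subtree is accessible only
    to the Solr super user; other znodes keep the admin-ALL + world-READ policy."""
    if is_security_path(path):
        return [Acl(ALL, "digest", admin_id)]
    return [Acl(ALL, "digest", admin_id), Acl(READ, "world", "anyone")]


def anonymous_perms(acls: list) -> int:
    """Bits granted to a client that has not authenticated: only world:anyone applies."""
    bits = 0
    for acl in acls:
        if (acl.scheme, acl.id) == ("world", "anyone"):
            bits |= acl.perms
    return bits


def audit(provider, admin_id: str, paths: list) -> dict:
    """Map each /security znode to what an anonymous client could do to it.
    DELETE is reported as 'delete children' because ZooKeeper checks the DELETE
    bit on the parent when a child znode is removed."""
    findings = {}
    for path in paths:
        if not is_security_path(path):
            continue
        perms = anonymous_perms(provider(path, admin_id))
        problems = []
        if perms & READ:
            problems.append("world can read")             # consequence (a): token material exposed
        if perms & DELETE:
            problems.append("world can delete children")  # consequence (b): disrupt authenticated users
        if perms & (WRITE | CREATE | ADMIN):
            problems.append("world can modify")
        if problems:
            findings[path] = problems
    return findings


if __name__ == "__main__":
    admin = digest_id("solr", "SolrRocks")   # constructed credentials, not a real deployment's
    znodes = ["/security", "/security/token", "/configs/mycoll/solrconfig.xml"]  # constructed paths
    print("vulnerable:", audit(weak_acls, admin, znodes))   # /security and /security/token flagged
    print("fixed:     ", audit(fixed_acls, admin, znodes))  # {}
```

Against a live cluster the equivalent check is `getAcl /security` and `getAcl /security/token` in zkCli.sh after the ACL provider has been applied: any `'world,'anyone` entry under /security with more than no permissions is the condition the report describes.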