[jira] [Commented] (SOLR-13301) [CVE-2019-0192] Deserialization of untrusted data via jmx.serviceUrl

Mon, 11 Mar 2019 01:54:33 -0700 


    [ 
https://issues.apache.org/jira/browse/SOLR-13301?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16789307#comment-16789307
 ] 

charlie zha commented on SOLR-13301:
------------------------------------

Hi Tomas,

In the description: ConfigAPI allows to configure Solr's JMX server via an HTTP 
POST request. "HTTP POST" does it refer to public network? or white list 
network?

Thanks,

Charlie

> [CVE-2019-0192] Deserialization of untrusted data via jmx.serviceUrl
> --------------------------------------------------------------------
>
>                 Key: SOLR-13301
>                 URL: https://issues.apache.org/jira/browse/SOLR-13301
>             Project: Solr
>          Issue Type: Bug
>      Security Level: Public(Default Security Level. Issues are Public) 
>          Components: config-api
>    Affects Versions: 5.0, 5.1, 5.2, 5.2.1, 5.3, 5.3.1, 5.3.2, 5.4, 5.4.1, 
> 5.5, 5.5.1, 5.5.2, 5.5.3, 5.5.4, 5.5.5, 6.0, 6.0.1, 6.1, 6.1.1, 6.2, 6.2.1, 
> 6.3, 6.4, 6.4.1, 6.4.2, 6.5, 6.5.1, 6.6, 6.6.1, 6.6.2, 6.6.3, 6.6.4, 6.6.5
>            Reporter: Tomás Fernández Löbbe
>            Priority: Critical
>             Fix For: 7.0
>
>         Attachments: SOLR-13301.patch
>
>
> From the vulnerability reporter:
> {quote}ConfigAPI allows to set a jmx.serviceUrl that will create a new 
> [JMXConnectorServerFactory|https://docs.oracle.com/javase/7/docs/api/javax/management/remote/JMXConnectorServerFactory.html]
>  and trigger a call with 'bind' operation to a target RMI/LDAP server. A 
> malicious RMI server could respond with arbitrary object that will be 
> deserialized on the Solr side using java's ObjectInputStream, which is 
> considered unsafe. This type of vulnerabilities can be exploited with 
> ysoserial tool. Depending on the target classpath, an attacker can use one of 
> the "gadget chains" to trigger Remote Code Execution on the Solr side.
> {quote}
> Mitigation:
>  Any of the following are enough to prevent this vulnerability:
>  * Upgrade to Apache Solr 7.0 or later.
>  * Disable the ConfigAPI if not in use, by running Solr with the system 
> property {{disable.configEdit=true}}
>  * If upgrading or disabling the Config API are not viable options, apply 
> [^SOLR-13301.patch] and re-compile Solr.
>  * Ensure your network settings are configured so that only trusted traffic 
> is allowed to ingress/egress your hosts running Solr.
> Since Solr 7.0, JMX server is no longer configurable via API



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to