[
https://issues.apache.org/jira/browse/SOLR-13750?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Tomás Fernández Löbbe updated SOLR-13750:
-----------------------------------------
Security: Public (was: Private (Security Issue))
> [CVE-2019-12401] XML Bomb in Apache Solr versions prior to 5.0.0
> ----------------------------------------------------------------
>
> Key: SOLR-13750
> URL: https://issues.apache.org/jira/browse/SOLR-13750
> Project: Solr
> Issue Type: Bug
> Security Level: Public(Default Security Level. Issues are Public)
> Affects Versions: 1.3, 1.4, 1.4.1, 3.1, 3.2, 3.3, 3.4, 3.5, 3.6, 3.6.1,
> 3.6.2, 4.0, 4.1, 4.2, 4.2.1, 4.3, 4.3.1, 4.4, 4.5, 4.5.1, 4.6, 4.6.1, 4.7,
> 4.7.1, 4.7.2, 4.8, 4.8.1, 4.9, 4.9.1, 4.10, 4.10.1, 4.10.2, 4.10.3, 4.10.4
> Reporter: Tomás Fernández Löbbe
> Priority: Major
> Fix For: 5.0
>
>
> Severity: Medium
> Vendor: The Apache Software Foundation
> Versions Affected:
> 1.3.0 to 1.4.1
> 3.1.0 to 3.6.2
> 4.0.0 to 4.10.4
> Description:
> Solr versions prior to 5.0.0 are vulnerable to an XML resource consumption
> attack (a.k.a. Lol Bomb) via it’s update handler.
> By leveraging XML DOCTYPE and ENTITY type elements, the attacker can create
> a pattern that will expand when the server parses the XML causing OOMs.
> Mitigation:
> * Upgrade to Apache Solr 5.0 or later.
> * Ensure your network settings are configured so that only trusted traffic
> is allowed to post documents to the running Solr instances.
> Credit:
> Matei "Mal" Badanoiu
--
This message was sent by Atlassian Jira
(v8.3.2#803003)
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@lucene.apache.org
For additional commands, e-mail: dev-h...@lucene.apache.org
