[jira] [Updated] (SOLR-14025) CVE-2019-17558: Velocity response writer RCE vulnerability persists after 8.3.1

Wed, 19 Feb 2020 12:16:09 -0800 


     [ 
https://issues.apache.org/jira/browse/SOLR-14025?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Houston Putman updated SOLR-14025:
----------------------------------
    Fix Version/s: 7.7.3

> CVE-2019-17558: Velocity response writer RCE vulnerability persists after 
> 8.3.1
> -------------------------------------------------------------------------------
>
>                 Key: SOLR-14025
>                 URL: https://issues.apache.org/jira/browse/SOLR-14025
>             Project: Solr
>          Issue Type: Bug
>          Components: contrib - Velocity
>    Affects Versions: 8.3.1
>            Reporter: Ishan Chattopadhyaya
>            Assignee: Erik Hatcher
>            Priority: Blocker
>             Fix For: 7.7.3, 8.4
>
>         Attachments: SOLR-14025.patch, SOLR-14025.patch, SOLR-14025.patch, 
> SOLR-14025.patch, SOLR-14025.patch
>
>
> [~gezapeti] from Cloudera kindly reported this to me:
> {code}
> Hi Ishan! I’d like to raise (yet an other) issue with SOLR-13971 and the 
> Velocity templates. I’m working at Cloudera on Solr and have taken the time 
> to test out whether the fix in 8.3.1 is sufficient to mitigate the issue. The 
> sad thing is: It’s possible to upload a properties file into ZK and add the 
> resource loaders in that file. I think we should add yet-an-other option to 
> make the init-from-property file functionality off by default.
> https://github.com/apache/lucene-solr/blob/master/solr/contrib/velocity/src/java/org/apache/solr/response/VelocityResponseWriter.java#L73
>  this property loads the file here 
> https://github.com/apache/lucene-solr/blob/master/solr/contrib/velocity/src/java/org/apache/solr/response/VelocityResponseWriter.java#L141
> solr/contrib/velocity/src/java/org/apache/solr/response/VelocityResponseWriter.java:73
> <https://github.com/apache/lucene-solr|apache/lucene-solr>apache/lucene-solr 
> | Added by GitHub
> solr/contrib/velocity/src/java/org/apache/solr/response/VelocityResponseWriter.java:141
> <https://github.com/apache/lucene-solr|apache/lucene-solr>apache/lucene-solr 
> | Added by GitHub
> {code}
> Seems like our mitigation wasn't good enough, there's another way to load 
> resources.
> I've requested him to follow procedure here 
> (https://cwiki.apache.org/confluence/display/solr/SolrSecurity). Meanwhile, I 
> opened this JIRA anyway.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to