[ https://issues.apache.org/jira/browse/SOLR-13949?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
David Smiley updated SOLR-13949:
--------------------------------
    Security:   (was: Private (Security Issue))

I'm removing the Security Level as this is not about any vulnerability but a safety/preventative technique.

> Security peace of mind: use forbidden APIs to prohibit (future) use of third-party dep APIs that are exploitable
> ----------------------------------------------------------------------------------------------------------------
>
>                 Key: SOLR-13949
>                 URL: https://issues.apache.org/jira/browse/SOLR-13949
>             Project: Solr
>          Issue Type: Improvement
>            Reporter: Chris M. Hostetter
>            Priority: Major
>         Attachments: SOLR-13949.patch
>
>
> An example of a situation that could lead to a general purpose approach to addressing concerns about security vulnerabilities in third-party libraries used by solr, but not exploitable via solr...
> ----
> jackson-databind has had an onslaught of CVEs filed against it since ~2017 related to exploitable "gadgets" when dealing with polymorphic type handling...
> * [https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062]
> * [https://medium.com/@cowtowncoder/jackson-2-10-features-cd880674d8a2]
> Solr doesn't use polymorphic type handling in jackson-databind, but it might help give folks using automated vulnerability scanners peace of mind if we configured forbidden-apis to prohibit any (hypothetical future) attempt at using the jackson APIs that enable polymorphic type handling...
> * {{JsonTypeInfo.Id.CLASS}}
> * {{ObjectMapper.enableDefaultTyping(...)}}
> * {{ObjectMapper.activateDefaultTyping(...)}}
> ** This is the "safe" version introduced in 2.10 (which we don't even use yet) that requires a whitelist of safe polymorphic packages/classes - but we should prohibit it too just to prevent any future concern about people misusing it.
> ...we could then update the Security wiki page row related to jackson to indicate that any _additional_ CVEs related to polymorphic typing, regardless of jackson version, are not applicable to solr due to build system enforced constraints preventing the use of polymorphic type handling
> ----
> This general approach could probably be applied to other situations where library X has functionality Y that is exploitable, but only when using method/class {{Y.doSomeYStuff(...)}} ... if we don't currently need to use that functionality, why not blacklist via forbidden APIs to ensure it never gets (mis)used?
> (NOTE: I've set the security level of this issue to "private" purely in an effort to reduce the panic that frequently occurs anytime an issue mentions security and isn't immediately followed by a patch release)
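As an illustration of the proposal quoted above, here is a forbidden-apis signatures file covering the three Jackson entry points listed in the issue. It is an added example, not the SOLR-13949.patch attachment; it assumes the forbidden-apis signature syntax (fully qualified class#member, nested classes written with '$', an optional trailing '@ message') and the enableDefaultTyping/activateDefaultTyping overload lists of jackson-databind 2.9/2.10 as recalled here, which should be checked against the version actually on the classpath.

```text
# Added example signatures file for forbidden-apis (not the patch attached to
# SOLR-13949). One signature per line; '#' starts a comment. Overload lists are
# assumed from jackson-databind 2.9/2.10 and must be verified for the version used.

@defaultMessage Polymorphic type handling (default typing) is not used by Solr; see SOLR-13949

# Annotation-driven polymorphic typing, i.e. @JsonTypeInfo(use = JsonTypeInfo.Id.CLASS)
com.fasterxml.jackson.annotation.JsonTypeInfo$Id#CLASS

# Legacy (pre-2.10) default typing, every overload
com.fasterxml.jackson.databind.ObjectMapper#enableDefaultTyping()
com.fasterxml.jackson.databind.ObjectMapper#enableDefaultTyping(com.fasterxml.jackson.databind.ObjectMapper$DefaultTyping)
com.fasterxml.jackson.databind.ObjectMapper#enableDefaultTyping(com.fasterxml.jackson.databind.ObjectMapper$DefaultTyping,com.fasterxml.jackson.annotation.JsonTypeInfo$As)
com.fasterxml.jackson.databind.ObjectMapper#enableDefaultTypingAsProperty(com.fasterxml.jackson.databind.ObjectMapper$DefaultTyping,java.lang.String)

# 2.10 allowlist-based default typing; prohibited as well, as the issue proposes
com.fasterxml.jackson.databind.ObjectMapper#activateDefaultTyping(com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator)
com.fasterxml.jackson.databind.ObjectMapper#activateDefaultTyping(com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator,com.fasterxml.jackson.databind.ObjectMapper$DefaultTyping)
com.fasterxml.jackson.databind.ObjectMapper#activateDefaultTyping(com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator,com.fasterxml.jackson.databind.ObjectMapper$DefaultTyping,com.fasterxml.jackson.annotation.JsonTypeInfo$As)
com.fasterxml.jackson.databind.ObjectMapper#activateDefaultTypingAsProperty(com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator,com.fasterxml.jackson.databind.ObjectMapper$DefaultTyping,java.lang.String)
```

forbidden-apis inspects only the project's own compiled classes, so a file like this guarantees that Solr code never calls these APIs; it says nothing about what bundled libraries do internally, which is why the issue frames the result as "not exploitable via solr" rather than as a fix inside jackson-databind.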