[jira] (SOLR-16777) Schema Designer blindly "trusts" potentially malicious configset

Mon, 01 May 2023 23:31:06 -0700 


    [ https://issues.apache.org/jira/browse/SOLR-16777 ]


    Noble Paul deleted comment on SOLR-16777:
    -----------------------------------

was (Author: noble.paul):
{quote}I think the code should be determining if the user is trusted and then 
passing the correct value. 
{quote}
Actually no. We deliberately made this choice not to allow untrusted features 
for configsets uploaded though API 

> Schema Designer blindly "trusts" potentially malicious configset
> ----------------------------------------------------------------
>
>                 Key: SOLR-16777
>                 URL: https://issues.apache.org/jira/browse/SOLR-16777
>             Project: Solr
>          Issue Type: Bug
>    Affects Versions: 9.0, 8.10, 8.11.2, 9.1, 9.2, 9.1.1
>            Reporter: Ishan Chattopadhyaya
>            Assignee: Ishan Chattopadhyaya
>            Priority: Blocker
>             Fix For: 9.2.2
>
>         Attachments: SOLR-16777.patch
>
>          Time Spent: 0.5h
>  Remaining Estimate: 0h
>
> When configset API is used to upload configsets by unauthenticated users, a 
> "trusted: false" flag is set on the configset. Such configsets cannot use the 
> <lib> directive to load classes while creating/loading collections. Details 
> here: https://solr.apache.org/guide/8_10/configsets-api.html#configsets-upload
> Unfortunately, this safety mechanism was bypassed in the schema designer when 
> a isConfigsetTrusted was hardcoded to true. 
> [https://github.com/apache/solr/blob/branch_9_1/solr/core/src/java/org/apache/solr/handler/designer/SchemaDesignerConfigSetHelper.java#L697]
>  
> As per Skay's report 
> [https://twitter.com/Skay_00/status/1646870062601756672|https://twitter.com/Skay_00/status/1646870062601756672),]
>  remote code execution is possible in unsecured Solr clusters where 
> authentication hasn't been enabled. This ticket is to mitigate one aspect of 
> that, i.e. the schema designer vulnerability. While our recommendation to all 
> users remains the same, i.e. to secure Solr installations with authentication 
> and authorization, I thank Skay for his detailed report.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to