[
https://issues.apache.org/jira/browse/SOLR-17418?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Houston Putman updated SOLR-17418:
----------------------------------
Security: (was: Private (Security Issue))
> ConfigSets created during a backup Restore command are trusted implicitly
> -------------------------------------------------------------------------
>
> Key: SOLR-17418
> URL: https://issues.apache.org/jira/browse/SOLR-17418
> Project: Solr
> Issue Type: Bug
> Components: Backup/Restore
> Reporter: Houston Putman
> Assignee: Houston Putman
> Priority: Blocker
> Fix For: 8.11.3, 9.7
>
> Attachments: SOLR-17418-1.patch, SOLR-17418-2.patch,
> SOLR-17418-3.patch, SOLR-17418.patch
>
>
> ConfigSets that are created via a Restore command, which basically copies a
> configSet from the backup and give it a new name, are created without setting
> the "trusted" metadata. And configSets that do not contain the flag are
> trusted implicitly if the metadata is missing.
> This can lead to an RCE if a user constructs their configSet cleverly.
> This is copied from the reproduction instructions in liuhuajin's security report:
> {quote}The following four APIs need to be known for this vulnerability:
> 1. Upload API:
> [http://127.0.0.1:8983/solr/admin/configs?action=UPLOAD&name=conf1]
> 2. Create Collection API:
> [http://127.0.0.1:8983/solr/admin/collections?action=CREATE&name=conf4&numShards=1&replicationFactor=1&wt=json&collection.configName=conf4]
> 3. BACKUP API:
> [http://127.0.0.1:8983/solr/admin/collections?action=BACKUP&collection=conf4&location=solrhome&name=conf4]
> 4. RESTORE Backup API:
> [http://127.0.0.1:8983/solr/admin/collections?action=RESTORE&collection=fy3&location=solrhome\server\solr\conf4\conf4\zk_backup_0\configs&name=conf4&collection.configName=noExist]
> Step one:
> I uploaded the malicious zip via the first API. The malicious zip contains a
> normal configuration set and backed up data.
> The key files are as follows:
> /solrconfig.xml --(Normal solrconfig.xml)
> /conf4/zk_backup_0/configs/conf4/solrconfig.xml (malicious solrconfig.xml)
> {quote}
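The trust decision described in this issue, as an added sketch that is not Solr's code or any of the attached patches: it contrasts "missing flag means trusted" with a fail-closed check, stamps an explicit flag on a restored configSet, and lists configSets whose trust rests on a default. The JSON `{"trusted": ...}` metadata layout, the store dictionary and every function name are assumptions of this example.

```python
import json

# Constructed sample: configSet name -> raw metadata bytes stored with it.
# The JSON {"trusted": bool} layout is an assumption of this sketch.
SAMPLE_STORE = {
    "conf1": b'{"trusted": false}',     # explicitly untrusted
    "ops_default": b'{"trusted": true}',
    "noExist": None,                    # created by a restore: no metadata at all
    "legacy": b"",                      # empty metadata
    "odd": b'{"trusted": "yes"}',       # non-boolean value
}

def explicit_flag(raw):
    """Return True/False for an explicit boolean flag, None if absent or unusable."""
    if not raw:
        return None
    try:
        meta = json.loads(raw)
    except ValueError:  # covers malformed JSON and undecodable bytes
        return None
    flag = meta.get("trusted") if isinstance(meta, dict) else None
    return flag if isinstance(flag, bool) else None

def trusted_implicit(raw):
    """Behaviour described in the issue: a missing flag counts as trusted."""
    flag = explicit_flag(raw)
    return True if flag is None else flag

def trusted_fail_closed(raw):
    """Hardened evaluation: only an explicit true grants trust."""
    return explicit_flag(raw) is True

def restore_copy(store, new_name, requester_trusted):
    """Hardened restore step: always stamp the new configSet with an explicit flag."""
    store[new_name] = json.dumps({"trusted": bool(requester_trusted)}).encode()

def audit(store):
    """Names of configSets whose trust would be decided by a default."""
    return sorted(n for n, raw in store.items() if explicit_flag(raw) is None)

if __name__ == "__main__":
    for name in audit(SAMPLE_STORE):
        print("no explicit trusted flag:", name)
```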