Re: CVE-2017-7525 fix for Solr 7.7.x
Kevin & Colvin,

Thanks for this detailed response.

Lotfi

On Thu, Dec 19, 2019 at 11:59 AM Colvin Cowie wrote:

> Sorry, in Solr 8 and master there are some additional users of Jackson. But
> they still don't appear to use default typing or unrestricted subtypes.
Re: CVE-2017-7525 fix for Solr 7.7.x
Sorry, in Solr 8 and master there are some additional users of Jackson. But they still don't appear to use default typing or unrestricted subtypes.

On Thu, 19 Dec 2019 at 16:50, Colvin Cowie wrote:

> Hi,
>
> We've got users on Solr 6 (and use Jackson ourselves), so I had a look at
> this CVE and related Jackson exploits, to see whether they are actually
> exploitable in Solr.
>
> - What parts of Solr actually use Jackson (I thought noggit was used
>   for the JSON de/serialization)?
> - Do any of the object mappers used enable default typing? (which is
>   necessary to exploit CVE-2017-7525
>   https://adamcaudill.com/2017/10/04/exploiting-jackson-rce-cve-2017-7525/ )
> - Is polymorphism used with Jackson without restricting subtypes (e.g.
>   @JsonTypeInfo with JsonTypeInfo.Id.CLASS, which allows other exploits like
>   CVE-2017-15095
>   https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062 )
>
> Aside from test classes, the only users of Jackson appear to be
>
> - org.apache.solr.analytics.AnalyticsRequestParser
> - org.apache.solr.prometheus.scraper.SolrScraper
>
> From what I can see in the source on master and the 7_7 branch default
> typing isn't ever enabled, and @JsonTypeInfo is restricted to named
> subtypes.
>
> In the 6_6 branch source it seems Jackson is only used in a handful of
> tests.
> Prior to Solr 6.3 (https://issues.apache.org/jira/browse/SOLR-9589)
> org.apache.solr.client.solrj.response.DelegationTokenResponse.JsonMapResponseParser
> constructed an ObjectMapper without configuration.
>
> So, as far as I can see, the polymorphic deserialization Remote Code
> Execution vulnerabilities on (older versions of) Jackson shouldn't actually
> be exploitable in Solr 7.7... but I could be wrong, and new vulnerabilities
> may still be discovered.
>
> Colvin
Re: CVE-2017-7525 fix for Solr 7.7.x
Hi,

We've got users on Solr 6 (and use Jackson ourselves), so I had a look at this CVE and related Jackson exploits, to see whether they are actually exploitable in Solr.

- What parts of Solr actually use Jackson (I thought noggit was used for the JSON de/serialization)?
- Do any of the object mappers used enable default typing? (which is necessary to exploit CVE-2017-7525 https://adamcaudill.com/2017/10/04/exploiting-jackson-rce-cve-2017-7525/ )
- Is polymorphism used with Jackson without restricting subtypes (e.g. @JsonTypeInfo with JsonTypeInfo.Id.CLASS, which allows other exploits like CVE-2017-15095 https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062 )

Aside from test classes, the only users of Jackson appear to be

- org.apache.solr.analytics.AnalyticsRequestParser
- org.apache.solr.prometheus.scraper.SolrScraper

From what I can see in the source on master and the 7_7 branch default typing isn't ever enabled, and @JsonTypeInfo is restricted to named subtypes.

In the 6_6 branch source it seems Jackson is only used in a handful of tests.
Prior to Solr 6.3 (https://issues.apache.org/jira/browse/SOLR-9589) org.apache.solr.client.solrj.response.DelegationTokenResponse.JsonMapResponseParser constructed an ObjectMapper without configuration.

So, as far as I can see, the polymorphic deserialization Remote Code Execution vulnerabilities on (older versions of) Jackson shouldn't actually be exploitable in Solr 7.7... but I could be wrong, and new vulnerabilities may still be discovered.

Colvin

On Wed, 18 Dec 2019 at 18:16, Kevin Risden wrote:

> There are no specific plans for any 7.x branch releases that I'm aware of.
> Specifically for SOLR-13110, that required upgrading Hadoop 2.x to 3.x for
> specifically jackson-mapper-asl and there are no plans to backport that to
> 7.x even if there was a future 7.x release.
>
> Kevin Risden
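The two conditions Colvin checks for (an ObjectMapper with default typing enabled, and @JsonTypeInfo left open to arbitrary class names) can be made concrete with a small Jackson example. This is added illustration code, not from Solr or from anyone in the thread; the `Shape`, `Circle` and `Square` types are made up, and the allow-list variant assumes Jackson 2.10 or later.

```java
import com.fasterxml.jackson.annotation.JsonSubTypes;
import com.fasterxml.jackson.annotation.JsonTypeInfo;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.InvalidTypeIdException;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public class JacksonTypingCheck {
    // Hypothetical model: the type id carried in the JSON is a short name, and
    // the set of admissible names is closed by @JsonSubTypes (the "named subtypes"
    // pattern the thread reports for Solr), not a class name via Id.CLASS.
    @JsonTypeInfo(use = JsonTypeInfo.Id.NAME, property = "type")
    @JsonSubTypes({
        @JsonSubTypes.Type(value = Circle.class, name = "circle"),
        @JsonSubTypes.Type(value = Square.class, name = "square")
    })
    interface Shape {}
    public static class Circle implements Shape { public double radius; }
    public static class Square implements Shape { public double side; }

    // Weak: global default typing lets the JSON document choose the class to
    // instantiate for Object/abstract-typed properties. This is the
    // precondition for CVE-2017-7525 that the thread checks Solr does not meet.
    static ObjectMapper weakMapper() {
        return new ObjectMapper().enableDefaultTyping(); // deprecated since 2.10
    }
    // Hardened: no default typing; polymorphism only via the closed subtype list.
    static ObjectMapper restrictedMapper() {
        return new ObjectMapper();
    }

    // If default typing is genuinely required (Jackson 2.10+), gate it behind an
    // allow-list validator instead of admitting every class on the classpath.
    static ObjectMapper allowListedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType(Shape.class).build();
        return new ObjectMapper().activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL);
    }

    public static void main(String[] args) throws Exception {
        ObjectMapper safe = restrictedMapper();
        Shape s = safe.readValue("{\"type\":\"circle\",\"radius\":2.0}", Shape.class);
        System.out.println(s.getClass().getSimpleName());
        try { // a type id outside the @JsonSubTypes list is rejected, not resolved
            safe.readValue("{\"type\":\"java.lang.Object\"}", Shape.class);
        } catch (InvalidTypeIdException e) {
            System.out.println("rejected unknown type id: " + e.getTypeId());
        }
    }
}
```

Auditing a codebase for this comes down to grepping for `enableDefaultTyping`/`activateDefaultTyping` and for `@JsonTypeInfo(use = JsonTypeInfo.Id.CLASS ...)` without an accompanying `@JsonSubTypes`, which is essentially the check Colvin describes performing against the Solr branches.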
Re: CVE-2017-7525 fix for Solr 7.7.x
There are no specific plans for any 7.x branch releases that I'm aware of. Specifically for SOLR-13110, that required upgrading Hadoop 2.x to 3.x for specifically jackson-mapper-asl and there are no plans to backport that to 7.x even if there was a future 7.x release.

Kevin Risden

On Wed, Dec 18, 2019 at 8:44 AM Mehai, Lotfi wrote:

> Hello;
>
> We are using Solr 7.7.0. The CVE-2017-7525 has been fixed for Solr 8.x.
> https://issues.apache.org/jira/browse/SOLR-13110
>
> When will the fix be available for Solr 7.7.x?
>
> Lotfi
CVE-2017-7525 fix for Solr 7.7.x
Hello;

We are using Solr 7.7.0. The CVE-2017-7525 has been fixed for Solr 8.x.
https://issues.apache.org/jira/browse/SOLR-13110

When will the fix be available for Solr 7.7.x?

Lotfi