[ https://issues.apache.org/jira/browse/SOLR-14025?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Erik Hatcher updated SOLR-14025: -------------------------------- Security: Public (was: Private (Security Issue)) > Velocity response writer RCE vulnerability persists after 8.3.1 > --------------------------------------------------------------- > > Key: SOLR-14025 > URL: https://issues.apache.org/jira/browse/SOLR-14025 > Project: Solr > Issue Type: Bug > Security Level: Public(Default Security Level. Issues are Public) > Components: contrib - Velocity > Affects Versions: 8.3.1 > Reporter: Ishan Chattopadhyaya > Assignee: Erik Hatcher > Priority: Blocker > Fix For: 8.4 > > Attachments: SOLR-14025.patch, SOLR-14025.patch, SOLR-14025.patch, > SOLR-14025.patch, SOLR-14025.patch > > > [~gezapeti] from Cloudera kindly reported this to me: > {code} > Hi Ishan! I’d like to raise (yet an other) issue with SOLR-13971 and the > Velocity templates. I’m working at Cloudera on Solr and have taken the time > to test out whether the fix in 8.3.1 is sufficient to mitigate the issue. The > sad thing is: It’s possible to upload a properties file into ZK and add the > resource loaders in that file. I think we should add yet-an-other option to > make the init-from-property file functionality off by default. > https://github.com/apache/lucene-solr/blob/master/solr/contrib/velocity/src/java/org/apache/solr/response/VelocityResponseWriter.java#L73 > this property loads the file here > https://github.com/apache/lucene-solr/blob/master/solr/contrib/velocity/src/java/org/apache/solr/response/VelocityResponseWriter.java#L141 > solr/contrib/velocity/src/java/org/apache/solr/response/VelocityResponseWriter.java:73 > <https://github.com/apache/lucene-solr|apache/lucene-solr>apache/lucene-solr > | Added by GitHub > solr/contrib/velocity/src/java/org/apache/solr/response/VelocityResponseWriter.java:141 > <https://github.com/apache/lucene-solr|apache/lucene-solr>apache/lucene-solr > | Added by GitHub > {code} > Seems like our mitigation wasn't good enough, there's another way to load > resources. > I've requested him to follow procedure here > (https://cwiki.apache.org/confluence/display/solr/SolrSecurity). Meanwhile, I > opened this JIRA anyway. -- This message was sent by Atlassian Jira (v8.3.4#803005) --------------------------------------------------------------------- To unsubscribe, e-mail: issues-unsubscr...@lucene.apache.org For additional commands, e-mail: issues-h...@lucene.apache.org