[ https://issues.apache.org/jira/browse/SOLR-14025?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Erik Hatcher updated SOLR-14025:
--------------------------------
    Security: Public  (was: Private (Security Issue))

> Velocity response writer RCE vulnerability persists after 8.3.1
> ---------------------------------------------------------------
>
>                 Key: SOLR-14025
>                 URL: https://issues.apache.org/jira/browse/SOLR-14025
>             Project: Solr
>          Issue Type: Bug
>      Security Level: Public (Default Security Level. Issues are Public)
>          Components: contrib - Velocity
>    Affects Versions: 8.3.1
>            Reporter: Ishan Chattopadhyaya
>            Assignee: Erik Hatcher
>            Priority: Blocker
>             Fix For: 8.4
>
>         Attachments: SOLR-14025.patch, SOLR-14025.patch, SOLR-14025.patch, 
> SOLR-14025.patch, SOLR-14025.patch
>
>
> [~gezapeti] from Cloudera kindly reported this to me:
> {code}
> Hi Ishan! I’d like to raise (yet another) issue with SOLR-13971 and the 
> Velocity templates. I’m working at Cloudera on Solr and have taken the time 
> to test out whether the fix in 8.3.1 is sufficient to mitigate the issue. The 
> sad thing is: It’s possible to upload a properties file into ZK and add the 
> resource loaders in that file. I think we should add yet another option to 
> make the init-from-property file functionality off by default.
> https://github.com/apache/lucene-solr/blob/master/solr/contrib/velocity/src/java/org/apache/solr/response/VelocityResponseWriter.java#L73
>  this property loads the file here 
> https://github.com/apache/lucene-solr/blob/master/solr/contrib/velocity/src/java/org/apache/solr/response/VelocityResponseWriter.java#L141
> {code}
> Seems like our mitigation wasn't good enough; there's another way to load 
> resources.
> I've requested him to follow procedure here 
> (https://cwiki.apache.org/confluence/display/solr/SolrSecurity). Meanwhile, I 
> opened this JIRA anyway.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscr...@lucene.apache.org
For additional commands, e-mail: issues-h...@lucene.apache.org
