Re: [CVE-2020-13957] The checks added to unauthenticated configset uploads in Apache Solr can be circumvented
Thanks Bernd, I missed 6.6.6 because it's not marked as a released version in Jira. 6.6.6 is also affected.

On Mon, Oct 12, 2020 at 11:47 PM Bernd Fehling <bernd.fehl...@uni-bielefeld.de> wrote:
> Good to know that Version 6.6.6 is not affected, so I am safe ;-)
>
> Regards
> Bernd
Re: [CVE-2020-13957] The checks added to unauthenticated configset uploads in Apache Solr can be circumvented
Good to know that Version 6.6.6 is not affected, so I am safe ;-)

Regards
Bernd
[CVE-2020-13957] The checks added to unauthenticated configset uploads in Apache Solr can be circumvented
Severity: High

Vendor: The Apache Software Foundation

Versions Affected:
6.6.0 to 6.6.5
7.0.0 to 7.7.3
8.0.0 to 8.6.2

Description:
Solr prevents some features considered dangerous (which could be used for remote code execution) from being configured in a ConfigSet that's uploaded via API without authentication/authorization. The checks in place to prevent such features can be circumvented by using a combination of UPLOAD/CREATE actions.

Mitigation:
Any of the following are enough to prevent this vulnerability:
* Disable the UPLOAD command in the ConfigSets API if not used, by setting the system property "configset.upload.enabled" to "false" [1]
* Use Authentication/Authorization and make sure unknown requests aren't allowed [2]
* Upgrade to Solr 8.6.3 or greater.
* If upgrading is not an option, consider applying the patch in SOLR-14663 ([3])
* No Solr API, including the Admin UI, is designed to be exposed to non-trusted parties. Tune your firewall so that only trusted computers and people are allowed access.

Credit:
Tomás Fernández Löbbe, András Salamon

References:
[1] https://lucene.apache.org/solr/guide/8_6/configsets-api.html
[2] https://lucene.apache.org/solr/guide/8_6/authentication-and-authorization-plugins.html
[3] https://issues.apache.org/jira/browse/SOLR-14663
[4] https://issues.apache.org/jira/browse/SOLR-14925
[5] https://wiki.apache.org/solr/SolrSecurity
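An added audit helper, written for this thread and not part of the advisory or of Solr itself: it classifies a running Solr's version against the affected ranges above (with the 6.6 line extended to 6.6.6, which the reply confirms is affected) and checks whether the "configset.upload.enabled" mitigation is in place. The JSON layouts of /solr/admin/info/system and /solr/admin/info/properties are assumptions, as is the sample data, which is constructed.

```python
import json
import re

# Affected ranges from the advisory; the 6.6 line ends at 6.6.6 because the
# thread confirms that release is affected as well.
AFFECTED_RANGES = (
    ((6, 6, 0), (6, 6, 6)),
    ((7, 0, 0), (7, 7, 3)),
    ((8, 0, 0), (8, 6, 2)),
)

def parse_version(text):
    """Turn '8.6.2' or '8.6.2-SNAPSHOT' into a comparable (major, minor, patch) tuple."""
    m = re.match(r"\s*(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError("unrecognised Solr version: %r" % text)
    return tuple(int(x) for x in m.groups())

def is_affected_version(text):
    """True when the version falls inside one of the advisory's affected ranges."""
    v = parse_version(text)
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)

def audit(system_info, properties):
    """Version check plus the configset.upload.enabled mitigation.
    system_info: parsed JSON from /solr/admin/info/system, assumed to carry
    {"lucene": {"solr-spec-version": ...}}; properties: parsed JSON from
    /solr/admin/info/properties, assumed to carry {"system.properties": {...}}.
    Authentication/authorization (mitigation [2]) is configured in security.json
    and is not visible here, so a host relying only on it is still flagged.
    """
    version = system_info["lucene"]["solr-spec-version"]
    sysprops = properties.get("system.properties", {})
    # Mitigation [1] needs the property to be explicitly "false"; absent means UPLOAD stays on.
    upload_disabled = str(sysprops.get("configset.upload.enabled", "")).lower() == "false"
    affected = is_affected_version(version)
    return {
        "version": version,
        "affected_version": affected,
        "upload_disabled": upload_disabled,
        "needs_action": affected and not upload_disabled,
    }

# Constructed sample responses (not captured from a real server).
SAMPLE_SYSTEM = {"lucene": {"solr-spec-version": "8.6.2"}}
SAMPLE_PROPS_DEFAULT = {"system.properties": {"java.version": "11.0.8"}}
SAMPLE_PROPS_MITIGATED = {"system.properties": {"configset.upload.enabled": "false"}}

if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_SYSTEM, SAMPLE_PROPS_DEFAULT), indent=2))
```

A result with "needs_action" set means the host is on an affected build with unauthenticated UPLOAD still enabled, so one of the advisory's remaining mitigations (upgrade to 8.6.3+, the SOLR-14663 patch, or authentication) should be confirmed separately.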