Posted to issues@lucene.apache.org by "Houston Putman (Jira)" <ji...@apache.org> on 2020/02/19 20:16:00 UTC

[jira] [Updated] (SOLR-14025) CVE-2019-17558: Velocity response writer RCE vulnerability persists after 8.3.1

     [ https://issues.apache.org/jira/browse/SOLR-14025?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Houston Putman updated SOLR-14025:
----------------------------------
    Fix Version/s: 7.7.3

> CVE-2019-17558: Velocity response writer RCE vulnerability persists after 8.3.1
> -------------------------------------------------------------------------------
>
>                 Key: SOLR-14025
>                 URL: https://issues.apache.org/jira/browse/SOLR-14025
>             Project: Solr
>          Issue Type: Bug
>          Components: contrib - Velocity
>    Affects Versions: 8.3.1
>            Reporter: Ishan Chattopadhyaya
>            Assignee: Erik Hatcher
>            Priority: Blocker
>             Fix For: 7.7.3, 8.4
>
>         Attachments: SOLR-14025.patch, SOLR-14025.patch, SOLR-14025.patch, SOLR-14025.patch, SOLR-14025.patch
>
>
> [~gezapeti] from Cloudera kindly reported this to me:
> {code}
> Hi Ishan! I’d like to raise (yet another) issue with SOLR-13971 and the Velocity templates. I’m working at Cloudera on Solr and have taken the time to test out whether the fix in 8.3.1 is sufficient to mitigate the issue. The sad thing is: It’s possible to upload a properties file into ZK and add the resource loaders in that file. I think we should add yet another option to make the init-from-property file functionality off by default.
> https://github.com/apache/lucene-solr/blob/master/solr/contrib/velocity/src/java/org/apache/solr/response/VelocityResponseWriter.java#L73 this property loads the file here https://github.com/apache/lucene-solr/blob/master/solr/contrib/velocity/src/java/org/apache/solr/response/VelocityResponseWriter.java#L141
> {code}
> Seems like our mitigation wasn't good enough; there's another way to load resources.
> I've requested him to follow procedure here (https://cwiki.apache.org/confluence/display/solr/SolrSecurity). Meanwhile, I opened this JIRA anyway.
