Posted to dev@lucene.apache.org by Noble Paul <no...@apache.org> on 2019/04/24 07:04:55 UTC

CVE-2018-11802: Apache Solr authorization bug vulnerability disclosure

CVE-2018-11802: Apache Solr authorization bug disclosure
Severity: Important
Vendor: The Apache Software Foundation
Versions Affected: Apache Solr 7.6 or less

Description:
JIRA ticket: https://issues.apache.org/jira/browse/SOLR-12514
In Apache Solr the cluster can be partitioned into multiple
collections and only a subset of nodes actually host any given
collection. However, if a node receives a request for a collection it
does not host, it proxies the request to a relevant node and serves
the request. Solr bypasses all authorization settings for such
requests. This affects all Solr versions that use the default
authorization mechanism of Solr (RuleBasedAuthorizationPlugin).

Mitigation:
A fix is provided in Solr 7.7 version and upwards. If you use Solr's
authorization mechanism, please upgrade to a version newer than Solr
7.7.

Credit: This issue was discovered by Mahesh Kumar Vasanthu Somashekar.

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@lucene.apache.org
For additional commands, e-mail: dev-help@lucene.apache.org
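The flaw the advisory describes, modelled as an added illustration that is not Solr's code: a request pipeline that decides "local or proxy" before the authorization step, so the proxy branch returns without ever consulting the policy, shown next to the corrected ordering. The cluster layout, node names, user names and read policy are constructed for the example, and the real RuleBasedAuthorizationPlugin decision is stood in for by a set lookup.

```python
"""Simplified model of the authorization-bypass pattern described in
CVE-2018-11802. Added illustration, not Solr's code: cluster layout,
users and policy below are constructed for the example."""

from dataclasses import dataclass

# Constructed cluster: each node hosts a subset of the collections.
CLUSTER = {
    "node1": {"products"},
    "node2": {"logs"},
}

# Constructed authorization policy: (user, collection) pairs allowed to read.
READ_POLICY = {
    ("alice", "products"),
    ("bob", "logs"),
}


@dataclass(frozen=True)
class Request:
    user: str
    collection: str


def authorized(req: Request) -> bool:
    """Policy lookup standing in for the RuleBasedAuthorizationPlugin decision."""
    return (req.user, req.collection) in READ_POLICY


def find_host(collection: str):
    """Return the name of a node hosting the collection, or None."""
    for node, hosted in CLUSTER.items():
        if collection in hosted:
            return node
    return None


def dispatch_vulnerable(entry_node: str, req: Request) -> str:
    """Pre-fix flow: the routing decision comes first, and the remote branch
    returns before the authorization step is ever reached."""
    if req.collection not in CLUSTER[entry_node]:
        target = find_host(req.collection)
        if target is None:
            return "404 unknown collection"
        # Proxied to the hosting node as an internal request: no policy check.
        return f"200 served by {target} via {entry_node}"
    if not authorized(req):
        return "403 forbidden"
    return f"200 served by {entry_node}"


def dispatch_fixed(entry_node: str, req: Request) -> str:
    """Post-fix flow: authorization is decided at the entry node for every
    request, before and independently of where the collection lives."""
    if not authorized(req):
        return "403 forbidden"
    if req.collection in CLUSTER[entry_node]:
        return f"200 served by {entry_node}"
    target = find_host(req.collection)
    if target is None:
        return "404 unknown collection"
    return f"200 served by {target} via {entry_node}"


def decision_is_node_independent(dispatch, req: Request) -> bool:
    """Access-control property worth testing: the allow/deny outcome must not
    depend on which node the client happens to send the request to."""
    outcomes = {dispatch(node, req).startswith("403") for node in CLUSTER}
    return len(outcomes) == 1


if __name__ == "__main__":
    # bob has no right to read "products". Hitting node1 (which hosts it) is
    # denied in both flows; hitting node2 (which does not) is let through
    # by the pre-fix flow only.
    req = Request(user="bob", collection="products")
    for node in CLUSTER:
        print(node, dispatch_vulnerable(node, req), "|", dispatch_fixed(node, req))
    print("vulnerable node-independent:",
          decision_is_node_independent(dispatch_vulnerable, req))
    print("fixed node-independent:",
          decision_is_node_independent(dispatch_fixed, req))
```

The property checked last is the one to keep in a deployment's regression tests: for a given user and collection, the answer must not change with the node that receives the request, which means every node that accepts client traffic has to run the authorization check itself rather than rely on the node that eventually serves the data.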


Re: CVE-2018-11802: Apache Solr authorization bug vulnerability disclosure

Posted by Ishan Chattopadhyaya <ic...@gmail.com>.
This fix has also been backported to Solr 6.6.6 for users who are
stuck with Solr 6.x.

(Sorry, I hadn't updated the issue and hence this was missed in the
original mail.)

On Wed, Apr 24, 2019 at 12:35 PM Noble Paul <no...@apache.org> wrote:
>
> CVE-2018-11802: Apache Solr authorization bug disclosure
> Severity: Important
> Vendor: The Apache Software Foundation
> Versions Affected: Apache Solr 7.6 or less
>
> Description:
> JIRA ticket: https://issues.apache.org/jira/browse/SOLR-12514
> In Apache Solr the cluster can be partitioned into multiple
> collections and only a subset of nodes actually host any given
> collection. However, if a node receives a request for a collection it
> does not host, it proxies the request to a relevant node and serves
> the request. Solr bypasses all authorization settings for such
> requests. This affects all Solr versions that use the default
> authorization mechanism of Solr (RuleBasedAuthorizationPlugin).
>
> Mitigation:
> A fix is provided in Solr 7.7 version and upwards. If you use Solr's
> authorization mechanism, please upgrade to a version newer than Solr
> 7.7.
>
> Credit: This issue was discovered by Mahesh Kumar Vasanthu Somashekar.
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: java-user-unsubscribe@lucene.apache.org
> For additional commands, e-mail: java-user-help@lucene.apache.org
>
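The follow-up above adds a 6.6.6 backport to the 7.7-and-later fix, so "is this instance affected?" is slightly more than a single comparison. The helper below is an added example, not part of the thread: it parses reported version strings and applies both the 7.7 cut-off from the advisory and the 6.6.6 backport from the reply, over a constructed inventory. It assumes version strings of the shape "major.minor[.patch][-suffix]" and treats 6.6.6 and any later 6.6.x patch release as carrying the backport.

```python
"""Added check (not part of the thread): classify reported Solr versions
against the CVE-2018-11802 affected range, including the 6.6.6 backport."""

import re
from typing import List, Tuple

FIXED_FROM = (7, 7, 0)        # per the advisory: fixed in 7.7 and upwards
BACKPORT_FIX = (6, 6, 6)      # per the follow-up: backported to 6.6.6

# Constructed inventory of (host, reported version) pairs for the example.
INVENTORY = [
    ("search-a.example.internal", "7.6.0"),
    ("search-b.example.internal", "7.7.1"),
    ("legacy-1.example.internal", "6.6.5"),
    ("legacy-2.example.internal", "6.6.6"),
    ("dev-box.example.internal", "8.1.0-SNAPSHOT"),
]


def parse_version(text: str) -> Tuple[int, int, int]:
    """Parse 'major.minor[.patch]' with an optional trailing suffix into a
    tuple. Assumption: reported Solr version strings follow that shape."""
    m = re.match(r"\s*(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def is_affected(text: str) -> bool:
    """True when the version falls inside the advisory's affected range."""
    v = parse_version(text)
    if v >= FIXED_FROM:
        return False              # 7.7 and later carry the fix
    if v[:2] == BACKPORT_FIX[:2] and v >= BACKPORT_FIX:
        return False              # 6.6.6 (or a later 6.6.x) has the backport
    return True                   # everything else is "7.6 or less"


def affected_hosts(inventory: List[Tuple[str, str]]) -> List[str]:
    """Names of hosts whose reported version is in the affected range."""
    return [host for host, version in inventory if is_affected(version)]


if __name__ == "__main__":
    for host, version in INVENTORY:
        state = "AFFECTED" if is_affected(version) else "ok"
        print(f"{host:28} {version:16} {state}")
```

The only subtlety is the backport: a plain "below 7.7" test would flag 6.6.6 as vulnerable, so the 6.6 line is special-cased before the general cut-off applies; any other version below 7.7, including every earlier 6.x release, stays in the affected set. Note that the advisory scopes the impact to deployments using the RuleBasedAuthorizationPlugin, so a version match is a prompt to check the authorization configuration, not by itself a confirmed exposure.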


Fwd: CVE-2018-11802: Apache Solr authorization bug vulnerability disclosure

Posted by Jan Høydahl <ja...@cominvent.com>.
Forwarding to solr-user list

> Forwarded message:
> 
> From: Noble Paul <no...@apache.org>
> Subject: CVE-2018-11802: Apache Solr authorization bug vulnerability disclosure
> Date: 24 April 2019 at 09:04:55 CEST
> To: Lucene Dev <de...@lucene.apache.org>, java-user@lucene.apache.org, security@apache.org, oss-security@lists.openwall.com
> Reply-To: java-user@lucene.apache.org
> 
> CVE-2018-11802: Apache Solr authorization bug disclosure
> Severity: Important
> Vendor: The Apache Software Foundation
> Versions Affected: Apache Solr 7.6 or less
> 
> Description:
> JIRA ticket: https://issues.apache.org/jira/browse/SOLR-12514
> In Apache Solr the cluster can be partitioned into multiple
> collections and only a subset of nodes actually host any given
> collection. However, if a node receives a request for a collection it
> does not host, it proxies the request to a relevant node and serves
> the request. Solr bypasses all authorization settings for such
> requests. This affects all Solr versions that use the default
> authorization mechanism of Solr (RuleBasedAuthorizationPlugin).
> 
> Mitigation:
> A fix is provided in Solr 7.7 version and upwards. If you use Solr's
> authorization mechanism, please upgrade to a version newer than Solr
> 7.7.
> 
> Credit: This issue was discovered by Mahesh Kumar Vasanthu Somashekar.
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: java-user-unsubscribe@lucene.apache.org
> For additional commands, e-mail: java-user-help@lucene.apache.org
>