You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@lucene.apache.org by "Uwe Schindler (JIRA)" <ji...@apache.org> on 2017/10/18 12:37:00 UTC

[jira] [Commented] (SOLR-11482) CVE-2017-12629: Remove RunExecutableListener from Solr

    [ https://issues.apache.org/jira/browse/SOLR-11482?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16209256#comment-16209256 ] 

Uwe Schindler commented on SOLR-11482:
--------------------------------------

Thanks, +1

> CVE-2017-12629: Remove RunExecutableListener from Solr
> ------------------------------------------------------
>
>                 Key: SOLR-11482
>                 URL: https://issues.apache.org/jira/browse/SOLR-11482
>             Project: Solr
>          Issue Type: Task
>      Security Level: Public(Default Security Level. Issues are Public) 
>          Components: security, Server
>            Reporter: Uwe Schindler
>            Assignee: Uwe Schindler
>            Priority: Blocker
>             Fix For: 5.5.5, 7.1, 7.2, master (8.0), 6.6.2
>
>         Attachments: SOLR-11482-6.6.patch, SOLR-11482-branch_5_5-restore-logged-warning.patch, SOLR-11482.patch
>
>
> This class should no longer be needed, as replication can be done through Solr Cloud or via ReplicationHandler. The current listener is a security risk, as it can be configured through the Config API. See the report:
> Solr "RunExecutableListener" class can be used to execute arbitrary commands on specific events, for example after each update query. The problem is that such listener can be enabled with any parameters just by using Config API with add-listener command.
> {noformat}
> POST /solr/newcollection/config HTTP/1.1
> Host: localhost:8983
> Connection: close
> Content-Type: application/json  
> Content-Length: 198
> {
>   "add-listener" : {
>     "event":"postCommit",
>     "name":"newlistener",
>     "class":"solr.RunExecutableListener",
>     "exe":"ANYCOMMAND",
>     "dir":"/usr/bin/",
>     "args":["ANYARGS"]
>   }
> }
> {noformat}
> Parameters "exe", "args" and "dir" can be crafted throught the HTTP request during modification of the collection's config. This means that anybody who can send a HTTP request to Solr API is able to execute arbitrary shell commands when "postCommit" event is fired. It leads to execution of arbitrary remote code for a remote attacker.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@lucene.apache.org
For additional commands, e-mail: dev-help@lucene.apache.org