Posted to commits@lucene.apache.org by tf...@apache.org on 2020/10/30 04:50:19 UTC

[lucene-site] 02/02: Add CVE-2020-13957 page (#31)

This is an automated email from the ASF dual-hosted git repository.

tflobbe pushed a commit to branch production
in repository https://gitbox.apache.org/repos/asf/lucene-site.git

commit 96d80ec4a6bc4bb41535f446fff1f9d91cd1aa7d
Author: Tomas Fernandez Lobbe <tf...@apache.org>
AuthorDate: Thu Oct 29 21:38:51 2020 -0700

    Add CVE-2020-13957 page (#31)
---
 content/solr/security/2020-10-12-cve-2020-13957.md | 29 ++++++++++++++++++++++
 1 file changed, 29 insertions(+)

diff --git a/content/solr/security/2020-10-12-cve-2020-13957.md b/content/solr/security/2020-10-12-cve-2020-13957.md
new file mode 100644
index 0000000..dd33a94
--- /dev/null
+++ b/content/solr/security/2020-10-12-cve-2020-13957.md
@@ -0,0 +1,29 @@
+Title: CVE-2020-13957: The checks added to unauthenticated configset uploads in Apache Solr can be circumvented
+category: solr/security
+cve: CVE-2020-13957
+
+**Severity:**
+High
+
+**Versions Affected:**
+6.6.0 to 6.6.6
+7.0.0 to 7.7.3
+8.0.0 to 8.6.2
+
+**Description:**
+Solr prevents some features considered dangerous (which could be used for remote code execution) to be configured in a ConfigSet that's uploaded via API without authentication/authorization. The checks in place to prevent such features can be circumvented by using a combination of UPLOAD/CREATE actions.
+
+**Mitigation:**
+Any of the following are enough to prevent this vulnerability:
+
+* Disable UPLOAD command in ConfigSets API if not used by setting the system property: `configset.upload.enabled` to `false` ([see docs](https://lucene.apache.org/solr/guide/8_6/configsets-api.html))
+* Use Authentication/Authorization and make sure unknown requests aren't allowed ([see docs](https://lucene.apache.org/solr/guide/8_6/authentication-and-authorization-plugins.html))
+* Upgrade to `Solr 8.6.3` or greater.
+* If upgrading is not an option, consider applying the patch in [SOLR-14663](https://issues.apache.org/jira/browse/SOLR-14663)
+* No Solr API, including the Admin UI, is designed to be exposed to non-trusted parties. Tune your firewall so that only trusted computers and people are allowed access
+
+**Credit:**
+Tomás Fernández Löbbe, András Salamon
+
+**References:**
+[SOLR-14925](https://issues.apache.org/jira/browse/SOLR-14925): CVE-2020-13957: The checks added to unauthenticated configset uploads can be circumvented
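Review bot: In the Description line (`+Solr prevents some features considered dangerous ... to be configured`), "prevents ... to be configured" is ungrammatical; suggest "prevents some features considered dangerous (which could be used for remote code execution) from being configured in a ConfigSet that's uploaded via API without authentication/authorization". Two smaller points in the Mitigation list: the bullets are inconsistently punctuated (only "Upgrade to `Solr 8.6.3` or greater." ends with a period, the others end without one), and since Versions Affected covers 6.6.0 to 6.6.6 and 7.0.0 to 7.7.3 while the only upgrade target named is 8.6.3, it would help readers on those branches to say explicitly whether a fixed 6.x or 7.x release exists or whether they should rely on the SOLR-14663 patch, setting `configset.upload.enabled` to `false`, or enabling authentication/authorization as listed.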