CVE-2017-12629

Impact:
Critical
Public Date:
2017-10-12
CWE:
CWE-138
Bugzilla:
1501529: CVE-2017-12629 Solr: Code execution via entity expansion
It was found that Apache Lucene would accept an object from an unauthenticated user that could be manipulated through subsequent post requests. An attacker could use this flaw to assemble an object that could permit execution of arbitrary code if the server enabled Apache Solr's Config API.

Find out more about CVE-2017-12629 from the MITRE CVE dictionary dictionary and NIST NVD.

Statement

The following products are not affected by this flaw, as they do not use the vulnerable functionality of either aspect of the issue.
Red Hat JBoss Enterprise Application Platform 6
Red Hat JBoss BPM Suite
Red Hat JBoss BRMS
Red Hat Enterprise Virtualization Manager
Red Hat Single Sign-On 7
Red Hat JBoss Portal Platform 6

Red Hat JBoss Enterprise Application Platform 7 is not affected by this flaw. However, it does ship the vulnerable Lucene class in a dependency to another component. Customers who reuse the lucene-queryparser jar in their applications may be vulnerable to the External Entity Expansion aspect of this flaw. This will be patched in a forthcoming release.

Red Hat JBoss Fuse is not affected by this flaw, as it does not use the vulnerable functionality of either aspect of this flaw. Fuse customers who may be running external Solr servers, while not affected from the Fuse side, are advised to secure their Solr servers as recommended in the mitigation provided.

The following products ship only the Lucene components relevant to this flaw, and are not vulnerable to the second portion of the vulnerability, the code execution exploit. As such, the impact of this flaw has been determined to be Moderate for these respective products:
Red Hat JBoss Data Grid 7
Red Hat Enterprise Linux 6
Red Hat Software Collections 2.4

This issue did not affect the versions of lucene as shipped with Red Hat Enterprise Linux 5.

CVSS v2 metrics

Base Score 10
Base Metrics AV:N/AC:L/Au:N/C:C/I:C/A:C
Access Vector Network
Access Complexity Low
Authentication None
Confidentiality Impact Complete
Integrity Impact Complete
Availability Impact Complete

CVSS v3 metrics

CVSS3 Base Score 9.8
CVSS3 Base Metrics CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector Network
Attack Complexity Low
Privileges Required None
User Interaction None
Scope Unchanged
Confidentiality High
Integrity Impact High
Availability Impact High

Find out more about Red Hat support for the Common Vulnerability Scoring System (CVSS).

Red Hat Security Errata

Platform Errata Release Date
Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7 Server (eap7-lucene-solr) RHSA-2017:3123 2017-11-06
Red Hat JBoss Data Grid 7.1 RHSA-2017:3244 2017-11-16
Red Hat JBoss EAP 7 RHSA-2017:3124 2017-11-06
Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6 Server (eap7-lucene-solr) RHSA-2017:3123 2017-11-06

Affected Packages State

Platform Package State
Red Hat Software Collections for Red Hat Enterprise Linux rh-java-common-lucene Affected
Red Hat Software Collections for Red Hat Enterprise Linux rh-java-common-lucene5 Affected
Red Hat Single Sign-On 7 lucene Not affected
Red Hat JBoss Portal Platform 6 solr Not affected
Red Hat JBoss Fuse 6 Camel Not affected
Red Hat JBoss EAP 6 lucene Not affected
Red Hat JBoss EAP 6 solr Not affected
Red Hat JBoss BRMS 6 lucene Not affected
Red Hat JBoss BPMS 6 lucene Not affected
Red Hat Enterprise Linux 6 lucene Will not fix
Red Hat Enterprise Linux 5 lucene Not affected
RHEV-M 4.0 lucene Not affected

Mitigation

Until fixes are available, all Solr users are advised to restart their Solr instances with the system parameter `-Ddisable.configEdit=true`. This will disallow any changes to be made to configurations via the Config API. This is a key factor in this vulnerability, since it allows GET requests to add the RunExecutableListener to the config. This is sufficient to protect from this type of attack, but means you cannot use the edit capabilities of the Config API until further fixes are in place.

External References

Last Modified
Close

Welcome! Check out the Getting Started with Red Hat page for quick tours and guides for common tasks.