Solr/Lucene -security bypass to access sensitive data - CVE-2017-12629

Public Date: October 13, 2017, 14:50
Updated June 20, 2018, 07:11 - Chinese, Simplified Japanese

Was this information helpful?

Resolved Status
Critical Impact

Red Hat Product Security has been made aware of a vulnerability affecting Apache Solr and Lucene. The vulnerability has been assigned CVE-2017-12629.  This issue was publicly disclosed on Thursday October 12th, 2017 and is rated as Critical.  This flaw, however, relies upon two working parts, and if either of those parts are not exposed, the severity of the flaw is reduced to Moderate. Most Red Hat products do not ship both working parts. 

Background Information

Apache Solr is a popular open source search platform that uses the Apache Lucene search engine. It is used at the enterprise level by many high-volume websites and applications. 

Vulnerability Details

An XML Entity Expansion flaw (XXE) was found in Lucene; this type of flaw typically allows an attacker to bypass security restrictions and access sensitive data. In this particular case the XXE also exposed a Java class that would allow construction of an object with an event listener, which would then permit arbitrary code to be run when the event was triggered. Together, these two factors would result in unauthenticated Remote Code Execution (RCE). Both factors must be present for this to result in Remote Code Execution; either piece without the other results in less severe impact.

The XXE is achieved through a flaw in the XML query parser in Lucene. The flaw permits doctype declaration and special entities in the query XML document. However, products that do not use or expose the XML parsing features to users are not vulnerable.

The RCE is achieved by using Solr's Config API add-listener function to create a RunExecutableListener which can be triggered by a commit event. The listener's embedded command can invoke a URL, call an application, or run a script. While not considered a flaw in itself, the Config API is a feature that should not normally be exposed to unauthorized users, and in this case, makes the potential impact of the XXE much worse. This API is only present in Solr, not Lucene. Products that do not use or expose Solr to users are not vulnerable.

See the Impact tab for affected Red Hat Products.

Impacted Products

Red Hat Product Security has rated this update as having a security impact of Critical.

The following Red Hat product versions are impacted:

  • Red Hat Software Collections for Red Hat Enterprise Linux (rh-java-common-lucene)
  • Red Hat Software Collections for Red Hat Enterprise Linux (rh-java-common-lucene5)
  • Red Hat JBoss Enterprise Application Platform 7 (lucene) **
  • Red Hat JBoss Data Grid 7 (lucene)
  • Red Hat Enterprise Linux 6 (lucene)

** NOTE: EAP 7 is not directly affected, but as the vulnerable class may be used in applications, a patch will be issued in a forthcoming release as a preventative measure.

Take Action

All Red Hat customers running affected versions of Solr and Lucene are strongly recommended to update as soon as patches are available.  Mitigations exist for this vulnerability which provide protection until patches are made available.  

Updates for Affected Products

ProductPackageAdvisory
Red Hat JBoss Data Grid 7    luceneRHSA-2017:3244
Red Hat JBoss Enterprise Application Platform 7    lucene

RHSA-2017:3124

RHSA-2017:3123

RHSA-2018:0002

RHSA-2018:0003

RHSA-2018:0004

RHSA-2018:0005

Red Hat Software Collections for Red Hat Enterprise Linux    

rh-java-common-luceneRHSA-2017:3451
Red Hat Software Collections for Red Hat Enterprise Linux    rh-java-common-lucene5RHSA-2017:3452


Mitigation

Until fixes are available, all Solr users are advised to restart their Solr instances with the system parameter `-Ddisable.configEdit=true`. This will disallow any changes to be made to configurations via the Config API. This is a key factor in this vulnerability, since it allows GET requests to add the RunExecutableListener to the config. This is sufficient to protect from this type of attack, but it means that you cannot use the edit capabilities of the Config API until further fixes are in place.





Comments