Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <CABEwPvGVFWS8gNrc4txih+axEh_zwds_aXYGn+PB8xkcABTWvA@mail.gmail.com>
Date: Mon, 21 Nov 2022 13:12:19 -0500
From: David Smiley <dsmiley@...che.org>
To: security <security@...che.org>, oss-security@...ts.openwall.com, 
	Andreas Hubold <andreas.hubold@...emedia.com>, users@...r.apache.org, dev@...r.apache.org
Subject: Apache Solr is vulnerable to CVE-2022-39135 via /sql handler

Vendor:

  The Apache Software Foundation


Versions Affected:

  Solr 6.5 to 8.11.2

  Solr 9.0


Description:

  Apache Calcite has a vulnerability, CVE-2022-39135, that is exploitable
in Apache Solr in SolrCloud mode.  If an untrusted user can supply SQL
queries to Solr’s “/sql” handler (even indirectly via proxies / other
apps), then the user could perform an XML External Entity (XXE) attack.  This
might have been exposed by some deployers of Solr in order for internal
analysts to use JDBC based tooling, but would have unlikely been granted to
wider audiences.


Impact:

  An XXE attack may lead to the disclosure of confidential data, denial of
service, server side request forgery (SSRF), port scanning from the Solr
node, and other system impacts.


Mitigation:

  Most Solr installations don’t make use of the SQL functionality.  For
such users, the standard Solr security advice of using a firewall should be
adequate.  Nonetheless, the functionality can be disabled.  As of Solr 9,
it has been modularized and thus became opt-in, so nothing is needed for
Solr 9 users that don’t use it.  Users *not* using SolrCloud can’t use the
functionality at all.  For other users that wish to disable it, you must
register a request handler that masks the underlying functionality in
solrconfig.xml like so:

  <requestHandler name="/sql" class="solr.NotFoundRequestHandler"/>


  Users needing this SQL functionality are forced to upgrade to Solr 9.1.
If Solr 8.11.3 is released, then it will be an option as well.  Simply
replacing Calcite and other JAR files may mostly work but could fail
depending on the particulars of the query.  Users interested in this or in
patching their own versions of Solr should examine SOLR-16421 for a source
patch.


Credit:

  Andreas Hubold at CoreMedia GmbH


References:

https://nvd.nist.gov/vuln/detail/CVE-2022-39135

https://issues.apache.org/jira/browse/SOLR-16421

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.