|
Message-ID: <3d12c623-01c5-79be-9809-64a818d67a53@apache.org> Date: Fri, 09 Feb 2024 17:23:52 +0000 From: Houston Putman <houston@...che.org> To: oss-security@...ts.openwall.com Subject: CVE-2023-50291: Apache Solr: System Property redaction logic inconsistency can lead to leaked passwords Severity: moderate Affected versions: - Apache Solr 6.0.0 through 8.11.2 - Apache Solr 9.0.0 before 9.3.0 Description: Insufficiently Protected Credentials vulnerability in Apache Solr. This issue affects Apache Solr: from 6.0.0 through 8.11.2, from 9.0.0 before 9.3.0. One of the two endpoints that publishes the Solr process' Java system properties, /admin/info/properties, was only setup to hide system properties that had "password" contained in the name. There are a number of sensitive system properties, such as "basicauth" and "aws.secretKey" do not contain "password", thus their values were published via the "/admin/info/properties" endpoint. This endpoint populates the list of System Properties on the home screen of the Solr Admin page, making the exposed credentials visible in the UI. This /admin/info/properties endpoint is protected under the "config-read" permission. Therefore, Solr Clouds with Authorization enabled will only be vulnerable through logged-in users that have the "config-read" permission. Users are recommended to upgrade to version 9.3.0 or 8.11.3, which fixes the issue. A single option now controls hiding Java system property for all endpoints, "-Dsolr.hiddenSysProps". By default all known sensitive properties are hidden (including "-Dbasicauth"), as well as any property with a name containing "secret" or "password". Users who cannot upgrade can also use the following Java system property to fix the issue: '-Dsolr.redaction.system.pattern=.*(password|secret|basicauth).*' This issue is being tracked as SOLR-16809 Credit: Michael Taggart (reporter) References: https://solr.apache.org/security.html#cve-2023-50291-apache-solr-can-leak-certain-passwords-due-to-system-property-redaction-logic-inconsistencies https://solr.apache.org https://www.cve.org/CVERecord?id=CVE-2023-50291 https://issues.apache.org/jira/browse/SOLR-16809
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.