FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

solr -- Code execution via entity expansion

Affected packages
5.1 <= apache-solr <= 6.6.1
7.0.0 <= apache-solr < 7.1

Details

VuXML ID e837390d-0ceb-46b8-9b32-29c1195f5dc7
Discovery 2017-10-13
Entry 2017-10-13
Modified 2017-10-16

Solr developers report:

Lucene XML parser does not explicitly prohibit doctype declaration and expansion of external entities which leads to arbitrary HTTP requests to the local SOLR instance and to bypass all firewall restrictions.

Solr "RunExecutableListener" class can be used to execute arbitrary commands on specific events, for example after each update query. The problem is that such listener can be enabled with any parameters just by using Config API with add-listener command.

References

CVE Name CVE-2017-12629
URL http://lucene.472066.n3.nabble.com/Re-Several-critical-vulnerabilities-discovered-in-Apache-Solr-XXE-amp-RCE-td4358308.html
URL https://marc.info/?l=apache-announce&m=150786685013286