CVE-2017-12629

EUVD-2018-0640

14.10.2017, 23:29

Remote code execution occurs in Apache Solr before 7.1 with Apache Lucene before 7.1 by exploiting XXE in conjunction with use of a Config API add-listener command to reach the RunExecutableListener class. Elasticsearch, although it uses Lucene, is NOT vulnerable to this. Note that the XML external entity expansion vulnerability occurs in the XML Query Parser which is available, by default, for any query request with parameters deftype=xmlparser and can be exploited to upload malicious data to the /upload request handler or as Blind XXE using ftp wrapper in order to read arbitrary local files from the Solr server. Note also that the second vulnerability relates to remote code execution using the RunExecutableListener available on all affected versions of Solr.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	9.8 CRITICAL	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Base Score

CVSS 3.x

EPSS Score

Percentile: 99%

Affected Products (NVD)

Vendor	Product	Version
apache	solr	5.5.0 ≤ 𝑥 ≤ 5.5.4
apache	solr	6.0.0 ≤ 𝑥 ≤ 6.6.1
apache	solr	7.0.0 ≤ 𝑥 ≤ 7.0.1
redhat	jboss_enterprise_application_platform	7.0.0
redhat	jboss_enterprise_application_platform	7.1.0
debian	debian_linux	7.0
debian	debian_linux	8.0
debian	debian_linux	9.0
canonical	ubuntu_linux	16.04

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

lucene-solr

bookworm	3.6.2+dfsg-26 fixed
bullseye	3.6.2+dfsg-24 fixed
sid	3.6.2+dfsg-26 fixed
trixie	3.6.2+dfsg-26 fixed

Ubuntu Releases

Ubuntu Product

Codename

lucene-solr

artful	Fixed 3.6.2+dfsg-10+deb9u1build0.17.10.1 released
bionic	not-affected
cosmic	not-affected
disco	not-affected
eoan	not-affected
trusty	Fixed 3.6.2+dfsg-2ubuntu0.1~esm1 released
xenial	Fixed 3.6.2+dfsg-8ubuntu0.1 released
zesty	ignored

Known Exploits!

Common Weakness Enumeration

CWE-611 - Improper Restriction of XML External Entity Reference
The software processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.

References

http://mail-archives.us.apache.org/mod_mbox/www-announce/201710.mbox/%3CCAOOKt51UO_6Vy%3Dj8W%3Dx1pMbLW9VJfZyFWz7pAnXJC_OAdSZubA%40mail.gmail.com%3E

http://openwall.com/lists/oss-security/2017/10/13/1

http://www.securityfocus.com/bid/101261

https://access.redhat.com/errata/RHSA-2017:3123

https://access.redhat.com/errata/RHSA-2017:3124

https://access.redhat.com/errata/RHSA-2017:3244

https://access.redhat.com/errata/RHSA-2017:3451

https://access.redhat.com/errata/RHSA-2017:3452

https://access.redhat.com/errata/RHSA-2018:0002

https://access.redhat.com/errata/RHSA-2018:0003

https://access.redhat.com/errata/RHSA-2018:0004

https://access.redhat.com/errata/RHSA-2018:0005

https://lists.apache.org/thread.html/r140128dc6bb4f4e0b6a39e962c7ca25a8cbc8e48ed766176c931fccc%40%3Cusers.solr.apache.org%3E

https://lists.apache.org/thread.html/r26c996b068ef6c5e89aa59acb769025cfd343a08e63fbe9e7f3f720f%40%3Coak-issues.jackrabbit.apache.org%3E

https://lists.apache.org/thread.html/r3da74965aba2b5f5744b7289ad447306eeb2940c872801819faa9314%40%3Cusers.solr.apache.org%3E

https://lists.apache.org/thread.html/r95df34bb158375948da82b4dfe9a1b5d528572d586584162f8f5aeef%40%3Cusers.solr.apache.org%3E

https://lists.debian.org/debian-lts-announce/2018/01/msg00028.html

https://s.apache.org/FJDl

https://twitter.com/ApacheSolr/status/918731485611401216

https://twitter.com/joshbressers/status/919258716297420802

https://twitter.com/searchtools_avi/status/918904813613543424

https://usn.ubuntu.com/4259-1/

https://www.debian.org/security/2018/dsa-4124

https://www.exploit-db.com/exploits/43009/

http://mail-archives.us.apache.org/mod_mbox/www-announce/201710.mbox/%3CCAOOKt51UO_6Vy%3Dj8W%3Dx1pMbLW9VJfZyFWz7pAnXJC_OAdSZubA%40mail.gmail.com%3E

http://openwall.com/lists/oss-security/2017/10/13/1

http://www.securityfocus.com/bid/101261

https://access.redhat.com/errata/RHSA-2017:3123

https://access.redhat.com/errata/RHSA-2017:3124

https://access.redhat.com/errata/RHSA-2017:3244

https://access.redhat.com/errata/RHSA-2017:3451

https://access.redhat.com/errata/RHSA-2017:3452

https://access.redhat.com/errata/RHSA-2018:0002

https://access.redhat.com/errata/RHSA-2018:0003

https://access.redhat.com/errata/RHSA-2018:0004

https://access.redhat.com/errata/RHSA-2018:0005

https://lists.apache.org/thread.html/r140128dc6bb4f4e0b6a39e962c7ca25a8cbc8e48ed766176c931fccc%40%3Cusers.solr.apache.org%3E

https://lists.apache.org/thread.html/r26c996b068ef6c5e89aa59acb769025cfd343a08e63fbe9e7f3f720f%40%3Coak-issues.jackrabbit.apache.org%3E

https://lists.apache.org/thread.html/r3da74965aba2b5f5744b7289ad447306eeb2940c872801819faa9314%40%3Cusers.solr.apache.org%3E

https://lists.apache.org/thread.html/r95df34bb158375948da82b4dfe9a1b5d528572d586584162f8f5aeef%40%3Cusers.solr.apache.org%3E

https://lists.debian.org/debian-lts-announce/2018/01/msg00028.html

https://s.apache.org/FJDl

https://twitter.com/ApacheSolr/status/918731485611401216

https://twitter.com/joshbressers/status/919258716297420802

https://twitter.com/searchtools_avi/status/918904813613543424

https://usn.ubuntu.com/4259-1/

https://www.debian.org/security/2018/dsa-4124

https://www.exploit-db.com/exploits/43009/