Re: [SECURITY] CVE-2018-8026: XXE vulnerability due to Apache Solr configset upload (exchange rate provider config / enum field config / TIKA parsecontext)

[will martin <wmartinusa () gmail com>]

The cve id was reserved in April. The jira ticket 1 mo ago. Is this the
first notice to this list?

Thx

On Wed, Jul 4, 2018, 12:56 PM Uwe Schindler <uschindler () apache org> wrote:

> CVE-2018-8026: XXE vulnerability due to Apache Solr configset upload
> (exchange rate provider config / enum field config / TIKA parsecontext)
>
> Severity: High
>
> Vendor:
> The Apache Software Foundation
>
> Versions Affected:
> Solr 6.0.0 to 6.6.4
> Solr 7.0.0 to 7.3.1
>
> Description:
> The details of this vulnerability were reported by mail to the Apache
> security mailing list.
> This vulnerability relates to an XML external entity expansion (XXE) in
> Solr
> config files (currency.xml, enumsConfig.xml referred from schema.xml,
> TIKA parsecontext config file). In addition, Xinclude functionality
> provided
> in these config files is also affected in a similar way. The vulnerability
> can
> be used as XXE using file/ftp/http protocols in order to read arbitrary
> local files from the Solr server or the internal network. The manipulated
> files can be uploaded as configsets using Solr's API, allowing to exploit
> that vulnerability. See [1] for more details.
>
> Mitigation:
> Users are advised to upgrade to either Solr 6.6.5 or Solr 7.4.0 releases
> both
> of which address the vulnerability. Once upgrade is complete, no other
> steps
> are required. Those releases only allow external entities and Xincludes
> that
> refer to local files / zookeeper resources below the Solr instance
> directory
> (using Solr's ResourceLoader); usage of absolute URLs is denied. Keep in
> mind, that external entities and XInclude are explicitly supported to
> better
> structure config files in large installations. Before Solr 6 this was no
> problem, as config files were not accessible through the APIs.
>
> If users are unable to upgrade to Solr 6.6.5 or Solr 7.4.0 then they are
> advised to make sure that Solr instances are only used locally without
> access
> to public internet, so the vulnerability cannot be exploited. In addition,
> reverse proxies should be guarded to not allow end users to reach the
> configset APIs. Please refer to [2] on how to correctly secure Solr
> servers.
>
> Solr 5.x and earlier are not affected by this vulnerability; those versions
> do not allow to upload configsets via the API. Nevertheless, users should
> upgrade those versions as soon as possible, because there may be other ways
> to inject config files through file upload functionality of the old web
> interface. Those versions are no longer maintained, so no deep analysis was
> done.
>
> Credit:
> Yuyang Xiao, Ishan Chattopadhyaya
>
> References:
> [1] https://issues.apache.org/jira/browse/SOLR-12450
> [2] https://wiki.apache.org/solr/SolrSecurity
>
> -----
> Uwe Schindler
> uschindler () apache org
> ASF Member, Apache Lucene PMC / Committer
> Bremen, Germany
> http://lucene.apache.org/