Mailing List Archive: [ANNOUNCE] [SECURITY] CVE-2017-7660: Security Vulnerability in secure inter-node communication in Apache Solr

CVE-2017-7660: Security Vulnerability in secure inter-node
communication in Apache Solr

Severity: Important

Vendor:
The Apache Software Foundation

Versions Affected:
Solr 5.3 to 5.5.4
Solr 6.0 to 6.5.1

Description:

Solr uses a PKI based mechanism to secure inter-node communication
when security is enabled. It is possible to create a specially crafted
node name that does not exist as part of the cluster and point it to a
malicious node. This can trick the nodes in cluster to believe that
the malicious node is a member of the cluster. So, if Solr users have
enabled BasicAuth authentication mechanism using the BasicAuthPlugin
or if the user has implemented a custom Authentication plugin, which
does not implement either "HttpClientInterceptorPlugin" or
"HttpClientBuilderPlugin", his/her servers are vulnerable to this
attack. Users who only use SSL without basic authentication or those
who use Kerberos are not affected.

Mitigation:
6.x users should upgrade to 6.6
5.x users should obtain the latest source from git and apply this patch:
http://git-wip-us.apache.org/repos/asf/lucene-solr/commit/2f5ecbcf

Credit:
This issue was discovered by Noble Paul of Lucidworks Inc.

References:
https://issues.apache.org/jira/browse/SOLR-10624
https://wiki.apache.org/solr/SolrSecurity

--
The Lucene PMC

Hey all, Commvault is looking for GlusterFS developers, this role is going to be very crucial and working closely with CTO. If anyone interested... please mail me.

Regards,
Ramesh K

> On 07-Jul-2017, at 7:14 PM, Shalin Shekhar Mangar <shalin@apache.org> wrote:
>
> CVE-2017-7660: Security Vulnerability in secure inter-node
> communication in Apache Solr
>
> Severity: Important
>
> Vendor:
> The Apache Software Foundation
>
> Versions Affected:
> Solr 5.3 to 5.5.4
> Solr 6.0 to 6.5.1
>
> Description:
>
> Solr uses a PKI based mechanism to secure inter-node communication
> when security is enabled. It is possible to create a specially crafted
> node name that does not exist as part of the cluster and point it to a
> malicious node. This can trick the nodes in cluster to believe that
> the malicious node is a member of the cluster. So, if Solr users have
> enabled BasicAuth authentication mechanism using the BasicAuthPlugin
> or if the user has implemented a custom Authentication plugin, which
> does not implement either "HttpClientInterceptorPlugin" or
> "HttpClientBuilderPlugin", his/her servers are vulnerable to this
> attack. Users who only use SSL without basic authentication or those
> who use Kerberos are not affected.
>
> Mitigation:
> 6.x users should upgrade to 6.6
> 5.x users should obtain the latest source from git and apply this patch:
> http://git-wip-us.apache.org/repos/asf/lucene-solr/commit/2f5ecbcf
>
> Credit:
> This issue was discovered by Noble Paul of Lucidworks Inc.
>
> References:
> https://issues.apache.org/jira/browse/SOLR-10624
> https://wiki.apache.org/solr/SolrSecurity
>
> --
> The Lucene PMC
***************************Legal Disclaimer***************************
"This communication may contain confidential and privileged material for the
sole use of the intended recipient. Any unauthorized review, use or distribution
by others is strictly prohibited. If you have received the message by mistake,
please advise the sender by reply email and delete the message. Thank you."
**********************************************************************