[jira] [Commented] (SOLR-13669) [CVE-2019-0193] Remote Code Execution via DataImportHandler

Tue, 18 Feb 2020 09:25:19 -0800 


    [ 
https://issues.apache.org/jira/browse/SOLR-13669?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17039262#comment-17039262
 ] 

ASF subversion and git services commented on SOLR-13669:
--------------------------------------------------------

Commit 224c038f9b9a40517ff5378971d3c8aac7c4aafa in lucene-solr's branch 
refs/heads/branch_7_7 from Houston Putman
[ https://gitbox.apache.org/repos/asf?p=lucene-solr.git;h=224c038 ]

SOLR-13669: DIH: Add System property toggle for use of dataConfig param (#1260)

(cherry picked from commit 325824cd391c8e71f36f17d687f52344e50e9715)

Addresses CVE-2019-0193, backported from Solr 8.1.2

> [CVE-2019-0193] Remote Code Execution via DataImportHandler
> -----------------------------------------------------------
>
>                 Key: SOLR-13669
>                 URL: https://issues.apache.org/jira/browse/SOLR-13669
>             Project: Solr
>          Issue Type: Bug
>          Components: contrib - DataImportHandler
>            Reporter: Michael Stepankin
>            Assignee: David Smiley
>            Priority: Major
>             Fix For: 7.7.3, 8.1.2, 8.2.0
>
>          Time Spent: 1h 10m
>  Remaining Estimate: 0h
>
> The DataImportHandler, an optional but popular module to pull in data from 
> databases and other sources, has a feature in which the whole DIH 
> configuration can come from a request's "dataConfig" parameter. The debug 
> mode of the DIH admin screen uses this to allow convenient debugging / 
> development of a DIH config. Since a DIH config can contain scripts, this 
> parameter is a security risk. Starting with version 8.2.0 of Solr, use of 
> this parameter requires setting the Java System property 
> "enable.dih.dataConfigParam" to true.
> Mitigations:
> * Upgrade to 8.2.0 or later, which is secure by default.
> * or, edit solrconfig.xml to configure all DataImportHandler usages with an 
> "invariants" section listing the "dataConfig" parameter set to am empty 
> string.  
> * Ensure your network settings are configured so that only trusted traffic 
> communicates with Solr, especially to the DIH request handler.  This is a 
> best practice to all of Solr.
> Credits:
> * Michael Stepankin
> References:
> * https://issues.apache.org/jira/browse/SOLR-13669
> * https://cwiki.apache.org/confluence/display/solr/SolrSecurity



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscr...@lucene.apache.org
For additional commands, e-mail: issues-h...@lucene.apache.org

Reply via email to