On 3/15/2018 6:40 AM, padmanabhan1616 wrote:
Hi Team,

We are using Apache SOLR-5.2.1 as the index engine for our data analytics application. As part of this, SOLR uses commons-fileupload-1.2.1.jar for file manipulation. There is a security vulnerability identified in the commons-fileupload library: *CVE-2016-1000031 Apache Commons FileUpload: DiskFileItem file manipulation*

As per the official notice from the Apache Software Foundation, this issue has been addressed in commons-fileupload-1.3.3.jar, which is available to all dependency vendors.

*Is it good to upgrade commons-fileupload from 1.2.1 to 1.3.3 directly?*
Solr previously addressed two other vulnerabilities in
commons-fileupload, both of them after the version you're running.
https://issues.apache.org/jira/browse/SOLR-9819
https://issues.apache.org/jira/browse/SOLR-9053
One of these fixes just did a jar upgrade, but the other also included
code changes. So it looks like just replacing the jar with 1.3.3 MIGHT
cause problems. The commons-fileupload dependency is only used in one
place in Solr -- the multipart request parser. I cannot tell what
actually uses this functionality, though. I suspect that whatever it is
is not something really common.
Looking at the way that Solr uses DiskFileItem and related classes, I
don't see any evidence that it actually uses serialization or
deserialization, so I don't think Solr is vulnerable to the problem
fixed in 1.3.3, but there are two other vulnerabilities that the version
you're running has. I haven't assessed whether Solr is vulnerable to
either of those problems.
FYI: If only trusted admins and applications can reach the Solr server,
then any remote vulnerability Solr has cannot be exploited unless
somebody first breaches the security on something else that DOES have
access to Solr. If they manage to do that, they probably have access
that's far more damaging than access to Solr would be.
Thanks,
Shawn
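A version audit for the question in this thread, added here as an example and not code from the Solr project or from either poster: it walks an installation, reads the manifest of every commons-fileupload jar it finds and flags anything older than 1.3.3, the version the thread names as carrying the fix for CVE-2016-1000031. The directory layout and the manifest-only jars are constructed fixtures, not Solr's real file tree.

```python
import re
import tempfile
import zipfile
from pathlib import Path

# Version the thread names as containing the fix for CVE-2016-1000031.
FIXED_VERSION = (1, 3, 3)

def parse_version(text):
    """'1.2.1' -> (1, 2, 1); tuples compare numerically, unlike strings."""
    return tuple(int(p) for p in re.findall(r"\d+", text))

def jar_version(jar_path):
    """Version from META-INF/MANIFEST.MF, else from the file name, else () if unknown."""
    with zipfile.ZipFile(jar_path) as jar:
        manifest = (jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
                    if "META-INF/MANIFEST.MF" in jar.namelist() else "")
    for key in ("Implementation-Version", "Bundle-Version"):
        m = re.search(rf"^{key}:\s*(\S+)", manifest, re.MULTILINE)
        if m:
            return parse_version(m.group(1))
    m = re.search(r"commons-fileupload-(\d+(?:\.\d+)*)", Path(jar_path).name)
    return parse_version(m.group(1)) if m else ()

def audit(root):
    """Map each commons-fileupload jar under root to (version, needs_upgrade).
    A jar whose version cannot be determined is flagged rather than ignored."""
    findings = {}
    for jar in Path(root).rglob("commons-fileupload*.jar"):
        version = jar_version(jar)
        findings[str(jar)] = (version, not version or version < FIXED_VERSION)
    return findings

def make_sample_jar(path, version):
    """Constructed fixture: a manifest-only jar, not a real Commons FileUpload build."""
    path.parent.mkdir(parents=True, exist_ok=True)
    with zipfile.ZipFile(path, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF",
                     f"Manifest-Version: 1.0\r\nImplementation-Version: {version}\r\n")

def build_sample_tree():
    """Constructed fixture: a temp dir holding the version from the question (1.2.1)
    and the fixed one (1.3.3). The sub-paths are assumed, not Solr's real layout."""
    root = Path(tempfile.mkdtemp())
    old = root / "WEB-INF/lib/commons-fileupload-1.2.1.jar"
    new = root / "lib/commons-fileupload-1.3.3.jar"
    make_sample_jar(old, "1.2.1")
    make_sample_jar(new, "1.3.3")
    return root, old, new
```

Point audit() at a real installation root to run the check for real; build_sample_tree() exists only to exercise it offline.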