Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

Vulnerabilities in Apache Solr < 4.6.0
From: Nicolas Grégoire <nicolas.gregoire () agarri fr>
Date: Mon, 09 Dec 2013 11:34:11 +0100

Hello,

Apache Solr is search platform edited by the Apache project. Quoting
http://lucene.apache.org/solr/:"its major features include powerful
full-text search, hit highlighting, faceted search, near real-time
indexing, dynamic clustering, database integration, rich document (e.g.,
Word, PDF) handling, and geospatial search".

Several vulnerabilities were fixed in recent versions of Solr:
- directory traversal when using XSLT or Velocity templates
(CVE-2013-6397 / SOLR-4882)
- XXE in UpdateRequestHandler (CVE-2013-6407 / SOLR-3895)
- XXE in DocumentAnalysisRequestHandler (CVE-2013-6408 / SOLR-4881)

These vulnerabilities were confirmed to be exploitable also on old
versions like 3.6.2. Gaining remote code execution is easy by combining
the directory traversal and XXE vulnerabilities.

If you wonder how these vulnerabilities could be exploited in real life
setups when Solr isn't reachable directly from the Internet, you may be
interested in the following blog post:
http://www.agarri.fr/kom/archives/2013/11/27/compromising_an_unreachable_solr_server_with_cve-2013-6397/index.html

Cheers,
Nicolas Grégoire

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

  By Date           By Thread  

Current thread:
  • Vulnerabilities in Apache Solr < 4.6.0 Nicolas Grégoire (Dec 09)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]