FreeBSD : solr -- Code execution via entity expansion (e837390d-0ceb-46b8-9b32-29c1195f5dc7)

critical Nessus Plugin ID 103843

Synopsis

The remote FreeBSD host is missing one or more security-related updates.

Description

Solr developers report:

The Lucene XML parser does not explicitly prohibit doctype declaration and expansion of external entities, which leads to arbitrary HTTP requests to the local SOLR instance and to bypass all firewall restrictions.

The Solr 'RunExecutableListener' class can be used to execute arbitrary commands on specific events, for example after each update query. The problem is that such a listener can be enabled with any parameters just by using the Config API with the add-listener command.

Solution

Update the affected packages.

See Also

http://www.nessus.org/u?58e607db

https://marc.info/?l=apache-announce&m=150786685013286

http://www.nessus.org/u?74838017

Plugin Details

Severity: Critical

ID: 103843

File Name: freebsd_pkg_e837390d0ceb46b89b3229c1195f5dc7.nasl

Version: 3.10

Type: local

Published: 10/16/2017

Updated: 1/4/2021

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: High

Score: 7.4

CVSS v2

Risk Factor: High

Base Score: 7.5

Temporal Score: 5.9

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 8.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:freebsd:freebsd:apache-solr, cpe:/o:freebsd:freebsd

Required KB Items: Host/local_checks_enabled, Host/FreeBSD/release, Host/FreeBSD/pkg_info

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 10/13/2017

Vulnerability Publication Date: 10/13/2017

Reference Information

CVE: CVE-2017-12629

IAVA: 2017-A-0319