FreeBSD : solr -- Code execution via entity expansion (e837390d-0ceb-46b8-9b32-29c1195f5dc7)

High Nessus Plugin ID 103843

Synopsis

The remote FreeBSD host is missing one or more security-related updates.

Description

Solr developers report:

The Lucene XML parser does not explicitly prohibit doctype declaration and expansion of external entities, which leads to arbitrary HTTP requests to the local SOLR instance and to bypassing all firewall restrictions.

The Solr 'RunExecutableListener' class can be used to execute arbitrary commands on specific events, for example after each update query. The problem is that such a listener can be enabled with any parameters just by using the Config API with the add-listener command.

Solution

Update the affected packages.

See Also

http://www.nessus.org/u?58e607db

https://marc.info/?l=apache-announce&m=150786685013286

http://www.nessus.org/u?74838017

Plugin Details

Severity: High

ID: 103843

File Name: freebsd_pkg_e837390d0ceb46b89b3229c1195f5dc7.nasl

Version: 3.9

Type: local

Published: 2017/10/16

Updated: 2019/04/10

Dependencies: 12634

Risk Information

Risk Factor: High

CVSS v2.0

Base Score: 7.5

Temporal Score: 5.9

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

Temporal Vector: CVSS2#E:POC/RL:OF/RC:C

CVSS v3.0

Base Score: 9.8

Temporal Score: 8.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:freebsd:freebsd:apache-solr, cpe:/o:freebsd:freebsd

Required KB Items: Host/local_checks_enabled, Host/FreeBSD/release, Host/FreeBSD/pkg_info

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 2017/10/13

Vulnerability Publication Date: 2017/10/13

Reference Information

CVE: CVE-2017-12629

IAVA: 2017-A-0319