Headline

CVE-2019-17558: [SOLR-13971] Velocity custom template RCE vulnerability

Apache Solr 5.0.0 to Apache Solr 8.3.1 are vulnerable to a Remote Code Execution through the VelocityResponseWriter. A Velocity template can be provided through Velocity templates in a configset velocity/ directory or as a parameter. A user defined configset could contain renderable, potentially malicious, templates. Parameter provided templates are disabled by default, but can be enabled by setting params.resource.loader.enabled by defining a response writer with that setting set to true. Defining a response writer requires configuration API access. Solr 8.4 removed the params resource loader entirely, and only enables the configset-provided template rendering when the configset is trusted (has been uploaded by an authenticated user).

5 years ago

CVE

Open in Source

#vulnerability #web #apache #js #git

Log inSkip to main contentSkip to sidebar

Dashboards
Projects
Issues
Help
- Jira Core help
- Keyboard Shortcuts
- About Jira
- Jira Credits
Log In

Uploaded image for project: 'Solr'

Solr
SOLR-13971

Export

XMLWordPrintableJSON

Details

**Type: ** Bug
Status: Closed
**Priority: ** Blocker
Resolution: Fixed
Affects Version/s: 5.0, 5.5.5, 6.0, 6.6.5, 7.0, 7.7, 8.0, 8.3
Fix Version/s: 7.7.3, 8.4
Component/s: None
Labels:

None

Description

We need to disable this. There is a zero day attack in the wild. 41 stars on this github project:

https://github.com/jas502n/solr_rce
https://gist.github.com/s00py/a1ba36a3689fa13759ff910e179fc133

We need to disable this in a way that cannot be re-enabled using the Config API.

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending

SOLR-13971.patch

27/Nov/19 07:48

11 kB

Ishan Chattopadhyaya

Issue Links

is related to

Bug - A problem which impairs or prevents the functions of the product. SOLR-14025 CVE-2019-17558: Velocity response writer RCE vulnerability persists after 8.3.1