Date: Mon, 09 Dec 2013 11:34:11 +0100
From: Nicolas Grégoire <nicolas.gregoire@...rri.fr>
To: bugtraq@...urityfocus.com, full-disclosure@...ts.grok.org.uk
Subject: Vulnerabilities in Apache Solr < 4.6.0

Hello,

Apache Solr is a search platform edited by the Apache project. Quoting
http://lucene.apache.org/solr/: "its major features include powerful
full-text search, hit highlighting, faceted search, near real-time
indexing, dynamic clustering, database integration, rich document (e.g.,
Word, PDF) handling, and geospatial search".

Several vulnerabilities were fixed in recent versions of Solr:
- directory traversal when using XSLT or Velocity templates
  (CVE-2013-6397 / SOLR-4882)
- XXE in UpdateRequestHandler (CVE-2013-6407 / SOLR-3895)
- XXE in DocumentAnalysisRequestHandler (CVE-2013-6408 / SOLR-4881)

These vulnerabilities were confirmed to be exploitable also on old
versions like 3.6.2. Gaining remote code execution is easy by combining
the directory traversal and XXE vulnerabilities.

If you wonder how these vulnerabilities could be exploited in real life
setups when Solr isn't reachable directly from the Internet, you may be
interested in the following blog post:
http://www.agarri.fr/kom/archives/2013/11/27/compromising_an_unreachable_solr_server_with_cve-2013-6397/index.html

Cheers,
Nicolas Grégoire

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/