Vulnerabilities > CVE-2013-6407 - XML External Entity Injection vulnerability in Apache Solr

047910
CVSS 6.4 - MEDIUM
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
PARTIAL
Integrity impact
NONE
Availability impact
PARTIAL
network
low complexity
apache
nessus

Summary

The UpdateRequestHandler for XML in Apache Solr before 4.1 allows remote attackers to have an unspecified impact via XML data containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue. Per http://secunia.com/advisories/55542: "A vulnerability has been reported in Apache Solr, which can be exploited by malicious people to disclose certain sensitive information or cause a DoS (Denial of Service). [...] The vulnerability is reported in version 3.6.1. Other versions may also be affected."

Nessus

  • NASL family: Debian Local Security Checks
    NASL id: DEBIAN_DSA-2963.NASL
    description: Multiple vulnerabilities were found in Solr, an open source enterprise search server based on Lucene, resulting in information disclosure or code execution.
    last seen: 2020-03-17
    modified: 2014-06-18
    plugin id: 76091
    published: 2014-06-18
    reporter: This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/76091
    title: Debian DSA-2963-1 : lucene-solr - security update
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Debian Security Advisory DSA-2963. The text 
    # itself is copyright (C) Software in the Public Interest, Inc.
    #
    
    include("compat.inc");
    
    # Registration section: when `description` is set the plugin only declares
    # its identifiers, descriptive text and prerequisites, then exits via the
    # exit(0) at the end of this branch without evaluating the host.
    if (description)
    {
      script_id(76091);
      script_version("1.7");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/03/12");
    
      # One advisory, three CVEs: a finding from this plugin does not say which
      # of them applies, only that the DSA-2963 package update is missing.
      script_cve_id("CVE-2013-6397", "CVE-2013-6407", "CVE-2013-6408");
      script_bugtraq_id(63935, 64008, 64009);
      script_xref(name:"DSA", value:"2963");
    
      script_name(english:"Debian DSA-2963-1 : lucene-solr - security update");
      script_summary(english:"Checks dpkg output for the updated package");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Debian host is missing a security-related update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Multiple vulnerabilities were found in Solr, an open source enterprise
    search server based on Lucene, resulting in information disclosure or
    code execution."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://packages.debian.org/source/wheezy/lucene-solr"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.debian.org/security/2014/dsa-2963"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "Upgrade the lucene-solr packages.
    
    For the stable distribution (wheezy), these problems have been fixed
    in version 3.6.0+dfsg-1+deb7u1."
      );
      # CVSS v2 base vector: network access, low complexity, no authentication;
      # partial confidentiality and availability impact, no integrity impact.
      # NOTE(review): the description above mentions code execution, which an
      # I:N vector does not reflect; presumably the score follows only one of
      # the three CVEs. Confirm against the advisory before using it to rank.
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:P");
      # Temporal vector: exploitability unproven (E:U), official fix available
      # (RL:OF), report confirmed (RC:C).
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
    
      # Declared as a local check: it works from package data collected on the
      # host, not from a probe of the Solr service.
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:lucene-solr");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:7.0");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2014/06/17");
      script_set_attribute(attribute:"plugin_publication_date", value:"2014/06/18");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Debian Local Security Checks");
    
      # Prerequisites: the three KB keys below must be present. ssh_get_info.nasl
      # is declared as the dependency, presumably the plugin that populates them
      # during a credentialed scan (verify against that plugin).
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("debian_package.inc");
    
    
    # Preconditions: stop with an audit message unless local checks are enabled,
    # the host was identified as Debian, and a dpkg package list was collected.
    if (!get_kb_item("Host/local_checks_enabled"))
      audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Debian/release"))
      audit(AUDIT_OS_NOT, "Debian");
    if (!get_kb_item("Host/Debian/dpkg-l"))
      audit(AUDIT_PACKAGE_LIST_MISSING);
    
    # Every binary package built from lucene-solr is compared against the same
    # fixed version for Debian 7.0. deb_check comes from debian_package.inc (not
    # shown here); presumably it is true when the package is installed at a
    # version older than `reference` -- confirm against that include.
    # This is a package-level check only: a hit means unpatched packages are
    # installed, not that a Solr service is running or reachable.
    fixed_ver = "3.6.0+dfsg-1+deb7u1";
    pkgs = make_list(
      "liblucene3-contrib-java",
      "liblucene3-java",
      "liblucene3-java-doc",
      "libsolr-java",
      "solr-common",
      "solr-jetty",
      "solr-tomcat"
    );
    
    flag = 0;
    foreach pkg (pkgs)
    {
      if (deb_check(release:"7.0", prefix:pkg, reference:fixed_ver)) flag++;
    }
    
    # No package matched: report the host as not affected. Otherwise raise one
    # warning on port 0, attaching the package report when verbosity allows it.
    if (!flag) audit(AUDIT_HOST_NOT, "affected");
    else
    {
      if (report_verbosity > 0)
        security_warning(port:0, extra:deb_report_get());
      else
        security_warning(0);
      exit(0);
    }
    
  • NASL family: CGI abuses
    NASL id: SOLR_4_3_1.NASL
    description: The version of Apache Solr running on the remote web server is affected by an XML external entity injection vulnerability due to an incorrectly configured XML parser in the 'DocumentAnalysisRequestHandler' class.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 71845
    published: 2014-01-07
    reporter: This script is Copyright (C) 2014-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/71845
    title: Apache Solr < 4.3.1 XML External Entity Injection
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    # Registration section: when `description` is set the plugin only declares
    # its identifiers, descriptive text and prerequisites, then exits via the
    # exit(0) at the end of this branch without contacting the target.
    if (description)
    {
      script_id(71845);
      script_version("1.4");
      script_cvs_date("Date: 2018/07/30 15:31:31");
    
      # Only CVE-2013-6408 is tracked here. Per the description text below it
      # results from an incomplete fix for CVE-2013-6407, so having the earlier
      # fix alone does not clear this finding.
      script_cve_id("CVE-2013-6408");
      script_bugtraq_id(64009);
    
      script_name(english:"Apache Solr < 4.3.1 XML External Entity Injection");
      script_summary(english:"Checks version of Solr");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote web server contains a Java application that is affected by
    an XML External Entity (XXE) injection vulnerability.");
      script_set_attribute(attribute:"description", value:
    "The version of Apache Solr running on the remote web server is
    affected by an XML external entity injection vulnerability due to an
    incorrectly configured XML parser in the
    'DocumentAnalysisRequestHandler' class.  A remote, unauthenticated
    attacker can exploit this flaw to gain access to arbitrary files or to
    cause a denial of service condition.
    
    Note that this issue exists due to an incomplete fix for
    CVE-2013-6407.");
      script_set_attribute(attribute:"see_also", value:"https://issues.apache.org/jira/browse/SOLR-4881");
      script_set_attribute(attribute:"see_also", value:"http://lucene.apache.org/solr/4_3_1/changes/Changes.html");
      script_set_attribute(attribute:"solution", value:
    "Upgrade to Apache Solr version 4.3.1 or later.");
      # CVSS v2 base vector: network access, low complexity, no authentication;
      # partial confidentiality and availability impact, no integrity impact.
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:P");
      # Temporal vector: exploitability unproven (E:U), official fix available
      # (RL:OF), report confirmed (RC:C).
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
      script_set_attribute(attribute:"exploit_available", value:"false");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2013/05/30");
      script_set_attribute(attribute:"patch_publication_date", value:"2013/06/18");
      script_set_attribute(attribute:"plugin_publication_date", value:"2014/01/07");
    
      # Declared as a remote check against the generic Apache Solr CPE.
      script_set_attribute(attribute:"plugin_type", value:"remote");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:apache:solr");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"CGI abuses");
    
      script_copyright(english:"This script is Copyright (C) 2014-2018 Tenable Network Security, Inc.");
    
      # Prerequisites: solr_detect.nbin is the declared dependency and the
      # "installed_sw/Apache Solr" KB key must exist, so this plugin presumably
      # evaluates only installs that detection step already recorded.
      script_dependencies("solr_detect.nbin");
      script_require_keys("installed_sw/Apache Solr");
      script_require_ports("Services/www", 8983);
    
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    include("http.inc");
    include("install_func.inc");
    
    # Look up the Apache Solr install recorded for this host; the helpers are
    # asked to exit when no install exists or when its version is unknown.
    appname = "Apache Solr";
    get_install_count(app_name:appname, exit_if_zero:TRUE);
    
    port    = get_http_port(default:8983);
    install = get_single_install(app_name:appname, port:port, exit_if_unknown_ver:TRUE);
    
    version     = install["version"];
    dir         = install["path"];
    install_url = build_url(port:port, qs:dir);
    
    # Second guard for an unknown version, on top of exit_if_unknown_ver above.
    if (version == UNKNOWN_VER)
      audit(AUDIT_UNKNOWN_WEB_APP_VER, appname, install_url);
    
    # Version comparison only: the finding rests on the recorded version string
    # and nothing in this script sends a request to the affected handler.
    # NOTE(review): a distribution build that backports the fix under an older
    # upstream version (DSA-2963 ships its fix as 3.6.0+dfsg-1+deb7u1) would
    # presumably still compare below 4.3.1 and be reported; correlate with the
    # local package check before treating a hit as confirmed.
    verdict = ver_compare(ver:version, fix:"4.3.1", strict:FALSE);
    
    if (verdict != -1)
      audit(AUDIT_WEB_APP_NOT_AFFECTED, appname, install_url, version);
    else if (report_verbosity > 0)
    {
      # Verbose report: where the install was found, what runs, what fixes it.
      report =
        '\n  URL               : ' + install_url +
        '\n  Installed version : ' + version +
        '\n  Fixed version     : 4.3.1\n';
      security_warning(port:port, extra:report);
    }
    else security_warning(port);
    
  • NASL family: CGI abuses
    NASL id: SOLR_4_1_0.NASL
    description: The version of Apache Solr running on the remote web server is affected by multiple XML external entity injection vulnerabilities because the XML parser accepts XML data containing external entity declarations from untrusted sources. A remote, unauthenticated attacker can exploit this flaw to gain access to arbitrary files or to cause a denial of service condition.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 71844
    published: 2014-01-07
    reporter: This script is Copyright (C) 2014-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/71844
    title: Apache Solr < 4.1.0 Multiple XML External Entity Injections
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    # Registration section: when `description` is set the plugin only declares
    # its identifiers, descriptive text and prerequisites, then exits via the
    # exit(0) at the end of this branch without contacting the target.
    if (description)
    {
      script_id(71844);
      script_version("1.4");
      script_cvs_date("Date: 2018/07/30 15:31:31");
    
      # Two CVEs share this plugin; a finding does not say which one applies,
      # only that the detected version is below the fixed release.
      script_cve_id("CVE-2012-6612", "CVE-2013-6407");
      script_bugtraq_id(64008, 64427);
    
      script_name(english:"Apache Solr < 4.1.0 Multiple XML External Entity Injections");
      script_summary(english:"Checks version of Apache Solr.");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote web server contains a Java application that is affected by
    multiple XML External Entity (XXE) injection vulnerabilities.");
      script_set_attribute(attribute:"description", value:
    "The version of Apache Solr running on the remote web server is
    affected by multiple XML external entity injection vulnerabilities
    because the XML parser accepts XML data containing external entity
    declarations from untrusted sources. A remote, unauthenticated
    attacker can exploit this flaw to gain access to arbitrary files or to
    cause a denial of service condition.");
      script_set_attribute(attribute:"see_also", value:"https://issues.apache.org/jira/browse/SOLR-3895");
      script_set_attribute(attribute:"see_also", value:"http://lucene.apache.org/solr/4_1_0/changes/Changes.html");
      script_set_attribute(attribute:"solution", value:
    "Upgrade to Apache Solr version 4.1.0 or later.");
      # CVSS v2 base vector: network access, low complexity, no authentication;
      # partial confidentiality, integrity and availability impact.
      # NOTE(review): integrity is scored partial here, whereas the
      # CVE-2013-6407 entry itself is listed with integrity impact NONE;
      # presumably the higher score comes from CVE-2012-6612 -- confirm before
      # reusing this vector for CVE-2013-6407 alone.
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      # Temporal vector: exploitability unproven (E:U), official fix available
      # (RL:OF), report confirmed (RC:C).
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
      script_set_attribute(attribute:"exploit_available", value:"false");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2012/09/26");
      script_set_attribute(attribute:"patch_publication_date", value:"2012/09/27");
      script_set_attribute(attribute:"plugin_publication_date", value:"2014/01/07");
    
      # Declared as a remote check against the generic Apache Solr CPE.
      script_set_attribute(attribute:"plugin_type", value:"remote");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:apache:solr");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"CGI abuses");
    
      script_copyright(english:"This script is Copyright (C) 2014-2018 Tenable Network Security, Inc.");
    
      # Prerequisites: solr_detect.nbin is the declared dependency and the
      # "installed_sw/Apache Solr" KB key must exist, so this plugin presumably
      # evaluates only installs that detection step already recorded.
      script_dependencies("solr_detect.nbin");
      script_require_keys("installed_sw/Apache Solr");
      script_require_ports("Services/www", 8983);
    
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    include("http.inc");
    include("install_func.inc");
    
    # Look up the Apache Solr install recorded for this host; the helpers are
    # asked to exit when no install exists or when its version is unknown.
    appname = "Apache Solr";
    get_install_count(app_name:appname, exit_if_zero:TRUE);
    
    port    = get_http_port(default:8983);
    install = get_single_install(app_name:appname, port:port, exit_if_unknown_ver:TRUE);
    
    version     = install["version"];
    dir         = install["path"];
    install_url = build_url(port:port, qs:dir);
    
    # Second guard for an unknown version, on top of exit_if_unknown_ver above.
    if (version == UNKNOWN_VER)
      audit(AUDIT_UNKNOWN_WEB_APP_VER, appname, install_url);
    
    # Version comparison only: the finding rests on the recorded version string
    # and nothing in this script sends XML to the update handler.
    # NOTE(review): a distribution build that backports the fix under an older
    # upstream version (DSA-2963 ships its fix as 3.6.0+dfsg-1+deb7u1) would
    # presumably still compare below 4.1.0 and be reported; correlate with the
    # local package check before treating a hit as confirmed.
    verdict = ver_compare(ver:version, fix:"4.1.0", strict:FALSE);
    
    if (verdict != -1)
      audit(AUDIT_WEB_APP_NOT_AFFECTED, appname, install_url, version);
    else if (report_verbosity > 0)
    {
      # Verbose report: where the install was found, what runs, what fixes it.
      # Reported through security_hole, matching the I:P base vector this
      # plugin registers.
      report =
        '\n  URL               : ' + install_url +
        '\n  Installed version : ' + version +
        '\n  Fixed version     : 4.1.0\n';
      security_hole(port:port, extra:report);
    }
    else security_hole(port);
    

Redhat

advisories
  • rhsa
    id: RHSA-2013:1844
  • rhsa
    id: RHSA-2014:0029