Vulnerabilities > CVE-2013-6408 - Unspecified vulnerability in Apache Solr

047910
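CVSS 0.0 - NONE (no score is populated for this entry; the Nessus plugins listed below carry the CVSS2 vector AV:N/AC:L/Au:N/C:P/I:N/A:P)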
Attack vector
UNKNOWN
Attack complexity
UNKNOWN
Privileges required
UNKNOWN
Confidentiality impact
UNKNOWN
Integrity impact
UNKNOWN
Availability impact
UNKNOWN
apache
nessus

Summary

The DocumentAnalysisRequestHandler in Apache Solr before 4.3.1 does not properly use the EmptyEntityResolver, which allows remote attackers to have an unspecified impact via XML data containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-6407.

Nessus

  • NASL family: Debian Local Security Checks
    NASL id: DEBIAN_DSA-2963.NASL
    description: Multiple vulnerabilities were found in Solr, an open source enterprise search server based on Lucene, resulting in information disclosure or code execution.
    last seen: 2020-03-17
    modified: 2014-06-18
    plugin id: 76091
    published: 2014-06-18
    reporter: This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/76091
    title: Debian DSA-2963-1 : lucene-solr - security update
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Debian Security Advisory DSA-2963. The text 
    # itself is copyright (C) Software in the Public Interest, Inc.
    #
    
    include("compat.inc");
    
    # Registration phase: when the scanner evaluates the script with
    # `description` set, only the plugin metadata below is declared and the
    # script exits before any host check runs.
    if (description)
    {
      script_id(76091);
      script_version("1.7");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/03/12");
    
      # One plugin covers three CVEs; a finding means the DSA-2963 package
      # update is missing, not that a specific CVE was individually confirmed.
      script_cve_id("CVE-2013-6397", "CVE-2013-6407", "CVE-2013-6408");
      script_bugtraq_id(63935, 64008, 64009);
      script_xref(name:"DSA", value:"2963");
    
      script_name(english:"Debian DSA-2963-1 : lucene-solr - security update");
      script_summary(english:"Checks dpkg output for the updated package");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Debian host is missing a security-related update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Multiple vulnerabilities were found in Solr, an open source enterprise
    search server based on Lucene, resulting in information disclosure or
    code execution."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://packages.debian.org/source/wheezy/lucene-solr"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.debian.org/security/2014/dsa-2963"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "Upgrade the lucene-solr packages.
    
    For the stable distribution (wheezy), these problems have been fixed
    in version 3.6.0+dfsg-1+deb7u1."
      );
      # CVSS v2 base vector: network reachable, low complexity, no
      # authentication, partial confidentiality and availability impact,
      # no integrity impact.
      # NOTE(review): the description above mentions code execution while this
      # vector records I:N - confirm which rating to use for prioritisation.
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
    
      # Declared as a local check: the result depends on package data gathered
      # from the host (see the required KB keys below), not on probing Solr.
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:lucene-solr");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:7.0");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2014/06/17");
      script_set_attribute(attribute:"plugin_publication_date", value:"2014/06/18");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Debian Local Security Checks");
    
      # The plugin only runs after ssh_get_info.nasl and only when these KB
      # keys exist - presumably they are populated by that dependency during an
      # authenticated scan; without them no result is produced for the host.
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("debian_package.inc");
    
    
    # Preconditions: local checks enabled, a Debian release recorded, and a
    # dpkg package list available in the KB. Each failure ends the run through
    # audit() with the matching reason.
    if (!get_kb_item("Host/local_checks_enabled"))
      audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Debian/release"))
      audit(AUDIT_OS_NOT, "Debian");
    if (!get_kb_item("Host/Debian/dpkg-l"))
      audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    # Binary packages covered by the advisory; every one is compared against
    # the same fixed version on Debian 7.0.
    dsa_packages = make_list(
      "liblucene3-contrib-java",
      "liblucene3-java",
      "liblucene3-java-doc",
      "libsolr-java",
      "solr-common",
      "solr-jetty",
      "solr-tomcat"
    );
    
    # Count the packages for which deb_check() reports a hit. All packages are
    # checked (no early exit) so that deb_report_get() can list each of them.
    unpatched = 0;
    foreach dsa_pkg (dsa_packages)
    {
      if (deb_check(release:"7.0", prefix:dsa_pkg, reference:"3.6.0+dfsg-1+deb7u1"))
        unpatched++;
    }
    
    # No hit: record the host as not affected. Otherwise raise a warning,
    # attaching the package report when verbosity allows it.
    if (!unpatched) audit(AUDIT_HOST_NOT, "affected");
    else
    {
      if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get());
      else security_warning(0);
      exit(0);
    }
    
  • NASL family: CGI abuses
    NASL id: SOLR_4_3_1.NASL
    description: The version of Apache Solr running on the remote web server is affected by an XML external entity injection vulnerability due to an incorrectly configured XML parser in the 'DocumentAnalysisRequestHandler' class.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 71845
    published: 2014-01-07
    reporter: This script is Copyright (C) 2014-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/71845
    title: Apache Solr < 4.3.1 XML External Entity Injection
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    # Registration phase: when the scanner evaluates the script with
    # `description` set, only the plugin metadata below is declared and the
    # script exits before any host check runs.
    if (description)
    {
      script_id(71845);
      script_version("1.4");
      script_cvs_date("Date: 2018/07/30 15:31:31");
    
      script_cve_id("CVE-2013-6408");
      script_bugtraq_id(64009);
    
      script_name(english:"Apache Solr < 4.3.1 XML External Entity Injection");
      # The summary states the detection method: a version check, not a probe
      # of the affected request handler.
      script_summary(english:"Checks version of Solr");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote web server contains a Java application that is affected by
    an XML External Entity (XXE) injection vulnerability.");
      script_set_attribute(attribute:"description", value:
    "The version of Apache Solr running on the remote web server is
    affected by an XML external entity injection vulnerability due to an
    incorrectly configured XML parser in the
    'DocumentAnalysisRequestHandler' class.  A remote, unauthenticated
    attacker can exploit this flaw to gain access to arbitrary files or to
    cause a denial of service condition.
    
    Note that this issue exists due to an incomplete fix for
    CVE-2013-6407.");
      script_set_attribute(attribute:"see_also", value:"https://issues.apache.org/jira/browse/SOLR-4881");
      script_set_attribute(attribute:"see_also", value:"http://lucene.apache.org/solr/4_3_1/changes/Changes.html");
      script_set_attribute(attribute:"solution", value:
    "Upgrade to Apache Solr version 4.3.1 or later.");
      # CVSS v2 base vector: network reachable, low complexity, no
      # authentication, partial confidentiality and availability impact -
      # matching the file-access and denial-of-service impact described above.
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      # "No exploit is required" together with exploit_available=false: the
      # metadata records that no dedicated exploit code is needed or tracked.
      script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
      script_set_attribute(attribute:"exploit_available", value:"false");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2013/05/30");
      script_set_attribute(attribute:"patch_publication_date", value:"2013/06/18");
      script_set_attribute(attribute:"plugin_publication_date", value:"2014/01/07");
    
      # Declared as a remote check; no credentials on the target are required
      # by the keys and ports listed below.
      script_set_attribute(attribute:"plugin_type", value:"remote");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:apache:solr");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"CGI abuses");
    
      script_copyright(english:"This script is Copyright (C) 2014-2018 Tenable Network Security, Inc.");
    
      # Runs only after solr_detect.nbin has recorded an "Apache Solr" install
      # in the KB; web services and port 8983 are the ports considered.
      script_dependencies("solr_detect.nbin");
      script_require_keys("installed_sw/Apache Solr");
      script_require_ports("Services/www", 8983);
    
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    include("http.inc");
    include("install_func.inc");
    
    # Version-only detection: the verdict comes from comparing the version
    # recorded for the detected install against 4.3.1. No request is sent to
    # the DocumentAnalysisRequestHandler, so a build with a backported fix or
    # with the handler disabled would presumably still be reported - confirm
    # such findings on the host.
    solr_app = "Apache Solr";
    get_install_count(app_name:solr_app, exit_if_zero:TRUE);
    
    port = get_http_port(default:8983);
    solr_install = get_single_install(app_name:solr_app, port:port, exit_if_unknown_ver:TRUE);
    
    base_path = solr_install["path"];
    found_ver = solr_install["version"];
    solr_url  = build_url(port:port, qs:base_path);
    
    # Without a usable version string the comparison below is meaningless.
    if (found_ver == UNKNOWN_VER)
      audit(AUDIT_UNKNOWN_WEB_APP_VER, solr_app, solr_url);
    
    # Anything that does not compare as older than 4.3.1 is audited as not
    # affected; older versions raise a warning on the Solr port.
    if (ver_compare(ver:found_ver, fix:"4.3.1", strict:FALSE) != -1)
      audit(AUDIT_WEB_APP_NOT_AFFECTED, solr_app, solr_url, found_ver);
    else
    {
      if (report_verbosity <= 0) security_warning(port);
      else
      {
        details =
          '\n  URL               : ' + solr_url +
          '\n  Installed version : ' + found_ver +
          '\n  Fixed version     : 4.3.1\n';
        security_warning(port:port, extra:details);
      }
    }
    

Redhat

advisories
  • rhsa
    id: RHSA-2013:1844
  • rhsa
    id: RHSA-2014:0029