Vulnerabilities > CVE-2018-1308 - XXE vulnerability in multiple products
Attack vector
NETWORK Attack complexity
LOW Privileges required
NONE Confidentiality impact
HIGH Integrity impact
NONE Availability impact
NONE Summary
This vulnerability in Apache Solr 1.2 to 6.6.2 and 7.0.0 to 7.2.1 relates to an XML external entity expansion (XXE) in the `&dataConfig=<inlinexml>` parameter of Solr's DataImportHandler. It can be used as XXE using file/ftp/http protocols in order to read arbitrary local files from the Solr server or the internal network.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Nessus
NASL family Debian Local Security Checks NASL id DEBIAN_DLA-1360.NASL description It was discovered that there was an XML external entity expansion (XXE) vulnerability in lucene-solr, a search engine library for Java. It could be exploited to read arbitrary local files from the Solr server or the internal network. For Debian 7 last seen 2020-03-17 modified 2018-04-25 plugin id 109327 published 2018-04-25 reporter This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/109327 title Debian DLA-1360-1 : lucene-solr security update code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Debian Security Advisory DLA-1360-1. The text # itself is copyright (C) Software in the Public Interest, Inc. # include("compat.inc"); if (description) { script_id(109327); script_version("1.4"); script_set_attribute(attribute:"plugin_modification_date", value:"2020/03/12"); script_cve_id("CVE-2018-1308"); script_name(english:"Debian DLA-1360-1 : lucene-solr security update"); script_summary(english:"Checks dpkg output for the updated packages."); script_set_attribute( attribute:"synopsis", value:"The remote Debian host is missing a security update." ); script_set_attribute( attribute:"description", value: "It was discovered that there was an XML external entity expansion (XXE) vulnerability in lucene-solr, a search engine library for Java. It could be exploited to read arbitrary local files from the Solr server or the internal network. For Debian 7 'Wheezy', this issue has been fixed in lucene-solr version 3.6.0+dfsg-1+deb7u4. We recommend that you upgrade your lucene-solr packages. NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues." ); script_set_attribute( attribute:"see_also", value:"https://lists.debian.org/debian-lts-announce/2018/04/msg00025.html" ); script_set_attribute( attribute:"see_also", value:"https://packages.debian.org/source/wheezy/lucene-solr" ); script_set_attribute(attribute:"solution", value:"Upgrade the affected packages."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:liblucene3-contrib-java"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:liblucene3-java"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:liblucene3-java-doc"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libsolr-java"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:solr-common"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:solr-jetty"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:solr-tomcat"); script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:7.0"); script_set_attribute(attribute:"patch_publication_date", value:"2018/04/24"); script_set_attribute(attribute:"plugin_publication_date", value:"2018/04/25"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Debian Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l"); exit(0); } include("audit.inc"); include("debian_package.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian"); if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING); flag = 0; if (deb_check(release:"7.0", prefix:"liblucene3-contrib-java", reference:"3.6.0+dfsg-1+deb7u4")) flag++; if (deb_check(release:"7.0", prefix:"liblucene3-java", reference:"3.6.0+dfsg-1+deb7u4")) flag++; if (deb_check(release:"7.0", prefix:"liblucene3-java-doc", reference:"3.6.0+dfsg-1+deb7u4")) flag++; if (deb_check(release:"7.0", prefix:"libsolr-java", reference:"3.6.0+dfsg-1+deb7u4")) flag++; if (deb_check(release:"7.0", prefix:"solr-common", reference:"3.6.0+dfsg-1+deb7u4")) flag++; if (deb_check(release:"7.0", prefix:"solr-jetty", reference:"3.6.0+dfsg-1+deb7u4")) flag++; if (deb_check(release:"7.0", prefix:"solr-tomcat", reference:"3.6.0+dfsg-1+deb7u4")) flag++; if (flag) { if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get()); else security_warning(0); exit(0); } else audit(AUDIT_HOST_NOT, "affected");
NASL family Debian Local Security Checks NASL id DEBIAN_DSA-4194.NASL description An XML external entity expansion vulnerability was discovered in the DataImportHandler of Solr, a search server based on Lucene, which could result in information disclosure. last seen 2020-06-01 modified 2020-06-02 plugin id 109589 published 2018-05-07 reporter This script is Copyright (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/109589 title Debian DSA-4194-1 : lucene-solr - security update
References
- https://issues.apache.org/jira/browse/SOLR-11971
- https://issues.apache.org/jira/browse/SOLR-11971
- https://lists.apache.org/thread.html/708d94141126eac03011144a971a6411fcac16d9c248d1d535a39451%40%3Csolr-user.lucene.apache.org%3E
- https://lists.apache.org/thread.html/708d94141126eac03011144a971a6411fcac16d9c248d1d535a39451%40%3Csolr-user.lucene.apache.org%3E
- https://lists.debian.org/debian-lts-announce/2018/04/msg00025.html
- https://lists.debian.org/debian-lts-announce/2018/04/msg00025.html
- https://mail-archives.apache.org/mod_mbox/www-announce/201804.mbox/%3C000001d3cf68%245ac69af0%241053d0d0%24%40apache.org%3E
- https://mail-archives.apache.org/mod_mbox/www-announce/201804.mbox/%3C000001d3cf68%245ac69af0%241053d0d0%24%40apache.org%3E
- https://www.debian.org/security/2018/dsa-4194
- https://www.debian.org/security/2018/dsa-4194