When using the Index Replication feature, Apache Solr nodes can pull index files from a master/leader node using an HTTP API which accepts a file name. However, Solr before 5.5.4 and 6.x before 6.4.1 did not validate the file name, hence it was possible to craft a special request involving path traversal, leaving any file readable to the Solr server process exposed. Solr servers protected and restricted by firewall rules and/or authentication would not be at risk since only trusted clients and users would gain direct HTTP access.

When using the Index Replication feature, Apache Solr nodes can pull index files from a master/leader node using an HTTP API which accepts a file name. Solr versions < 5.5.4 and 6.x < 6.4.1 do not validate this file name allowing for a remote, unauthenticated attacker to access any file(s) readable by the Solr application.

Note that the scanner has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 6 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2018:1449 advisory.

    Red Hat JBoss Enterprise Application Platform is a platform for Java applications based on the JBoss     Application Server.

    This release of Red Hat JBoss Enterprise Application Platform 6.4.20 serves as a replacement for Red Hat     JBoss Enterprise Application Platform 6.4.19, and includes bug fixes and enhancements, which are     documented in the Release Notes document linked to in the References.

    Security Fix(es):

    * jackson-databind: Unsafe deserialization due to incomplete black list (incomplete fix for CVE-2017-7525)     (CVE-2017-15095)

    * jackson-databind: Unsafe deserialization due to incomplete black list (incomplete fix for     CVE-2017-15095) (CVE-2017-17485)

    * slf4j: Deserialisation vulnerability in EventData constructor can allow for arbitrary code execution     (CVE-2018-8088)

    * Apache ActiveMQ Artemis: Deserialization of untrusted input vulnerability (CVE-2016-4978)

    * solr: Directory traversal via Index Replication HTTP API (CVE-2017-3163)

    * tomcat: Incorrect handling of empty string URL in security constraints can lead to unintended exposure     of resources (CVE-2018-1304)

    * jackson-databind: incomplete fix for CVE-2017-7525 permits unsafe serialization via c3p0 libraries     (CVE-2018-7489)

    For more details about the security issue(s), including the impact, a CVSS score, and other related     information, refer to the CVE page(s) listed in the References section.

    Red Hat would like to thank Liao Xinxi (NSFOCUS) for reporting CVE-2017-15095; 0c0c0f from     360 for reporting CVE-2017-17485; and Chris McCown for reporting CVE-2018-8088.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2018:1448 advisory.

    Red Hat JBoss Enterprise Application Platform is a platform for Java applications based on the JBoss     Application Server.

    This release of Red Hat JBoss Enterprise Application Platform 6.4.20 serves as a replacement for Red Hat     JBoss Enterprise Application Platform 6.4.19, and includes bug fixes and enhancements, which are     documented in the Release Notes document linked to in the References.

    Security Fix(es):

    * jackson-databind: Unsafe deserialization due to incomplete black list (incomplete fix for CVE-2017-7525)     (CVE-2017-15095)

    * jackson-databind: Unsafe deserialization due to incomplete black list (incomplete fix for     CVE-2017-15095) (CVE-2017-17485)

    * slf4j: Deserialisation vulnerability in EventData constructor can allow for arbitrary code execution     (CVE-2018-8088)

    * Apache ActiveMQ Artemis: Deserialization of untrusted input vulnerability (CVE-2016-4978)

    * solr: Directory traversal via Index Replication HTTP API (CVE-2017-3163)

    * tomcat: Incorrect handling of empty string URL in security constraints can lead to unintended exposure     of resources (CVE-2018-1304)

    * jackson-databind: incomplete fix for CVE-2017-7525 permits unsafe serialization via c3p0 libraries     (CVE-2018-7489)

    For more details about the security issue(s), including the impact, a CVSS score, and other related     information, refer to the CVE page(s) listed in the References section.

    Red Hat would like to thank Liao Xinxi (NSFOCUS) for reporting CVE-2017-15095; 0c0c0f from     360 for reporting CVE-2017-17485; and Chris McCown for reporting CVE-2018-8088.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 6 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2018:1451 advisory.

    The jboss-ec2-eap packages provide scripts for Red Hat JBoss Enterprise     Application Platform running on the Amazon Web Services (AWS) Elastic Compute Cloud (EC2).

    With this update, the jboss-ec2-eap package has been updated to ensure     compatibility with Red Hat JBoss Enterprise Application Platform 6.4.19.

    Security Fix(es):

    * jackson-databind: Unsafe deserialization due to incomplete black list (incomplete fix for CVE-2017-7525)     (CVE-2017-15095)

    * jackson-databind: Unsafe deserialization due to incomplete black list (incomplete fix for     CVE-2017-15095) (CVE-2017-17485)

    * slf4j: Deserialisation vulnerability in EventData constructor can allow for arbitrary code execution     (CVE-2018-8088)

    * Apache ActiveMQ Artemis: Deserialization of untrusted input vulnerability (CVE-2016-4978)

    * solr: Directory traversal via Index Replication HTTP API (CVE-2017-3163)

    * tomcat: Incorrect handling of empty string URL in security constraints can lead to unintended exposure     of resources (CVE-2018-1304)

    * jackson-databind: incomplete fix for CVE-2017-7525 permits unsafe serialization via c3p0 libraries     (CVE-2018-7489)

    For more details about the security issue(s), including the impact, a CVSS score, and other related     information, refer to the CVE page(s) listed in the References section.

    Red Hat would like to thank Liao Xinxi (NSFOCUS) for reporting CVE-2017-15095; 0c0c0f from     360 for reporting CVE-2017-17485; and Chris McCown for reporting CVE-2018-8088.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Two vulnerabilities have been found in Solr, a search server based on Lucene, which could result in the execution of arbitrary code or path traversal.

lucene-solr handler supports an HTTP API (/replication?command=filecontent&file=<file_name>) which is vulnerable to path traversal attack. Specifically, this API does not perform any validation of the user specified file_name parameter. This can allow an attacker to download any file readable to Solr server process even if it is not related to the actual Solr index state.

For Debian 7 'Wheezy', this problem has been fixed in version 3.6.0+dfsg-1+deb7u2.

We recommend that you upgrade your lucene-solr packages.

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

ID	Name	Product	Family	Severity
98895	Apache Solr 6.x < 6.4.1 Directory Traversal	Web App Scanning	Component Vulnerability	high
98894	Apache Solr < 5.5.4 Directory Traversal	Web App Scanning	Component Vulnerability	high
109906	RHEL 6 : Red Hat JBoss Enterprise Application Platform 6.4.20 (RHSA-2018:1449)	Nessus	Red Hat Local Security Checks	critical
109905	RHEL 7 : Red Hat JBoss Enterprise Application Platform 6.4.20 (RHSA-2018:1448)	Nessus	Red Hat Local Security Checks	critical
109838	RHEL 6 : eap6-jboss-ec2-eap (RHSA-2018:1451)	Nessus	Red Hat Local Security Checks	critical
107024	Debian DSA-4124-1 : lucene-solr - security update	Nessus	Debian Local Security Checks	critical
102044	Debian DLA-1046-1 : lucene-solr security update	Nessus	Debian Local Security Checks	high

Detections

Analytics

CVE-2017-3163

high

Tenable Plugins

high

high

critical

critical

critical

critical

high