When using the Index Replication feature, Apache Solr nodes can pull index files from a master/leader node using an HTTP API which accepts a file name. However, Solr before 5.5.4 and 6.x before 6.4.1 did not validate the file name, hence it was possible to craft a special request involving path traversal, leaving any file readable to the Solr server process exposed. Solr servers protected and restricted by firewall rules and/or authentication would not be at risk since only trusted clients and users would gain direct HTTP access.

When using the Index Replication feature, Apache Solr nodes can pull index files from a master/leader node using an HTTP API which accepts a file name. Solr versions < 5.5.4 and 6.x < 6.4.1 do not validate this file name allowing for a remote, unauthenticated attacker to access any file(s) readable by the Solr application.

Note that the scanner has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 6 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2018:1449 advisory.

  - Apache ActiveMQ Artemis: Deserialization of untrusted input vulnerability (CVE-2016-4978)

  - solr: Directory traversal via Index Replication HTTP API (CVE-2017-3163)

  - jackson-databind: Deserialization vulnerability via readValue method of ObjectMapper (CVE-2017-7525)

  - jackson-databind: Unsafe deserialization due to incomplete black list (incomplete fix for CVE-2017-7525)     (CVE-2017-15095)

  - jackson-databind: Unsafe deserialization due to incomplete black list (incomplete fix for CVE-2017-15095)     (CVE-2017-17485)

  - tomcat: Incorrect handling of empty string URL in security constraints can lead to unintended exposure of     resources (CVE-2018-1304)

  - jackson-databind: incomplete fix for CVE-2017-7525 permits unsafe serialization via c3p0 libraries     (CVE-2018-7489)

  - slf4j: Deserialisation vulnerability in EventData constructor can allow for arbitrary code execution     (CVE-2018-8088)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2018:1448 advisory.

  - Apache ActiveMQ Artemis: Deserialization of untrusted input vulnerability (CVE-2016-4978)

  - solr: Directory traversal via Index Replication HTTP API (CVE-2017-3163)

  - jackson-databind: Unsafe deserialization due to incomplete black list (incomplete fix for CVE-2017-7525)     (CVE-2017-15095)

  - jackson-databind: Unsafe deserialization due to incomplete black list (incomplete fix for CVE-2017-15095)     (CVE-2017-17485)

  - tomcat: Incorrect handling of empty string URL in security constraints can lead to unintended exposure of     resources (CVE-2018-1304)

  - jackson-databind: incomplete fix for CVE-2017-7525 permits unsafe serialization via c3p0 libraries     (CVE-2018-7489)

  - slf4j: Deserialisation vulnerability in EventData constructor can allow for arbitrary code execution     (CVE-2018-8088)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

An update for jboss-ec2-eap is now available for Red Hat JBoss Enterprise Application Platform 6.4 for Red Hat Enterprise Linux 6.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

The jboss-ec2-eap packages provide scripts for Red Hat JBoss Enterprise Application Platform running on the Amazon Web Services (AWS) Elastic Compute Cloud (EC2).

With this update, the jboss-ec2-eap package has been updated to ensure compatibility with Red Hat JBoss Enterprise Application Platform 6.4.19.

Security Fix(es) :

* jackson-databind: Unsafe deserialization due to incomplete black list (incomplete fix for CVE-2017-7525) (CVE-2017-15095)

* jackson-databind: Unsafe deserialization due to incomplete black list (incomplete fix for CVE-2017-15095) (CVE-2017-17485)

* slf4j: Deserialisation vulnerability in EventData constructor can allow for arbitrary code execution (CVE-2018-8088)

* Apache ActiveMQ Artemis: Deserialization of untrusted input vulnerability (CVE-2016-4978)

* solr: Directory traversal via Index Replication HTTP API (CVE-2017-3163)

* tomcat: Incorrect handling of empty string URL in security constraints can lead to unintended exposure of resources (CVE-2018-1304)

* jackson-databind: incomplete fix for CVE-2017-7525 permits unsafe serialization via c3p0 libraries (CVE-2018-7489)

For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.

Red Hat would like to thank Liao Xinxi (NSFOCUS) for reporting CVE-2017-15095; 0c0c0f from 360Guan Xing Shi Yan Shi  for reporting CVE-2017-17485; and Chris McCown for reporting CVE-2018-8088.

Two vulnerabilities have been found in Solr, a search server based on Lucene, which could result in the execution of arbitrary code or path traversal.

lucene-solr handler supports an HTTP API (/replication?command=filecontent&file=<file_name>) which is vulnerable to path traversal attack. Specifically, this API does not perform any validation of the user specified file_name parameter. This can allow an attacker to download any file readable to Solr server process even if it is not related to the actual Solr index state.

For Debian 7 'Wheezy', this problem has been fixed in version 3.6.0+dfsg-1+deb7u2.

We recommend that you upgrade your lucene-solr packages.

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

ID	Name	Product	Family	Severity
98895	Apache Solr 6.x < 6.4.1 Directory Traversal	Web App Scanning	Component Vulnerability	high
98894	Apache Solr < 5.5.4 Directory Traversal	Web App Scanning	Component Vulnerability	high
109906	RHEL 6 : Red Hat JBoss Enterprise Application Platform 6.4.20 (RHSA-2018:1449)	Nessus	Red Hat Local Security Checks	critical
109905	RHEL 7 : Red Hat JBoss Enterprise Application Platform 6.4.20 (RHSA-2018:1448)	Nessus	Red Hat Local Security Checks	critical
109838	RHEL 6 : eap6-jboss-ec2-eap (RHSA-2018:1451)	Nessus	Red Hat Local Security Checks	critical
107024	Debian DSA-4124-1 : lucene-solr - security update	Nessus	Debian Local Security Checks	critical
102044	Debian DLA-1046-1 : lucene-solr security update	Nessus	Debian Local Security Checks	high

Detections

Analytics

CVE-2017-3163

high

Tenable Plugins

high

high

critical

critical

critical

critical

high