CVE-2019-17558 Information

Description

Apache Solr 5.0.0 to Apache Solr 8.3.1 are vulnerable to a Remote Code Execution through the VelocityResponseWriter. A Velocity template can be provided through Velocity templates in a configset velocity/ directory or as a parameter. A user defined configset could contain renderable potentially malicious templates. Parameter provided templates are disabled by default but can be enabled by setting params.resource.loader.enabled by defining a response writer with that setting set to true. Defining a response writer requires configuration API access. Solr 8.4 removed the params resource loader entirely and only enables the configset-provided template rendering when the configset is trusted (has been uploaded by an authenticated user).

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Reference

http://packetstormsecurity.com/files/157078/Apache-Solr-8.3.0-Velocity-Template-Remote-Code-Execution.html https://issues.apache.org/jira/browse/SOLR-13971 https://lists.apache.org/thread.html/r0b7b9d4113e6ec1ae1d3d0898c645f758511107ea44f0f3a1210c5d5@3Cissues.lucene.apache.org3E https://lists.apache.org/thread.html/r12ab2cb15a34e49b4fecb5b2bdd7e10f3e8b7bf1f4f47fcde34d3a7c@3Cissues.lucene.apache.org3E https://lists.apache.org/thread.html/r19d23e8640236a3058b4d6c23e5cd663fde182255f5a9d63e0606a66@3Cdev.lucene.apache.org3E https://lists.apache.org/thread.html/r204ba2a9ea750f38d789d2bb429cc0925ad6133deea7cbc3001d96b5@3Csolr-user.lucene.apache.org3E https://lists.apache.org/thread.html/r25f1bd4545617f5b86dde27b4c30fec73117af65598a30e20209739a@3Cissues.lucene.apache.org3E https://lists.apache.org/thread.html/r339865b276614661770c909be1dd7e862232e3ef0af98bfd85686b51@3Cdev.lucene.apache.org3E https://lists.apache.org/thread.html/r36e35fd76239a381643555966fb3e72139e018d52d76544fb42f96d8@3Cissues.lucene.apache.org3E https://lists.apache.org/thread.html/r5074d814d3a8c75df4b20e66bfd268ee0a73ddea7e85070cec3ae78d@3Cissues.lucene.apache.org3E https://lists.apache.org/thread.html/r58c58fe51c87bc30ee13bb8b4c83587f023edb349018705208e65b37@3Cissues.lucene.apache.org3E https://lists.apache.org/thread.html/r9271d030452170ba6160c022757e1b5af8a4c9ccf9e04164dec02e7f@3Cissues.lucene.apache.org3E https://lists.apache.org/thread.html/r99c3f7ec3a079e2abbd540ecdb55a0e2a0f349ca7084273a12e87aeb@3Cissues.lucene.apache.org3E https://lists.apache.org/thread.html/ra29fa6ede5184385bf2c63e8ec054990a7d4622bba1d244bee70d82d@3Cissues.lucene.apache.org3E https://lists.apache.org/thread.html/rafc939fdd753f55707841cd5886fc7fcad4d8d8ba0c72429b3220a9a@3Cissues.lucene.apache.org3E https://lists.apache.org/thread.html/rb964fe5c4e3fc05f75e8f74bf6b885f456b7a7750c36e9a8045c627a@3Cissues.lucene.apache.org3E https://lists.apache.org/thread.html/rde3dbd8e646dabf8bef1b097e9a13ee0ecbdb8441aaed6092726c98d@3Cissues.ambari.apache.org3E https://lists.apache.org/thread.html/rf5230a049d989dbfdd404b4320a265dceeeba459a4d04ec21873bd55@3Csolr-user.lucene.apache.org3E https://lists.apache.org/thread.html/rf6d7ffae2b940114324e036b6394beadf27696d051ae0c4a5edf07af@3Cissues.lucene.apache.org3E https://www.oracle.com/security-alerts/cpuoct2020.html

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction Required

LOW

Scope

NONE

Confidentiality Impact

UNCHANGED

Integrity Impact

HIGH

Availability Impact

HIGH

Base Score

HIGH

Base Severity

7.5