ID CVE-2017-12629
Summary Remote code execution occurs in Apache Solr before 7.1 with Apache Lucene before 7.1 by exploiting XXE in conjunction with use of a Config API add-listener command to reach the RunExecutableListener class. Elasticsearch, although it uses Lucene, is NOT vulnerable to this. Note that the XML external entity expansion vulnerability occurs in the XML Query Parser which is available, by default, for any query request with parameters deftype=xmlparser and can be exploited to upload malicious data to the /upload request handler or as Blind XXE using ftp wrapper in order to read arbitrary local files from the Solr server. Note also that the second vulnerability relates to remote code execution using the RunExecutableListener available on all affected versions of Solr.
References
Vulnerable Configurations
  • Apache Software Foundation Solr 5.5.0
    cpe:2.3:a:apache:solr:5.5.0
  • Apache Software Foundation Solr 5.5.1
    cpe:2.3:a:apache:solr:5.5.1
  • Apache Software Foundation Solr 5.5.2
    cpe:2.3:a:apache:solr:5.5.2
  • Apache Software Foundation Solr 5.5.3
    cpe:2.3:a:apache:solr:5.5.3
  • Apache Software Foundation Solr 5.5.4
    cpe:2.3:a:apache:solr:5.5.4
  • Apache Software Foundation Solr 6.0.0
    cpe:2.3:a:apache:solr:6.0.0
  • Apache Software Foundation Solr 6.0.1
    cpe:2.3:a:apache:solr:6.0.1
  • Apache Software Foundation Solr 6.1.0
    cpe:2.3:a:apache:solr:6.1.0
  • Apache Software Foundation Solr 6.2.0
    cpe:2.3:a:apache:solr:6.2.0
  • Apache Software Foundation Solr 6.2.1
    cpe:2.3:a:apache:solr:6.2.1
  • Apache Software Foundation Solr 6.3.0
    cpe:2.3:a:apache:solr:6.3.0
  • Apache Software Foundation Solr 6.4.0
    cpe:2.3:a:apache:solr:6.4.0
  • Apache Software Foundation Solr 6.4.1
    cpe:2.3:a:apache:solr:6.4.1
  • Apache Software Foundation Solr 6.4.2
    cpe:2.3:a:apache:solr:6.4.2
  • Apache Software Foundation Solr 6.5.0
    cpe:2.3:a:apache:solr:6.5.0
  • Apache Software Foundation Solr 6.5.1
    cpe:2.3:a:apache:solr:6.5.1
  • Apache Software Foundation Solr 6.6.0
    cpe:2.3:a:apache:solr:6.6.0
  • Apache Software Foundation Solr 6.6.1
    cpe:2.3:a:apache:solr:6.6.1
  • Apache Software Foundation Solr 7.0.0
    cpe:2.3:a:apache:solr:7.0.0
  • Apache Software Foundation Solr 7.0.1
    cpe:2.3:a:apache:solr:7.0.1
  • cpe:2.3:a:apache:lucene:7.0.1
    cpe:2.3:a:apache:lucene:7.0.1
CVSS
Base: 7.5
Impact:
Exploitability:
CWE CWE-611
CAPEC
exploit-db via4
description Apache Solr 7.0.1 - XML External Entity Expansion / Remote Code Execution. CVE-2017-12629. Webapps exploit for XML platform
file exploits/xml/webapps/43009.txt
id EDB-ID:43009
last seen 2017-10-17
modified 2017-10-17
platform xml
port
published 2017-10-17
reporter Exploit-DB
source https://www.exploit-db.com/download/43009/
title Apache Solr 7.0.1 - XML External Entity Expansion / Remote Code Execution
type webapps
nessus via4
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2018-0005.NASL
    description An update for eap7-jboss-ec2-eap is now available for Red Hat JBoss Enterprise Application Platform 7.0 for Red Hat Enterprise Linux 6 and Red Hat JBoss Enterprise Application Platform 7.0 for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The eap7-jboss-ec2-eap packages provide scripts for Red Hat JBoss Enterprise Application Platform running on the Amazon Web Services (AWS) Elastic Compute Cloud (EC2). With this update, the eap7-jboss-ec2-eap package has been updated to ensure compatibility with Red Hat JBoss Enterprise Application Platform 7.0.9. Refer to the JBoss Enterprise Application Platform 7.0.9 Release Notes, linked to in the References section, for information on the most significant bug fixes and enhancements included in this release. Security Fix(es) : * It was found that Apache Lucene would accept an object from an unauthenticated user that could be manipulated through subsequent post requests. An attacker could use this flaw to assemble an object that could permit execution of arbitrary code if the server enabled Apache Solr's Config API. (CVE-2017-12629) * It was discovered that the jboss init script performed unsafe file handling which could result in local privilege escalation. (CVE-2017-12189) * It was found that GZIPInterceptor is enabled when not necessarily required in RESTEasy. An attacker could use this flaw to launch a Denial of Service attack. (CVE-2016-6346) * It was found that the fix for CVE-2017-2666 was incomplete and invalid characters are still allowed in the query string and path parameters. This could be exploited, in conjunction with a proxy that also permitted the invalid characters but with a different interpretation, to inject data into the HTTP response. By manipulating the HTTP response the attacker could poison a web-cache, perform an XSS attack, or obtain sensitive information from requests other than their own. (CVE-2017-7559) * It was discovered that the CORS Filter did not add an HTTP Vary header indicating that the response varies depending on Origin. This permitted client and server side cache poisoning in some circumstances. (CVE-2017-7561) * It was found that properties based files of the management and the application realm configuration that contain user to role mapping are world readable allowing access to users and roles information to all the users logged in to the system. (CVE-2017-12167) * It was discovered that Undertow processes http request headers with unusual whitespaces which can cause possible http request smuggling. (CVE-2017-12165) Red Hat would like to thank Mikhail Egorov (Odin) for reporting CVE-2016-6346. The CVE-2017-7559 and CVE-2017-12165 issues were discovered by Stuart Douglas (Red Hat); the CVE-2017-7561 issue was discovered by Jason Shepherd (Red Hat Product Security); and the CVE-2017-12167 issue was discovered by Brian Stansberry (Red Hat) and Jeremy Choi (Red Hat).
    last seen 2019-02-21
    modified 2018-12-20
    plugin id 105522
    published 2018-01-04
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=105522
    title RHEL 6 / 7 : eap7-jboss-ec2-eap (RHSA-2018:0005)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2018-0004.NASL
    description An update is now available for Red Hat JBoss Enterprise Application Platform 7.0 for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Red Hat JBoss Enterprise Application Platform is a platform for Java applications based on the JBoss Application Server. This release of Red Hat JBoss Enterprise Application Platform 7.0.9 serves as a replacement for Red Hat JBoss Enterprise Application Platform 7.0.8, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References. Security Fix(es) : * It was found that Apache Lucene would accept an object from an unauthenticated user that could be manipulated through subsequent post requests. An attacker could use this flaw to assemble an object that could permit execution of arbitrary code if the server enabled Apache Solr's Config API. (CVE-2017-12629) * It was discovered that the jboss init script performed unsafe file handling which could result in local privilege escalation. (CVE-2017-12189) * It was found that GZIPInterceptor is enabled when not necessarily required in RESTEasy. An attacker could use this flaw to launch a Denial of Service attack. (CVE-2016-6346) * It was found that the fix for CVE-2017-2666 was incomplete and invalid characters are still allowed in the query string and path parameters. This could be exploited, in conjunction with a proxy that also permitted the invalid characters but with a different interpretation, to inject data into the HTTP response. By manipulating the HTTP response the attacker could poison a web-cache, perform an XSS attack, or obtain sensitive information from requests other than their own. (CVE-2017-7559) * It was discovered that the CORS Filter did not add an HTTP Vary header indicating that the response varies depending on Origin. This permitted client and server side cache poisoning in some circumstances. (CVE-2017-7561) * It was found that properties based files of the management and the application realm configuration that contain user to role mapping are world readable allowing access to users and roles information to all the users logged in to the system. (CVE-2017-12167) * It was discovered that Undertow processes http request headers with unusual whitespaces which can cause possible http request smuggling. (CVE-2017-12165) Red Hat would like to thank Mikhail Egorov (Odin) for reporting CVE-2016-6346. The CVE-2017-7559 and CVE-2017-12165 issues were discovered by Stuart Douglas (Red Hat); the CVE-2017-7561 issue was discovered by Jason Shepherd (Red Hat Product Security); and the CVE-2017-12167 issue was discovered by Brian Stansberry (Red Hat) and Jeremy Choi (Red Hat).
    last seen 2019-02-21
    modified 2018-12-20
    plugin id 105560
    published 2018-01-04
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=105560
    title RHEL 7 : JBoss EAP (RHSA-2018:0004)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-4124.NASL
    description Two vulnerabilities have been found in Solr, a search server based on Lucene, which could result in the execution of arbitrary code or path traversal.
    last seen 2019-02-21
    modified 2018-11-13
    plugin id 107024
    published 2018-02-28
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=107024
    title Debian DSA-4124-1 : lucene-solr - security update
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2018-0002.NASL
    description An update is now available for Red Hat JBoss Enterprise Application Platform 7.0 for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Red Hat JBoss Enterprise Application Platform is a platform for Java applications based on the JBoss Application Server. This release of Red Hat JBoss Enterprise Application Platform 7.0.9 serves as a replacement for Red Hat JBoss Enterprise Application Platform 7.0.8, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References. Security Fix(es) : * It was found that Apache Lucene would accept an object from an unauthenticated user that could be manipulated through subsequent post requests. An attacker could use this flaw to assemble an object that could permit execution of arbitrary code if the server enabled Apache Solr's Config API. (CVE-2017-12629) * It was discovered that the jboss init script performed unsafe file handling which could result in local privilege escalation. (CVE-2017-12189) * It was found that GZIPInterceptor is enabled when not necessarily required in RESTEasy. An attacker could use this flaw to launch a Denial of Service attack. (CVE-2016-6346) * It was found that the fix for CVE-2017-2666 was incomplete and invalid characters are still allowed in the query string and path parameters. This could be exploited, in conjunction with a proxy that also permitted the invalid characters but with a different interpretation, to inject data into the HTTP response. By manipulating the HTTP response the attacker could poison a web-cache, perform an XSS attack, or obtain sensitive information from requests other than their own. (CVE-2017-7559) * It was discovered that the CORS Filter did not add an HTTP Vary header indicating that the response varies depending on Origin. This permitted client and server side cache poisoning in some circumstances. (CVE-2017-7561) * It was found that properties based files of the management and the application realm configuration that contain user to role mapping are world readable allowing access to users and roles information to all the users logged in to the system. (CVE-2017-12167) * It was discovered that Undertow processes http request headers with unusual whitespaces which can cause possible http request smuggling. (CVE-2017-12165) Red Hat would like to thank Mikhail Egorov (Odin) for reporting CVE-2016-6346. The CVE-2017-7559 and CVE-2017-12165 issues were discovered by Stuart Douglas (Red Hat); the CVE-2017-7561 issue was discovered by Jason Shepherd (Red Hat Product Security); and the CVE-2017-12167 issue was discovered by Brian Stansberry (Red Hat) and Jeremy Choi (Red Hat).
    last seen 2019-02-21
    modified 2018-12-20
    plugin id 105559
    published 2018-01-04
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=105559
    title RHEL 6 : JBoss EAP (RHSA-2018:0002)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2017-005F8F7F7D.NASL
    description Security fix for CVE-2017-12629 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-02-02
    plugin id 104343
    published 2017-11-02
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=104343
    title Fedora 25 : lucene (2017-005f8f7f7d)
  • NASL family FreeBSD Local Security Checks
    NASL id FREEBSD_PKG_E837390D0CEB46B89B3229C1195F5DC7.NASL
    description Solr developers report : Lucene XML parser does not explicitly prohibit doctype declaration and expansion of external entities which leads to arbitrary HTTP requests to the local SOLR instance and to bypass all firewall restrictions. Solr 'RunExecutableListener' class can be used to execute arbitrary commands on specific events, for example after each update query. The problem is that such listener can be enabled with any parameters just by using Config API with add-listener command.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 103843
    published 2017-10-16
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=103843
    title FreeBSD : solr -- Code execution via entity expansion (e837390d-0ceb-46b8-9b32-29c1195f5dc7)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2017-195E7EA9A8.NASL
    description Security fix for CVE-2017-12629 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-02-02
    plugin id 105826
    published 2018-01-15
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=105826
    title Fedora 27 : lucene4 (2017-195e7ea9a8)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2017-3123.NASL
    description A security update is now available for Red Hat JBoss Enterprise Application Platform 7 for Red Hat Enterprise Linux 6 and 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. [Updated 6th November 2017] Previously, this erratum was marked as having a security impact of Critical. This was incorrect; Red Hat JBoss Enterprise Application Platform 7 was affected with a security impact of Moderate. This advisory has been updated to that effect. Red Hat JBoss Enterprise Application Platform is a platform for Java applications based on the JBoss Application Server. This asynchronous patch is a security update for lucene package in Red Hat JBoss Enterprise Application Platform 7.0.8. Security Fix(es) : * It was found that Apache Lucene would accept an object from an unauthenticated user that could be manipulated through subsequent post requests. An attacker could use this flaw to assemble an object that could permit execution of arbitrary code if the server enabled Apache Solr's Config API. (CVE-2017-12629) For more information regarding CVE-2017-12629, see the article linked in the references section.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 104457
    published 2017-11-08
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=104457
    title RHEL 6 / 7 : JBoss EAP (RHSA-2017:3123)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2017-9B3E2904BF.NASL
    description Security fix for CVE-2017-12629 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-02-02
    plugin id 105935
    published 2018-01-15
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=105935
    title Fedora 27 : lucene (2017-9b3e2904bf)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DLA-1254.NASL
    description Michael Stepankin and Olga Barinova discovered a remote code execution vulnerability in Apache Solr by exploiting XML External Entity processing (XXE) in conjunction with use of a Config API add-listener command to reach the RunExecutableListener class. To resolve this issue the RunExecutableListener class has been removed and resolving of external entities in the CoreParser class disallowed. For Debian 7 'Wheezy', these problems have been fixed in version 3.6.0+dfsg-1+deb7u3. We recommend that you upgrade your lucene-solr packages. NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-07-13
    plugin id 106210
    published 2018-01-22
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=106210
    title Debian DLA-1254-1 : lucene-solr security update
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2017-F1535B86FA.NASL
    description Security fix for CVE-2017-12629 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-02-02
    plugin id 104833
    published 2017-11-29
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=104833
    title Fedora 25 : lucene4 (2017-f1535b86fa)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2017-0929E71B41.NASL
    description Security fix for CVE-2017-12629 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-02-02
    plugin id 104821
    published 2017-11-29
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=104821
    title Fedora 26 : lucene4 (2017-0929e71b41)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2017-C7BDF540B4.NASL
    description Security fix for CVE-2017-12629 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-02-02
    plugin id 104315
    published 2017-11-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=104315
    title Fedora 26 : lucene (2017-c7bdf540b4)
  • NASL family CGI abuses
    NASL id SOLR_7_1_0.NASL
    description The version of Apache Solr running on the remote web server is affected by multiple vulnerabilities as referenced in the advisory.
    last seen 2019-02-21
    modified 2018-11-15
    plugin id 104353
    published 2017-11-02
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=104353
    title Apache Solr 5.x < 5.5.5 / 6.x < 6.6.2 / 7.x < 7.1.0 Multiple Vulnerabilities
packetstorm via4
data source https://packetstormsecurity.com/files/download/144678/apachesolr701-xxe.txt
id PACKETSTORM:144678
last seen 2017-10-21
published 2017-10-18
reporter Michael Stepankin
source https://packetstormsecurity.com/files/144678/Apache-Solr-7.0.1-XXE-Injection-Code-Execution.html
title Apache Solr 7.0.1 XXE Injection / Code Execution
redhat via4
advisories
  • rhsa
    id RHSA-2017:3123
  • rhsa
    id RHSA-2017:3124
  • rhsa
    id RHSA-2017:3244
  • rhsa
    id RHSA-2017:3451
  • rhsa
    id RHSA-2017:3452
  • rhsa
    id RHSA-2018:0002
  • rhsa
    id RHSA-2018:0003
  • rhsa
    id RHSA-2018:0004
  • rhsa
    id RHSA-2018:0005
refmap via4
bid 101261
debian DSA-4124
misc
mlist
  • [debian-lts-announce] 20180121 [SECURITY] [DLA 1254-1] lucene-solr security update
  • [lucene-dev] 20171012 Re: Several critical vulnerabilities discovered in Apache Solr (XXE & RCE)
  • [www-announce] 20171019 [SECURITY] CVE-2017-12629: Several critical vulnerabilities discovered in Apache Solr (XXE & RCE)
Last major update 14-10-2017 - 19:29
Published 14-10-2017 - 19:29
Last modified 28-02-2018 - 21:29