SB2021041303 - Multiple vulnerabilities in Apache Solr

Description

This security bulletin contains information about 3 secuirty vulnerabilities.

1) Server-Side Request Forgery (SSRF) (CVE-ID: CVE-2021-27905)

The disclosed vulnerability allows a remote attacker to perform SSRF attacks.

The vulnerability exists due to insufficient validation of user-supplied input passed via the "masterUrl" or "leaderUrl" parameters to "/replication" URL. A remote attacker can send a specially crafted HTTP request and trick the application to initiate requests to arbitrary systems.

Successful exploitation of this vulnerability may allow a remote attacker gain access to sensitive data, located in the local network or send malicious requests to other servers from the vulnerable system.

2) Improper Authorization (CVE-ID: CVE-2021-29943)

The vulnerability allows a remote user to gain access to otherwise restricted functionality.

The vulnerability exists in ConfigurableInternodeAuthHadoopPlugin implementation. Apache Solr forwards distributed requests using server credentials instead of original client credentials. A remote user can abuse such behavior to gain access to otherwise restricted functionality.

3) Improper access control (CVE-ID: CVE-2021-29262)

The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.

The vulnerability exists due to improper access restrictions. When starting Apache Solr, configured with the SaslZkACLProvider or VMParamsAllAndReadonlyDigestZkACLProvider and no existing security.json znode, if the optional read-only user is configured then Solr would not treat that node as a sensitive path and would allow it to be readable.

Remediation

Install update from vendor's website.

References

• http://seclists.org/oss-sec/2021/q2/19
• http://seclists.org/oss-sec/2021/q2/17
• http://seclists.org/oss-sec/2021/q2/18