Attacker Value
Unknown
(0 users assessed)
Exploitability
Unknown
(0 users assessed)
User Interaction
None
Privileges Required
None
Attack Vector
Network
0

CVE-2017-12629

Disclosure Date: October 14, 2017
CVE-2017-12629 CVSS v3 Base Score: 9.8
Add MITRE ATT&CK tactics and techniques that apply to this CVE.

Description

Remote code execution occurs in Apache Solr before 7.1 with Apache Lucene before 7.1 by exploiting XXE in conjunction with use of a Config API add-listener command to reach the RunExecutableListener class. Elasticsearch, although it uses Lucene, is NOT vulnerable to this. Note that the XML external entity expansion vulnerability occurs in the XML Query Parser which is available, by default, for any query request with parameters deftype=xmlparser and can be exploited to upload malicious data to the /upload request handler or as Blind XXE using ftp wrapper in order to read arbitrary local files from the Solr server. Note also that the second vulnerability relates to remote code execution using the RunExecutableListener available on all affected versions of Solr.

Add Assessment

No one has assessed this topic. Be the first to add your voice to the community.

CVSS V3 Severity and Metrics
Base Score:
9.8 Critical
Impact Score:
5.9
Exploitability Score:
3.9
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector (AV):
Network
Attack Complexity (AC):
Low
Privileges Required (PR):
None
User Interaction (UI):
None
Scope (S):
Unchanged
Confidentiality (C):
High
Integrity (I):
High
Availability (A):
High

General Information

Offensive Application
Unknown
Utility Class
Unknown
Ports
Unknown
OS
Unknown
Vulnerable Versions
Apache Solr before 7.1 with Apache Lucene before 7.1
Apache Solr before 7.1 with Apache Lucene before 7.1 7.1.0
Apache Solr before 7.1 with Apache Lucene before 7.1 6.6.2
Apache Solr before 7.1 with Apache Lucene before 7.1 5.5.5
Apache Solr before 7.1 with Apache Lucene before 7.1 7.2.0
Apache Solr before 7.1 with Apache Lucene before 7.1 8.0.0
Apache Solr before 7.1 with Apache Lucene before 7.1 5.3.1-redhat-2
Prerequisites
Unknown
Discovered By
Unknown
PoC Author
Unknown
Metasploit Module
Unknown
Reporter
Unknown

Vendors

  • apache,
  • canonical,
  • debian,
  • redhat

Products

  • debian linux 7.0,
  • debian linux 8.0,
  • debian linux 9.0,
  • jboss enterprise application platform 7.0.0,
  • jboss enterprise application platform 7.1.0,
  • solr,
  • ubuntu linux 16.04

References

Canonical
CVE-2017-12629 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12629)
BID-101261 (http://www.securityfocus.com/bid/101261)
Advisory
https://access.redhat.com/errata/RHSA-2017:3451
[lucene-dev] 20171012 Re: Several critical vulnerabilities discovered in Apache Solr (XXE & RCE) (https://s.apache.org/FJDl)
https://access.redhat.com/errata/RHSA-2018:0002
https://access.redhat.com/errata/RHSA-2018:0004
https://access.redhat.com/errata/RHSA-2017:3452
[debian-lts-announce] 20180121 [SECURITY] [DLA 1254-1] lucene-solr security update (https://lists.debian.org/debian-lts-announce/2018/01/msg00028.html)
EXPLOIT-DB-43009 (https://www.exploit-db.com/exploits/43009)
https://access.redhat.com/errata/RHSA-2018:0003
https://access.redhat.com/errata/RHSA-2017:3123
https://access.redhat.com/errata/RHSA-2018:0005
https://access.redhat.com/errata/RHSA-2017:3244
https://access.redhat.com/errata/RHSA-2017:3124
[www-announce] 20171019 [SECURITY] CVE-2017-12629: Several critical vulnerabilities discovered in Apache Solr (XXE & RCE) (http://mail-archives.us.apache.org/mod_mbox/www-announce/201710.mbox/%3CCAOOKt51UO_6Vy%3Dj8W%3Dx1pMbLW9VJfZyFWz7pAnXJC_OAdSZubA%40mail.gmail.com%3E)
DSA-4124 (https://www.debian.org/security/2018/dsa-4124)
USN-4259-1 (https://usn.ubuntu.com/4259-1)
EXPLOIT-DB-43009 (https://www.exploit-db.com/exploits/43009/)
USN-4259-1 (https://usn.ubuntu.com/4259-1/)
[solr-users] 20210618 CVE-2021-27905 Apache Solr ReplicationHandler/SSRF vulnerability (https://lists.apache.org/thread.html/r95df34bb158375948da82b4dfe9a1b5d528572d586584162f8f5aeef@%3Cusers.solr.apache.org%3E)
[solr-users] 20210618 Re: CVE-2021-27905 Apache Solr ReplicationHandler/SSRF vulnerability (https://lists.apache.org/thread.html/r140128dc6bb4f4e0b6a39e962c7ca25a8cbc8e48ed766176c931fccc@%3Cusers.solr.apache.org%3E)
[solr-users] 20210728 Re: CVE-2021-27905 Apache Solr ReplicationHandler/SSRF vulnerability (https://lists.apache.org/thread.html/r3da74965aba2b5f5744b7289ad447306eeb2940c872801819faa9314@%3Cusers.solr.apache.org%3E)
[jackrabbit-oak-issues] 20210817 [jira] [Created] (OAK-9537) Security vulnerability in org/apache/lucene/queryparser/xml/CoreParser.java (https://lists.apache.org/thread.html/r26c996b068ef6c5e89aa59acb769025cfd343a08e63fbe9e7f3f720f@%3Coak-issues.jackrabbit.apache.org%3E)
Miscellaneous
https://twitter.com/ApacheSolr/status/918731485611401216
https://twitter.com/searchtools_avi/status/918904813613543424
http://openwall.com/lists/oss-security/2017/10/13/1
https://twitter.com/joshbressers/status/919258716297420802

Additional Info

Authenticated
Unknown
Exploitable
Unknown
Reliability
Unknown
Stability
Unknown
Available Mitigations
Unknown
Shelf Life
Unknown
Userbase/Installbase
Unknown
Patch Effectiveness
Unknown
Technical Analysis