Apache Solr recently patched multiple XXE injection vulnerabilities and a directory traversal vulnerability.
283241697730163df45a2dba0aa6828858f6868f3b33129bdabe8c4bbf74fba4
Hello,
Apache Solr is search platform edited by the Apache project. Quoting
http://lucene.apache.org/solr/:"its major features include powerful
full-text search, hit highlighting, faceted search, near real-time
indexing, dynamic clustering, database integration, rich document (e.g.,
Word, PDF) handling, and geospatial search".
Several vulnerabilities were fixed in recent versions of Solr:
- directory traversal when using XSLT or Velocity templates
(CVE-2013-6397 / SOLR-4882)
- XXE in UpdateRequestHandler (CVE-2013-6407 / SOLR-3895)
- XXE in DocumentAnalysisRequestHandler (CVE-2013-6408 / SOLR-4881)
These vulnerabilities were confirmed to be exploitable also on old
versions like 3.6.2. Gaining remote code execution is easy by combining
the directory traversal and XXE vulnerabilities.
If you wonder how these vulnerabilities could be exploited in real life
setups when Solr isn't reachable directly from the Internet, you may be
interested in the following blog post:
http://www.agarri.fr/kom/archives/2013/11/27/compromising_an_unreachable_solr_server_with_cve-2013-6397/index.html
Cheers,
Nicolas Grégoire