CVSSv3 9.8

CVE-2017-12629

Published: 14/10/2017 Updated: 07/11/2023
CVSS v2 Base Score: 7.5 | Impact Score: 6.4 | Exploitability Score: 10
CVSS v3 Base Score: 9.8 | Impact Score: 5.9 | Exploitability Score: 3.9
VMScore: 757
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

Vulnerability Summary

Remote code execution occurs in Apache Solr prior to 7.1 with Apache Lucene prior to 7.1 by exploiting an XXE in conjunction with a Config API add-listener command to reach the RunExecutableListener class. Elasticsearch, although it uses Lucene, is NOT vulnerable to this. Note that the XML external entity expansion vulnerability occurs in the XML Query Parser, which is available by default for any query request with the parameter deftype=xmlparser, and can be exploited to upload malicious data to the /upload request handler or as Blind XXE using the ftp wrapper in order to read arbitrary local files from the Solr server. Note also that the second vulnerability relates to remote code execution using the RunExecutableListener, which is available on all affected versions of Solr.

Vulnerable Products

apache solr

redhat jboss_enterprise_application_platform 7.0.0

redhat jboss_enterprise_application_platform 7.1.0

debian debian linux 8.0

debian debian linux 7.0

debian debian linux 9.0

canonical ubuntu linux 16.04

Vendor Advisories

Debian Bug report logs - #867712 lucene-solr: CVE-2017-3163. Package: src:lucene-solr; Maintainer for src:lucene-solr is Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>; Reported by: Salvatore Bonaccorso <carnil@debian.org>; Date: Sat, 8 Jul 2017 20:51:01 UTC; Severity: important; Tags: security, ...
Apache Solr could be made to run programs if it received specially crafted network traffic ...
Two vulnerabilities have been found in Solr, a search server based on Lucene, which could result in the execution of arbitrary code or path traversal. For the oldstable distribution (jessie), these problems have been fixed in version 3.6.2+dfsg-5+deb8u1. For the stable distribution (stretch), these problems have been fixed in version 3.6.2+dfsg-10+ ...
Synopsis: Important: Red Hat JBoss Enterprise Application Platform 7.0.9 security update on RHEL 6. Type/Severity: Security Advisory: Important. Topic: An update is now available for Red Hat JBoss Enterprise Application Platform 7.0 for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as ...
Synopsis: Important: Red Hat JBoss Enterprise Application Platform 7.0.9 security update. Type/Severity: Security Advisory: Important. Topic: An update is now available for Red Hat JBoss Enterprise Application Platform. Red Hat Product Security has rated this update as having a security impact of Important. A Com ...
Synopsis: Important: Red Hat JBoss Data Grid 7.1.1 security update. Type/Severity: Security Advisory: Important. Topic: Red Hat JBoss Data Grid 7.1.1 is now available for download from the Customer Portal. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerabil ...
Synopsis: Critical: EAP Continuous Delivery Technical Preview Release 12 security update. Type/Severity: Security Advisory: Critical. Topic: This is a security update for JBoss EAP Continuous Delivery 12.0. Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerabil ...
Synopsis: Important: eap7-jboss-ec2-eap security update. Type/Severity: Security Advisory: Important. Topic: An update for eap7-jboss-ec2-eap is now available for Red Hat JBoss Enterprise Application Platform 7.0 for Red Hat Enterprise Linux 6 and Red Hat JBoss Enterprise Application Platform 7.0 for Red Hat Ent ...
Synopsis: Important: Red Hat JBoss Enterprise Application Platform 7.0.9 security update on RHEL 7. Type/Severity: Security Advisory: Important. Topic: An update is now available for Red Hat JBoss Enterprise Application Platform 7.0 for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as ...
Synopsis: Moderate: rh-java-common-lucene5 security update. Type/Severity: Security Advisory: Moderate. Topic: An update for rh-java-common-lucene5 is now available for Red Hat Software Collections. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scor ...
Synopsis: Moderate: rh-java-common-lucene security update. Type/Severity: Security Advisory: Moderate. Topic: An update for rh-java-common-lucene is now available for Red Hat Software Collections. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scorin ...
Synopsis: Moderate: Red Hat JBoss Enterprise Application Platform 7.0 security update. Type/Severity: Security Advisory: Moderate. Topic: A security update is now available for Red Hat JBoss Enterprise Application Platform 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A ...
Synopsis: Critical: Red Hat Process Automation Manager 7.13.2 security update. Type/Severity: Security Advisory: Critical. Topic: An update is now available for Red Hat Process Automation Manager. Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gi ...
Synopsis: Moderate: Red Hat JBoss Enterprise Application Platform security update. Type/Severity: Security Advisory: Moderate. Topic: A security update is now available for Red Hat JBoss Enterprise Application Platform 7 for Red Hat Enterprise Linux 6 and 7. Red Hat Product Security has rated this update as having ...
It was found that Apache Lucene would accept an object from an unauthenticated user that could be manipulated through subsequent POST requests. An attacker could use this flaw to assemble an object that could permit execution of arbitrary code if the server enabled Apache Solr's Config API ...

Exploits

First Vulnerability: XML External Entity Expansion (deftype=xmlparser). Lucene includes a query parser that is able to create the full spectrum of Lucene queries using an XML data structure. Starting from version 5.1, Solr supports the "xml" query parser in the search query. The problem is that the Lucene XML parser does not explicitly prohibit doctype d ...

Github Repositories

A simple web vulnerability scanner (for study only)

Siren Intro: Siren is a simple (read: junk) web vulnerability scanner (for study only; the author's computer networking course project). Siren is the sea nymph of Greek myth, with a human head and a bird's body, who lures sailors onto the rocks or into dangerous waters with her beautiful song. In Homer's epic, when Odysseus was about to pass the island of the Sirens, he took precautions in advance on the advice of the goddess. He ordered ...

xray PoC scanner

Introduction: The xray PoC format went through a revision, which broke the previous PoC engine. Since I had done similar work before, I rewrote a PoC parsing tool for the xray PoC v2 format. xray v2 format: docs.xray.cool/#/guide/poc/v2. I am open-sourcing it here in the hope of exchanging ideas with others researching this area. Usage: build with go build -x -ldflags "-s -w" -o xray_poc

Apache Solr remote command execution vulnerability (CVE-2017-12629). For the vulnerability principle and analysis see: www.exploit-db.com/exploits/43009/ and paper.seebug.org/425/. Apache Solr is an open-source search server. Solr is written in Java and built mainly on HTTP and Apache Lucene. Roughly, documents are added over HTTP as XML to a search collection, and that collection is then queried ...

Apache Solr PoC CVE-2017-3164 CVE-2017-12629

Apache Solr PoC CVE-2017-3164 CVE-2017-12629. This folder contains example exploits for Apache Solr CVE-2017-3164 and CVE-2017-12629. To be used ONLY for education purposes and with full permission of the Apache Solr server owner. You will need to know the IP or DNS name of the Apache Solr server and the name of a Collection. CVE-2017-3164 Server Side Request Forgery in Apache Solr, v ...

Tool overview: dddd (带带弟弟) is an easy-to-use supply-chain vulnerability detection tool that supports multiple input formats and active/passive fingerprinting. It helps red-team operators quickly gather information, map target assets and find weak points. It supports pulling targets in bulk from Hunter and Fofa. Features: automatic recognition of multiple input types, including domains, IP ranges, IPs, URLs, IP:Port, Domain:Port, etc.

Implementations of some vulnerabilities in Nagios, Zabbix, Solr and other platforms

Implementations of some vulnerabilities in Nagios, Zabbix, Solr and other platforms: Nagios Core (CVE-2016-9565), Apache Solr XXE (CVE-2017-12629), Apache Solr RCE (CVE-2017-12629), Zabbix RCE (CVE-2017-2824), Zabbix 2.0 SQL injection. Environment setup, analysis and exploit for each vulnerability.

solr_hacktool: I did not look for an existing tool and wrote a small toy on a whim. It supports three vulnerabilities: 1. CVE-2017-12629 RCE (no echo); 2. CVE-2017-12629 XXE; 3. CVE-2019-17558 RCE.

References

CWE-611
https://twitter.com/searchtools_avi/status/918904813613543424
https://twitter.com/joshbressers/status/919258716297420802
https://twitter.com/ApacheSolr/status/918731485611401216
http://openwall.com/lists/oss-security/2017/10/13/1
http://www.securityfocus.com/bid/101261
https://www.exploit-db.com/exploits/43009/
https://s.apache.org/FJDl
http://mail-archives.us.apache.org/mod_mbox/www-announce/201710.mbox/%3CCAOOKt51UO_6Vy%3Dj8W%3Dx1pMbLW9VJfZyFWz7pAnXJC_OAdSZubA%40mail.gmail.com%3E
https://access.redhat.com/errata/RHSA-2017:3244
https://access.redhat.com/errata/RHSA-2017:3124
https://access.redhat.com/errata/RHSA-2017:3123
https://access.redhat.com/errata/RHSA-2017:3452
https://access.redhat.com/errata/RHSA-2017:3451
https://access.redhat.com/errata/RHSA-2018:0005
https://access.redhat.com/errata/RHSA-2018:0004
https://access.redhat.com/errata/RHSA-2018:0003
https://access.redhat.com/errata/RHSA-2018:0002
https://lists.debian.org/debian-lts-announce/2018/01/msg00028.html
https://www.debian.org/security/2018/dsa-4124
https://usn.ubuntu.com/4259-1/
https://lists.apache.org/thread.html/r95df34bb158375948da82b4dfe9a1b5d528572d586584162f8f5aeef%40%3Cusers.solr.apache.org%3E
https://lists.apache.org/thread.html/r140128dc6bb4f4e0b6a39e962c7ca25a8cbc8e48ed766176c931fccc%40%3Cusers.solr.apache.org%3E
https://lists.apache.org/thread.html/r3da74965aba2b5f5744b7289ad447306eeb2940c872801819faa9314%40%3Cusers.solr.apache.org%3E
https://lists.apache.org/thread.html/r26c996b068ef6c5e89aa59acb769025cfd343a08e63fbe9e7f3f720f%40%3Coak-issues.jackrabbit.apache.org%3E
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=867712
https://nvd.nist.gov