CVE-2017-12629

Published: 14/10/2017 Updated: 01/03/2018
CVSS v2 Base Score: 7.5 | Impact Score: 6.4 | Exploitability Score: 10
CVSS v3 Base Score: 9.8 | Impact Score: 5.9 | Exploitability Score: 3.9
VMScore: 756
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

Vulnerability Summary

Remote code execution occurs in Apache Solr prior to 7.1 with Apache Lucene prior to 7.1 by exploiting XXE in conjunction with a Config API add-listener command to reach the RunExecutableListener class. Elasticsearch, although it uses Lucene, is NOT vulnerable to this. Note that the XML external entity expansion vulnerability occurs in the XML Query Parser, which is available by default for any query request with the parameter deftype=xmlparser, and can be exploited to upload malicious data to the /upload request handler or, as blind XXE using the ftp wrapper, to read arbitrary local files from the Solr server. Note also that the second vulnerability relates to remote code execution using the RunExecutableListener, which is available on all affected versions of Solr.

Affected Products

Vendor: Apache
Product: Solr
Versions: 5.5.0, 5.5.1, 5.5.2, 5.5.3, 5.5.4, 6.0.0, 6.0.1, 6.1.0, 6.2.0, 6.2.1, 6.3.0, 6.4.0, 6.4.1, 6.4.2, 6.5.0, 6.5.1, 6.6.0, 6.6.1, 7.0.0, 7.0.1

Vendor Advisories

Synopsis: Moderate: Red Hat JBoss Enterprise Application Platform 7.0 security update. Type/Severity: Security Advisory: Moderate. Topic: A security update is now available for Red Hat JBoss Enterprise Application Platform 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A ...
Synopsis: Moderate: Red Hat JBoss Enterprise Application Platform security update. Type/Severity: Security Advisory: Moderate. Topic: A security update is now available for Red Hat JBoss Enterprise Application Platform 7 for Red Hat Enterprise Linux 6 and 7. Red Hat Product Security has rated this update as having ...
Synopsis: Moderate: rh-java-common-lucene5 security update. Type/Severity: Security Advisory: Moderate. Topic: An update for rh-java-common-lucene5 is now available for Red Hat Software Collections. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scor ...
Synopsis: Moderate: rh-java-common-lucene security update. Type/Severity: Security Advisory: Moderate. Topic: An update for rh-java-common-lucene is now available for Red Hat Software Collections. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scorin ...
Synopsis: Important: Red Hat JBoss Data Grid 7.1.1 security update. Type/Severity: Security Advisory: Important. Topic: Red Hat JBoss Data Grid 7.1.1 is now available for download from the Customer Portal. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerabil ...
Debian Bug report logs - #867712 lucene-solr: CVE-2017-3163. Package: src:lucene-solr; Maintainer for src:lucene-solr is Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>; Reported by: Salvatore Bonaccorso <carnil@debian.org>; Date: Sat, 8 Jul 2017 20:51:01 UTC; Severity: important; Tags: security, ...
Two vulnerabilities have been found in Solr, a search server based on Lucene, which could result in the execution of arbitrary code or path traversal. For the oldstable distribution (jessie), these problems have been fixed in version 3.6.2+dfsg-5+deb8u1. For the stable distribution (stretch), these problems have been fixed in version 3.6.2+dfsg-10+ ...
Synopsis: Important: Red Hat JBoss Enterprise Application Platform 7.0.9 security update on RHEL 7. Type/Severity: Security Advisory: Important. Topic: An update is now available for Red Hat JBoss Enterprise Application Platform 7.0 for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as ...
Synopsis: Important: Red Hat JBoss Enterprise Application Platform 7.0.9 security update on RHEL 6. Type/Severity: Security Advisory: Important. Topic: An update is now available for Red Hat JBoss Enterprise Application Platform 7.0 for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as ...
It was found that Apache Lucene would accept an object from an unauthenticated user that could be manipulated through subsequent POST requests. An attacker could use this flaw to assemble an object that could permit execution of arbitrary code if the server enabled Apache Solr's Config API ...
Synopsis: Important: eap7-jboss-ec2-eap security update. Type/Severity: Security Advisory: Important. Topic: An update for eap7-jboss-ec2-eap is now available for Red Hat JBoss Enterprise Application Platform 7.0 for Red Hat Enterprise Linux 6 and Red Hat JBoss Enterprise Application Platform 7.0 for Red Hat Ent ...
Synopsis: Important: Red Hat JBoss Enterprise Application Platform 7.0.9 security update. Type/Severity: Security Advisory: Important. Topic: An update is now available for Red Hat JBoss Enterprise Application Platform. Red Hat Product Security has rated this update as having a security impact of Important. A Com ...

Exploits

First Vulnerability: XML External Entity Expansion (deftype=xmlparser). Lucene includes a query parser that is able to create the full spectrum of Lucene queries, using an XML data structure. Starting from version 5.1, Solr supports the "xml" query parser in the search query. The problem is that the Lucene XML parser does not explicitly prohibit doctype d ...

Github Repositories

Implementations of some vulnerabilities in platforms such as Nagios, Zabbix and Solr: Nagios Core (CVE-2016-9565), Apache Solr XXE (CVE-2017-12629), Apache Solr RCE (CVE-2017-12629), Zabbix RCE (CVE-2017-2824), Zabbix 2.0 SQL Injection; environment setup, analysis and exploit for each vulnerability.

Apache Solr Injection Research Table of Contents Introduction Solr API quick overview Apache Solr Injection Solr Parameters Injection (HTTP smuggling) Exploitation examples Solr Local Parameters Injection Ways to RCE [CVE-2017-12629] Remote Code Execution via RunExecutableListener [CVE-2019-0192] Deserialization of untrusted data via jmxserviceUrl Attack via deseriali

ActiveScan++ ActiveScan++ extends Burp Suite's active and passive scanning capabilities Designed to add minimal network overhead, it identifies application behaviour that may be of interest to advanced testers: Potential host header attacks (password reset poisoning, cache poisoning, DNS rebinding) Edge Side Includes XML input handling Suspicious input transformation (eg

My vulnerability reproduction log (continuously updated). Columns: CVE-NO, STATUS, RESULT, REFERENCE. Middleware vulnerabilities: Tomcat 7086 CVE-2016-5003 FINISH FAIL 0ang3el.blogspot.ru/2016/07/beware-of-ws-xmlrpc-library-in-your.html; CVE-2016-5002 FINISH PASS 0ang3el.blogspot.ru/2016/07/beware-of-ws-xmlrpc-library-in-your.html; 8036 CVE-2016-8735 FINISH PASS gv7.me/articles

Recent Articles

Coinminer Campaigns Target Redis, Apache Solr, and Windows Servers
BleepingComputer • Catalin Cimpanu • 10 Mar 2018

Windows Server, Apache Solr, and Redis servers have been targeted this week by cyber-criminals looking to take over unpatched machines and install malware that mines cryptocurrency (known as a coinminer).
Two separate campaigns have been spotted, both very active this week. One by the Imperva crew, targeting Redis and Windows Servers, and another by the ISC SANS team, targeting Apache Solr installations.
The more active of the two was a campaign that Imperva nicknamed RedisWannaMine....