Security Bulletin
Summary
IBM InfoSphere BigInsights 4.2.5 is affected by an Open Source (Solr) vulnerability (CVE-2017-12629)
Vulnerability Details
CVE-ID: CVE-2017-12629
Description: Remote code execution occurs in Apache Solr before 7.1 with Apache Lucene before 7.1 by exploiting XXE in conjunction with use of a Config API add-listener command to reach the RunExecutableListener class. Elasticsearch, although it uses Lucene, is NOT vulnerable to this. Note that the XML external entity expansion vulnerability occurs in the XML Query Parser which is available, by default, for any query request with parameters deftype=xmlparser and can be exploited to upload malicious data to the /upload request handler or as Blind XXE using ftp wrapper in order to read arbitrary local files from the Solr server. Note also that the second vulnerability relates to remote code execution using the RunExecutableListener available on all affected versions of Solr.
CVSS Base Score: 9.8
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/133524 for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Affected Products and Versions
| Principal Product and Version(s) | Affected Supporting Product and Version |
| --- | --- |
| IBM BigInsights 4.2.5 | IBM Open Platform 4.2.5 |
Workarounds and Mitigations
All Solr users are advised to restart their Solr instances with the system parameter `-Ddisable.configEdit=true`. This will disallow any changes otherwise made to configurations via the Config API. This is a key factor in this vulnerability since it allows GET requests to add the RunExecutableListener to the config. This workaround is sufficient to protect from this type of attack but means you cannot use the edit capabilities of the Config API until further fixes are in place. Additionally, the XML Query Parser should be mapped to a different class to ensure that it cannot be accessed through other attack vectors.
Disabling the Config Edit API
Ambari Infra Solr
1 Navigate to the Ambari Web UI and select the Ambari Infra service.
2 Expand the Advanced infra-solr-env configuration section.
3 Locate the infra-solr-env template property and scroll to the area of the template where the SOLR_OPTS variable is configured.
4 Add the following line after the last commented line referencing SOLR_OPTS:
SOLR_OPTS="$SOLR_OPTS -Ddisable.configEdit=true"
5 Save this version of the configuration and restart the Infra Solr Instance
HDP Search
1 Navigate to the Ambari Web UI and select the Solr service.
2 Expand the Advanced solr-config-env configuration section.
3 Locate the solr.in.sh template property and scroll to the area of the template where the SOLR_OPTS variable is configured.
4 Add the following line after the last commented line referencing SOLR_OPTS:
SOLR_OPTS="$SOLR_OPTS -Ddisable.configEdit=true"
5 Save this version of the configuration and restart the Solr service
Disabling the xmlparser Query Parser For Each Solr Collection managed by Ambari Infra
Ranger
1 Navigate to the Ambari Web UI and select the Ranger service.
2 Expand the Advanced ranger-solr-configuration configuration section.
3 Locate the solr-config template property and scroll to the area of the template where the <queryParser/> XML tags are referenced.
4 Add the following line in an uncommented area of this template. An uncommented area is in an area that is not surrounded by <!-- and --> tags:
<queryParser name="xmlparser" class="solr.ExtendedDismaxQParserPlugin" />
5 Save this version of the configuration and restart the Ranger Admin
Atlas
1 Navigate to the Ambari Web UI and select the Atlas service.
2 Expand the Advanced atlas-solrconfig configuration section.
3 Scroll to the area of the template where the <queryParser/> XML tags are referenced.
4 Add the following line in an uncommented area of this template. An uncommented area is in an area that is not surrounded by <!-- and --> tags:
<queryParser name="xmlparser" class="solr.ExtendedDismaxQParserPlugin" />
5 Save this version of the configuration and restart the Atlas Metadata Server
Log Search
1 Navigate to the Ambari Web UI and select the Log Search service.
2 Expand the Advanced logsearch-audit_logs-solrconfig configuration section.
3 Locate the Solrconfig template property and scroll to the area of the template where the <queryParser/> XML tags are referenced.
4 Scroll to the area of the template where the <queryParser/> XML tags are referenced.
5 Add the following line in an uncommented area of this template. An uncommented area is in an area that is not surrounded by <!-- and --> tags:
<queryParser name="xmlparser" class="solr.ExtendedDismaxQParserPlugin" />
6 Expand the Advanced logsearch-service_logs-solrconfig configuration section.
7 Locate the solrconfig template property and scroll to the area of the template where the <queryParser/> XML tags are referenced.
8 Scroll to the area of the template where the <queryParser/> XML tags are referenced.
9 Add the following line in an uncommented area of this template. An uncommented area is in an area that is not surrounded by <!-- and --> tags:
<queryParser name="xmlparser" class="solr.ExtendedDismaxQParserPlugin" />
10 Save this version of the configuration and restart the Log Search Server
Note: If using custom collections in HDP Search for your own use cases, please ensure the same queryParser changes are made to each collection you’ve created.
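The two mitigations above (the `-Ddisable.configEdit=true` system parameter in SOLR_OPTS, and remapping the `xmlparser` query parser to a different class in each collection's solrconfig) are easy to get subtly wrong: the line can end up inside a commented-out area, or a later SOLR_OPTS assignment can override it. The following audit script is an added example, not part of this bulletin or of IBM's or Apache's tooling. It checks both settings offline against the text of a solr.in.sh (or infra-solr-env) fragment and a solrconfig.xml. The sample inputs are constructed; the default class name `solr.XmlQParserPlugin` that Solr uses for `xmlparser` when no override is present is assumed from general Solr knowledge, and the "last matching entry wins" rule is a simplifying assumption of this script.

```python
import re
import xml.etree.ElementTree as ET

# Assumed: the built-in class Solr binds to the "xmlparser" query parser name.
DEFAULT_XMLPARSER_CLASS = "solr.XmlQParserPlugin"
CONFIG_EDIT_FLAG = "disable.configEdit"


def config_edit_disabled(solr_in_sh: str) -> bool:
    """True if the effective SOLR_OPTS chain sets -Ddisable.configEdit=true.

    Commented lines (leading '#') are skipped, and the LAST uncommented
    assignment of the flag wins, so a later '-Ddisable.configEdit=false'
    correctly reports the mitigation as absent (simplifying assumption).
    """
    effective = None
    for raw in solr_in_sh.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # e.g. '#SOLR_OPTS=...' template examples do not take effect
        m = re.match(r'(?:export\s+)?SOLR_OPTS=(.*)$', line)
        if not m:
            continue
        value = m.group(1).strip().strip('"\'')
        for token in value.split():
            if token.startswith("-D" + CONFIG_EDIT_FLAG + "="):
                effective = token.split("=", 1)[1].lower()
    return effective == "true"


def xmlparser_remapped(solrconfig_xml: str) -> bool:
    """True if an active <queryParser name="xmlparser"> points at a non-default class.

    ElementTree drops XML comments while parsing, so a remapping placed inside
    <!-- --> is invisible here, matching the bulletin's requirement that the
    line sit in an uncommented area. The last matching element is treated as
    the effective one (simplifying assumption).
    """
    root = ET.fromstring(solrconfig_xml)
    remapped = False
    for qp in root.iter("queryParser"):
        if qp.get("name") != "xmlparser":
            continue
        cls = qp.get("class", "")
        remapped = cls != "" and cls != DEFAULT_XMLPARSER_CLASS \
            and not cls.endswith(".XmlQParserPlugin")
    return remapped


def audit(solr_in_sh: str, solrconfig_xml: str) -> list:
    """Return a list of human-readable findings; empty means both mitigations are present."""
    findings = []
    if not config_edit_disabled(solr_in_sh):
        findings.append("Config API edits still enabled: add -Ddisable.configEdit=true to SOLR_OPTS")
    if not xmlparser_remapped(solrconfig_xml):
        findings.append("xmlparser still maps to the XML query parser: remap it in solrconfig.xml")
    return findings


# Constructed sample inputs (not taken from the bulletin).
SAMPLE_SOLR_IN_SH = """\
# Constructed solr.in.sh fragment
#SOLR_OPTS="$SOLR_OPTS -Dsolr.autoSoftCommit.maxTime=3000"
SOLR_OPTS="$SOLR_OPTS -Dsolr.clustering.enabled=true"
SOLR_OPTS="$SOLR_OPTS -Ddisable.configEdit=true"
"""

SAMPLE_SOLRCONFIG_FIXED = """\
<config>
  <!-- <queryParser name="xmlparser" class="solr.XmlQParserPlugin" /> -->
  <queryParser name="xmlparser" class="solr.ExtendedDismaxQParserPlugin" />
</config>
"""

SAMPLE_SOLRCONFIG_UNFIXED = """\
<config>
  <!-- mitigation line accidentally left inside a comment block -->
  <!-- <queryParser name="xmlparser" class="solr.ExtendedDismaxQParserPlugin" /> -->
</config>
"""

if __name__ == "__main__":
    for label, cfg in (("fixed", SAMPLE_SOLRCONFIG_FIXED), ("unfixed", SAMPLE_SOLRCONFIG_UNFIXED)):
        print(label, audit(SAMPLE_SOLR_IN_SH, cfg) or "OK")
```

Run it against the real files by reading them instead of the constructed samples; an empty findings list means both the SOLR_OPTS flag and the collection-level remapping are in effect, while the unfixed sample shows how a remapping left inside an XML comment is reported as missing.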
References
Change History
30 November 2017: Original Version Published
*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.
Disclaimer
Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.
Document Information
Modified date:
18 July 2020
UID
swg22010462