Flashes (Alerts)
Abstract
IBM Technical Support would like to make you aware of a potential issue that you may encounter. Below are the details. Please see and take action accordingly. (CVE-2017-12629)
Content
COMPONENT: Ambari Infra Solr (Ambari 2.4.x, Ambari 2.5.x), HDP Search (All Versions)
VERSION: Solr 5.5.x included in all versions of Ambari Infra, and HDP Search
REFERENCE: CVE-2017-12629
PROBLEM: An XML External Entity (XXE) and Remote Code Execution (RCE) vulnerability has been identified in Apache Solr.
IMPACT: The CoreParser class in Lucene, which backs Solr's XML query parser (`xmlparser`), accepts a DOCTYPE declaration and expands external entities. An attacker can use this flaw to bypass security restrictions and read sensitive data from the server. Additionally, a vulnerable server that also exposes the RunExecutableListener class through Solr's Config API allows an attacker to register a listener that runs an arbitrary command, giving direct access to the server and arbitrary code execution.
SOLUTION: Until fixed versions are available, restart all Solr instances with the JVM system parameter `-Ddisable.configEdit=true`. This disallows any change to configurations via the Config API, which is a key factor in this vulnerability, since the vulnerability allows GET requests to add the RunExecutableListener to the config. This workaround is sufficient to protect against this attack chain, but it means the edit capabilities of the Config API cannot be used until fixes are in place. Additionally, map the XML Query Parser (`xmlparser`) to a different class so that it cannot be reached through other attack vectors.
Disabling the Config Edit API
Ambari Infra Solr
- Navigate to the Ambari Web UI and select the Ambari Infra service.
- Expand the Advanced infra-solr-env configuration section.
- Locate the infra-solr-env template property and scroll to the area of the template where the SOLR_OPTS variable is configured.
- After the last commented line referencing SOLR_OPTS, add a line that appends the system parameter `-Ddisable.configEdit=true` to SOLR_OPTS.
- Save this version of the configuration and restart the Infra Solr Instance
HDP Search
- Navigate to the Ambari Web UI and select the Solr service.
- Expand the Advanced solr-config-env configuration section.
- Locate the solr.in.sh template property and scroll to the area of the template where the SOLR_OPTS variable is configured.
- After the last commented line referencing SOLR_OPTS, add a line that appends the system parameter `-Ddisable.configEdit=true` to SOLR_OPTS.
- Save this version of the configuration and restart the Solr service
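The script below is an added example; it is not part of this advisory, of Ambari or of Apache Solr. It applies the SOLR_OPTS edit from the Ambari Infra and HDP Search steps above to a template that has been saved to a file (the Ambari UI edits the same template in the browser, so on an Ambari-managed cluster the edit itself is done there), checks what SOLR_OPTS resolves to after the edit, and provides a live check that the Config API refuses edits once Solr has been restarted. The base URL, the collection name and the expectation that a disabled Config API answers a POST with HTTP 403 are assumptions; the template excerpt used in the self-check is constructed.

```shell
#!/bin/sh
# Added example (not from the IBM advisory, Ambari or Apache Solr): apply the
# "-Ddisable.configEdit=true" workaround for CVE-2017-12629 to a solr.in.sh /
# infra-solr-env style template and verify the result.
# Assumptions: the template builds SOLR_OPTS the way the stock solr.in.sh does
# (SOLR_OPTS="$SOLR_OPTS ..." lines), and a Solr whose Config API editing is
# disabled answers a POST edit with HTTP 403 (Forbidden).

# Append the workaround line to the template, but only once.
# Prints "added" or "present"; returns 1 if the template does not exist.
add_disable_config_edit() {
    template="$1"
    [ -f "$template" ] || { echo "no such template: $template" >&2; return 1; }
    if grep -q -- '-Ddisable.configEdit=true' "$template"; then
        echo present
        return 0
    fi
    # Keep whatever was already in SOLR_OPTS; only add the new system property.
    printf '\n# CVE-2017-12629 workaround: disallow edits through the Config API\nSOLR_OPTS="$SOLR_OPTS -Ddisable.configEdit=true"\n' >> "$template"
    echo added
}

# Resolve SOLR_OPTS the way the start script would: source the template in a
# subshell (starting from an empty SOLR_OPTS) and print the final value.
effective_solr_opts() {
    template="$1"
    ( SOLR_OPTS=""; . "$template"; printf '%s' "$SOLR_OPTS" )
}

# Live check against a restarted Solr: a benign Config API edit must be
# rejected. Returns 0 when the server answers 403, 1 otherwise.
# Not exercised by the self-test below because it needs a running Solr.
check_config_edit_disabled() {
    base_url="$1"      # hypothetical, e.g. http://infra-solr-host:8886/solr
    collection="$2"    # hypothetical, e.g. ranger_audits
    status=$(curl -s -o /dev/null -w '%{http_code}' -X POST \
        -H 'Content-type:application/json' \
        -d '{"set-property":{"updateHandler.autoCommit.maxTime":15000}}' \
        "$base_url/$collection/config")
    [ "$status" = "403" ]
}
```

On the Solr host, `ps -ef | grep disable.configEdit` after the restart confirms that the property actually reached the JVM command line; a template edit that is saved but not followed by a restart leaves the running instance unprotected.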
Disabling the xmlparser Query Parser For Each Solr Collection managed by Ambari Infra
Ranger
- Navigate to the Ambari Web UI and select the Ranger service.
- Expand the Advanced ranger-solr-configuration configuration section.
- Locate the solr-config template property and scroll to the area of the template where the <queryParser/> XML tags are referenced.
- Add a `<queryParser/>` entry that maps the `xmlparser` name to a class other than the XML query parser, in an uncommented area of this template. An uncommented area is one that is not surrounded by `<!--` and `-->` tags.
- Save this version of the configuration and restart the Ranger Admin
Atlas
- Navigate to the Ambari Web UI and select the Atlas service.
- Expand the Advanced atlas-solrconfig configuration section.
- Scroll to the area of the template where the <queryParser/> XML tags are referenced.
- Add a `<queryParser/>` entry that maps the `xmlparser` name to a class other than the XML query parser, in an uncommented area of this template. An uncommented area is one that is not surrounded by `<!--` and `-->` tags.
- Save this version of the configuration and restart the Atlas Metadata Server
Log Search
- Navigate to the Ambari Web UI and select the Log Search service.
- Expand the Advanced logsearch-audit_logs-solrconfig configuration section.
- Locate the solrconfig template property and scroll to the area of the template where the <queryParser/> XML tags are referenced.
- Add a `<queryParser/>` entry that maps the `xmlparser` name to a class other than the XML query parser, in an uncommented area of this template. An uncommented area is one that is not surrounded by `<!--` and `-->` tags.
- Expand the Advanced logsearch-service_logs-solrconfig configuration section.
- Locate the solrconfig template property and scroll to the area of the template where the <queryParser/> XML tags are referenced.
- Add a `<queryParser/>` entry that maps the `xmlparser` name to a class other than the XML query parser, in an uncommented area of this template. An uncommented area is one that is not surrounded by `<!--` and `-->` tags.
- Save this version of the configuration and restart the Log Search Server
Note: If using custom collections in HDP Search for your own use cases, please ensure the same queryParser changes are made to each collection you’ve created.
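The solrconfig.xml excerpt below is an added example; it is not text from this advisory, from Ambari or from the Apache Solr project. It shows where the `<queryParser/>` entry added in the Ranger, Atlas, Log Search and custom-collection steps above sits, in an uncommented region of the file. Solr registers the built-in `xmlparser` name itself, and a `<queryParser/>` element with the same name in solrconfig.xml replaces that registration. The class name `solr.LuceneQParserPlugin` is an assumption: the advisory only requires that `xmlparser` be mapped to a class other than the XML query parser, and the standard Lucene query parser is one built-in plugin that exists in Solr 5.5 and does not parse XML.

```xml
<?xml version="1.0" encoding="UTF-8" ?>
<!-- Added example (not from the IBM advisory, Ambari or Apache Solr): the part
     of a Solr 5.5 solrconfig.xml touched by the CVE-2017-12629 workaround.
     Everything except the final <queryParser/> element is ordinary surrounding
     context; the class chosen for the "xmlparser" name is an assumed choice. -->
<config>
  <luceneMatchVersion>5.5.0</luceneMatchVersion>

  <requestHandler name="/select" class="solr.SearchHandler">
    <lst name="defaults">
      <str name="echoParams">explicit</str>
      <int name="rows">10</int>
    </lst>
  </requestHandler>

  <!-- An entry placed inside a comment block like this one is ignored by
       Solr, so the override below is kept outside of any comment. -->

  <!-- CVE-2017-12629 workaround: re-map the reserved name "xmlparser" so that
       {!xmlparser} requests are handled by the standard Lucene parser and
       never reach solr.XmlQParserPlugin. -->
  <queryParser name="xmlparser" class="solr.LuceneQParserPlugin"/>
</config>
```

The override only takes effect after the collection's configuration has been reloaded or the owning service restarted, which is why each procedure above ends with a restart; a collection created later from an unchanged config set is not covered and needs the same entry.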
For additional assistance please open a case with IBM Support.
Document Information
Modified date:
25 September 2022
UID
swg22011352