IBM Support

Security Bulletin: CVE-2017-7660: Security Vulnerability in secure inter-node communication in Apache Solr

Created by Esther Prosperi on
Published URL:
https://www.ibm.com/support/pages/node/565973
565973

Security Bulletin


Summary

A potential security vulnerability has been identified for systems that are set up to use basic authentication. The version of Solr that is included with both IBM i2 Enterprise Insight Analysis and IBM i2 Analyze is affected, and has been patched in the latest fix pack.

Vulnerability Details

Solr uses a PKI based mechanism to secure inter-node communication when security is enabled. It is possible to create a specially crafted node name that does not exist as part of the cluster and point it to a malicious node. This can trick the nodes in the cluster to believe that the malicious node is a member of the cluster.

If you have enabled the BasicAuth authentication mechanism using the BasicAuthPlugin, or implemented a custom Authentication plugin that does not implement either "HttpClientInterceptorPlugin" or "HttpClientBuilderPlugin", your servers are vulnerable to this attack. If you use SSL without basic authentication, or you use Kerberos, you will be unaffected.

Affected Products and Versions

Solr 5.3 to 5.5.4; Solr 6.0 to 6.5.1

Remediation/Fixes

To resolve this issue, upgrade to the latest fix pack for your deployment:

Get Notified about Future Security Bulletins

References

Off

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.

[{"Product":{"code":"SSXVXZ","label":"IBM i2 Enterprise Insight Analysis"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Component":"--","Platform":[{"code":"PF033","label":"Windows"},{"code":"PF016","label":"Linux"}],"Version":"2.1.5","Edition":"","Line of Business":{"code":"LOB24","label":"Security Software"}},{"Product":{"code":"SSXVTH","label":"i2 Analyze"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Component":" ","Platform":[{"code":"PF033","label":"Windows"},{"code":"PF016","label":"Linux"}],"Version":"4.1.4","Edition":"","Line of Business":{"code":"LOB24","label":"Security Software"}}]

Document Information

Modified date:
29 September 2018

UID

swg22006809