Jul 18, 2020 - 11:22 p.m.

Security Bulletin: IBM InfoSphere BigInsights 4.2.5 is affected by an Open Source (Solr) vulnerability (CVE-2017-12629)

2020-07-18 23:22:56
www.ibm.com

CVSS3: 9.8 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS2: 7.5 High
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P

Summary

IBM InfoSphere BigInsights 4.2.5 is affected by an Open Source (Solr) vulnerability (CVE-2017-12629)

Vulnerability Details

CVE-ID: CVE-2017-12629
Description: Remote code execution occurs in Apache Solr before 7.1 with Apache Lucene before 7.1 by exploiting XXE in conjunction with use of a Config API add-listener command to reach the RunExecutableListener class. Elasticsearch, although it uses Lucene, is NOT vulnerable to this. Note that the XML external entity expansion vulnerability occurs in the XML Query Parser which is available, by default, for any query request with parameters deftype=xmlparser and can be exploited to upload malicious data to the /upload request handler or as Blind XXE using ftp wrapper in order to read arbitrary local files from the Solr server. Note also that the second vulnerability relates to remote code execution using the RunExecutableListener available on all affected versions of Solr.
CVSS Base Score: 9.8
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/133524 for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Affected Products and Versions

Principal Product and Version(s) | Affected Supporting Product and Version
---|---
IBM BigInsights 4.2.5 | IBM Open Platform 4.2.5

Workarounds and Mitigations

All Solr users are advised to restart their Solr instances with the system parameter -Ddisable.configEdit=true. This will disallow any changes otherwise made to configurations via the Config API. This is a key factor in this vulnerability since it allows GET requests to add the RunExecutableListener to the config. This workaround is sufficient to protect from this type of attack but means you cannot use the edit capabilities of the Config API until further fixes are in place. Additionally, the XML Query Parser should be mapped to a different class to ensure that it cannot be accessed through other attack vectors.

Disabling the Config Edit API

Ambari Infra Solr
1. Navigate to the Ambari Web UI and select the Ambari Infra service.
2. Expand the Advanced infra-solr-env configuration section.
3. Locate the infra-solr-env template property and scroll to the area of the template where the SOLR_OPTS variable is configured.
4. Add the following line after the last commented line referencing SOLR_OPTS:
SOLR_OPTS="$SOLR_OPTS -Ddisable.configEdit=true"
5. Save this version of the configuration and restart the Infra Solr Instance.

HDP Search
1. Navigate to the Ambari Web UI and select the Solr service.
2. Expand the Advanced solr-config-env configuration section.
3. Locate the solr.in.sh template property and scroll to the area of the template where the SOLR_OPTS variable is configured.
4. Add the following line after the last commented line referencing SOLR_OPTS:
SOLR_OPTS="$SOLR_OPTS -Ddisable.configEdit=true"
5. Save this version of the configuration and restart the Solr

Disabling the xmlparser Query Parser For Each Solr Collection managed by Ambari Infra

Ranger
1. Navigate to the Ambari Web UI and select the Ranger service.
2. Expand the Advanced ranger-solr-configuration configuration section.
3. Locate the solr-config template property and scroll to the area of the template where the <queryParser/> XML tags are referenced.
4. Add the following line in an uncommented area of this template. An uncommented area is one that is not surrounded by <!-- and --> tags:
<queryParser name="xmlparser" class="solr.ExtendedDismaxQParserPlugin" />
5. Save this version of the configuration and restart the Ranger Admin.

Atlas
1. Navigate to the Ambari Web UI and select the Atlas service.
2. Expand the Advanced atlas-solrconfig configuration section.
3. Scroll to the area of the template where the <queryParser/> XML tags are referenced.
4. Add the following line in an uncommented area of this template. An uncommented area is one that is not surrounded by <!-- and --> tags:
<queryParser name="xmlparser" class="solr.ExtendedDismaxQParserPlugin" />
5. Save this version of the configuration and restart the Atlas Metadata Server.

Log Search
1. Navigate to the Ambari Web UI and select the Log Search service.
2. Expand the Advanced logsearch-audit_logs-solrconfig configuration section.
3. Locate the Solrconfig template property and scroll to the area of the template where the <queryParser/> XML tags are referenced.
4. Scroll to the area of the template where the <queryParser/> XML tags are referenced.
5. Add the following line in an uncommented area of this template. An uncommented area is one that is not surrounded by <!-- and --> tags:
<queryParser name="xmlparser" class="solr.ExtendedDismaxQParserPlugin" />
6. Expand the Advanced logsearch-service_logs-solrconfig configuration section.
7. Locate the solrconfig template property and scroll to the area of the template where the <queryParser/> XML tags are referenced.
8. Scroll to the area of the template where the <queryParser/> XML tags are referenced.
9. Add the following line in an uncommented area of this template. An uncommented area is one that is not surrounded by <!-- and --> tags:
<queryParser name="xmlparser" class="solr.ExtendedDismaxQParserPlugin" />
10. Save this version of the configuration and restart the Log Search Server.

Note: If using custom collections in HDP Search for your own use cases, please ensure the same queryParser changes are made to each collection you’ve created.
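
To confirm that both workarounds above actually took effect, the saved template text can be audited offline. The following is an added example, not part of the IBM bulletin or of Ambari; the function names and sample inputs are constructed for illustration, and it assumes the template text has been copied out of Ambari into a string. It treats a line that exists only inside a comment, or one pasted with typographic quotes, as not applied.

```python
import re
import xml.etree.ElementTree as ET

FLAG = re.compile(r"-Ddisable\.configEdit=true(?![\w.])")
SAFE_CLASS = "solr.ExtendedDismaxQParserPlugin"  # class the bulletin maps xmlparser to

def check_solr_env(text):
    """Audit a SOLR_OPTS template: returns 'ok', 'smart-quotes' or 'missing'."""
    status = "missing"
    for line in text.splitlines():
        code = line.split("#", 1)[0]              # ignore shell comments
        if "SOLR_OPTS=" not in code or not FLAG.search(code):
            continue
        if "\u201c" in code or "\u201d" in code:  # typographic quotes pasted from a web page
            status = "smart-quotes"               # the shell will not treat these as quotes
            continue
        return "ok"
    return status

def check_solrconfig(xml_text):
    """Audit a solrconfig template: 'ok', 'missing', 'wrong-class' or 'unparseable'."""
    try:
        root = ET.fromstring(xml_text)            # the parser drops <!-- --> comments
    except ET.ParseError:
        return "unparseable"                      # e.g. attributes in typographic quotes
    status = "missing"
    for qp in root.iter("queryParser"):
        if qp.get("name") == "xmlparser":
            if qp.get("class") != SAFE_CLASS:
                return "wrong-class"
            status = "ok"
    return status

# Constructed sample inputs (not taken from a real cluster).
ENV_COMMENTED_ONLY = '# SOLR_OPTS="$SOLR_OPTS -Ddisable.configEdit=true"\n'
ENV_FIXED = ENV_COMMENTED_ONLY + 'SOLR_OPTS="$SOLR_OPTS -Ddisable.configEdit=true"\n'
ENV_PASTED = "SOLR_OPTS=\u201c$SOLR_OPTS -Ddisable.configEdit=true\u201d\n"
REMAP = '<queryParser name="xmlparser" class="solr.ExtendedDismaxQParserPlugin" />'
XML_COMMENTED_ONLY = "<config><!-- " + REMAP + " --></config>"
XML_FIXED = "<config>" + REMAP + "</config>"

if __name__ == "__main__":
    for name, text in [("commented", ENV_COMMENTED_ONLY), ("fixed", ENV_FIXED),
                       ("pasted", ENV_PASTED)]:
        print("solr env", name, "->", check_solr_env(text))
    for name, text in [("commented", XML_COMMENTED_ONLY), ("fixed", XML_FIXED)]:
        print("solrconfig", name, "->", check_solrconfig(text))
```

Run the solrconfig check once per collection, including any custom collections covered by the note above.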

CPE Name | Operator | Version
---|---|---
ibm db2 big sql | eq | 4.2.5
