| Title | Published | Views | Reporter |
|---|---|---|---|
| Security Bulletin: CVE-2017-7660: Security Vulnerability in secure inter-node communication in Apache Solr | 29 Sep 2018 20:22 | – | ibm |
| Apache Solr Security Bypass Vulnerability | 10 Jul 2017 00:00 | – | cnvd |
| CVE-2017-7660 | 7 Jul 2017 19:00 | – | cve |
| CVE-2017-7660 | 7 Jul 2017 19:00 | – | cvelist |
| CVE-2017-7660 | 7 Jul 2017 19:00 | – | debiancve |
| EUVD-2022-3531 | 3 Oct 2025 20:07 | – | euvd |
| Apache Solr insecure inter-node communication | 14 May 2022 01:56 | – | github |
| CVE-2017-7660 | 7 Jul 2017 19:29 | – | nvd |
| Apache Solr Inter-Node Communication Vulnerability (SOLR-10624) - Linux | 10 Jul 2017 00:00 | – | openvas |
| Apache Solr Inter-Node Communication Vulnerability (SOLR-10624) - Windows | 10 Jul 2017 00:00 | – | openvas |

CVE-2017-7660: Security Vulnerability in secure inter-node
communication in Apache Solr
Severity: Important
Vendor:
The Apache Software Foundation
Versions Affected:
Solr 5.3 to 5.5.4
Solr 6.0 to 6.5.1
Description:
Solr uses a PKI-based mechanism to secure inter-node communication
when security is enabled. It is possible to create a specially crafted
node name that does not exist as part of the cluster and point it to a
malicious node. This can trick the nodes in the cluster into believing
that the malicious node is a member of the cluster. So, if Solr users
have enabled the BasicAuth authentication mechanism using the
BasicAuthPlugin, or if the user has implemented a custom Authentication
plugin which does not implement either "HttpClientInterceptorPlugin" or
"HttpClientBuilderPlugin", their servers are vulnerable to this
attack. Users who only use SSL without basic authentication or those
who use Kerberos are not affected.
Mitigation:
6.x users should upgrade to 6.6
5.x users should obtain the latest source from git and apply this patch:
http://git-wip-us.apache.org/repos/asf/lucene-solr/commit/2f5ecbcf
Credit:
This issue was discovered by Noble Paul of Lucidworks Inc.
References:
https://issues.apache.org/jira/browse/SOLR-10624
https://wiki.apache.org/solr/SolrSecurity
--
The Lucene PMC
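
The exposure conditions in the advisory above (affected version range plus authentication plugin type) can be turned into a triage check over an inventory of clusters. This is an added example, not code from the Apache advisory or from Solr; it assumes each cluster's Solr version and `security.json` text have already been collected, and the cluster names and the `com.example.TokenAuth` class are hypothetical.

```python
import json
import re

# Affected ranges exactly as the advisory states them (inclusive).
AFFECTED = [((5, 3, 0), (5, 5, 4)), ((6, 0, 0), (6, 5, 1))]
# Plugin class names as they appear in security.json (short and full forms).
BASIC = {"solr.BasicAuthPlugin", "org.apache.solr.security.BasicAuthPlugin"}
KERBEROS = {"solr.KerberosPlugin", "org.apache.solr.security.KerberosPlugin"}

def parse_version(text):
    """Turn '6.5.1' or '5.3' into a 3-tuple, padding a missing patch with 0."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised Solr version: {text!r}")
    return tuple(int(p or 0) for p in m.groups())

def version_affected(text):
    v = parse_version(text)
    return any(lo <= v <= hi for lo, hi in AFFECTED)

def triage(version, security_json):
    """Return (status, reason) for one cluster."""
    if not version_affected(version):
        return "not-affected", "version outside 5.3-5.5.4 and 6.0-6.5.1"
    conf = json.loads(security_json) if security_json else {}
    cls = (conf.get("authentication") or {}).get("class")
    if cls is None:
        return "not-affected", "no authentication plugin (SSL-only case)"
    if cls in KERBEROS:
        return "not-affected", "Kerberos authentication"
    if cls in BASIC:
        return "vulnerable", "BasicAuthPlugin on an affected version"
    return "review", (f"custom plugin {cls}: vulnerable unless it implements "
                      "HttpClientInterceptorPlugin or HttpClientBuilderPlugin")

# Constructed sample inventory: (cluster name, Solr version, security.json text).
SAMPLE = [
    ("search-a", "6.5.1", '{"authentication": {"class": "solr.BasicAuthPlugin"}}'),
    ("search-b", "6.6", '{"authentication": {"class": "solr.BasicAuthPlugin"}}'),
    ("search-c", "5.5.4", '{"authentication": {"class": "solr.KerberosPlugin"}}'),
    ("search-d", "5.3", '{"authentication": {"class": "com.example.TokenAuth"}}'),
    ("search-e", "6.2.0", ""),
]

if __name__ == "__main__":
    for name, version, sec in SAMPLE:
        status, reason = triage(version, sec)
        print(f"{name:9} {version:6} {status:12} {reason}")
```

A `review` result means the configuration alone cannot settle the question: the custom plugin's source has to be checked for the two interfaces the advisory names.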
# 0day.today [2018-01-08] #