Vulnerability Details : CVE-2017-12629
Remote code execution occurs in Apache Solr before 7.1 with Apache Lucene before 7.1 by exploiting XXE in conjunction with use of a Config API add-listener command to reach the RunExecutableListener class. Elasticsearch, although it uses Lucene, is NOT vulnerable to this. Note that the XML external entity expansion vulnerability occurs in the XML Query Parser, which is available by default for any query request with the parameter deftype=xmlparser, and can be exploited to upload malicious data to the /upload request handler or as Blind XXE using the ftp wrapper in order to read arbitrary local files from the Solr server. Note also that the second vulnerability relates to remote code execution using the RunExecutableListener, which is available on all affected versions of Solr.
Vulnerability categories: XML external entity (XXE) injection; Execute code
Products affected by CVE-2017-12629
- cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:*
- cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
- cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
- cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:apache:solr:*:*:*:*:*:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2017-12629
EPSS score: 97.43% (probability of exploitation activity in the next 30 days)
EPSS percentile: ~100% (the proportion of vulnerabilities scored at or below this one)
CVSS scores for CVE-2017-12629
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P | 10.0 | 6.4 | NIST | 
9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 | NIST | 
CWE ids for CVE-2017-12629
- The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output. Assigned by: nvd@nist.gov (Primary)
References for CVE-2017-12629
- https://lists.apache.org/thread.html/r3da74965aba2b5f5744b7289ad447306eeb2940c872801819faa9314@%3Cusers.solr.apache.org%3E
  Re: CVE-2021-27905 Apache Solr ReplicationHandler/SSRF vulnerability - Pony Mail [Mailing List; Vendor Advisory]
- https://access.redhat.com/errata/RHSA-2017:3124
  RHSA-2017:3124 - Security Advisory - Red Hat Customer Portal [Third Party Advisory]
- https://lists.apache.org/thread.html/r140128dc6bb4f4e0b6a39e962c7ca25a8cbc8e48ed766176c931fccc@%3Cusers.solr.apache.org%3E
  Re: CVE-2021-27905 Apache Solr ReplicationHandler/SSRF vulnerability - Pony Mail [Mailing List; Vendor Advisory]
- https://lists.debian.org/debian-lts-announce/2018/01/msg00028.html
  [SECURITY] [DLA 1254-1] lucene-solr security update [Mailing List; Third Party Advisory]
- https://access.redhat.com/errata/RHSA-2017:3123
  RHSA-2017:3123 - Security Advisory - Red Hat Customer Portal [Third Party Advisory]
- http://www.securityfocus.com/bid/101261
  Apache Solr/Lucene CVE-2017-12629 Information Disclosure and Remote Code Execution Vulnerabilities [Third Party Advisory; VDB Entry]
- https://www.debian.org/security/2018/dsa-4124
  Debian -- Security Information -- DSA-4124-1 lucene-solr [Third Party Advisory]
- http://openwall.com/lists/oss-security/2017/10/13/1
  oss-security - CVE-2017-12629 Solr: Code execution via entity expansion [Mailing List; Third Party Advisory]
- https://access.redhat.com/errata/RHSA-2018:0004
  RHSA-2018:0004 - Security Advisory - Red Hat Customer Portal [Third Party Advisory]
- https://lists.apache.org/thread.html/r95df34bb158375948da82b4dfe9a1b5d528572d586584162f8f5aeef@%3Cusers.solr.apache.org%3E
  CVE-2021-27905 Apache Solr ReplicationHandler/SSRF vulnerability - Pony Mail [Mailing List; Vendor Advisory]
- https://usn.ubuntu.com/4259-1/
  USN-4259-1: Apache Solr vulnerability | Ubuntu security notices | Ubuntu [Third Party Advisory]
- https://twitter.com/searchtools_avi/status/918904813613543424
  SearchTools_Avi on Twitter: "Lucidworks Fusion does not use the Solr’s Config API, to avoid the vulnerability, add the startup flag -Ddisable.configEdit=true" [Third Party Advisory]
- http://mail-archives.us.apache.org/mod_mbox/www-announce/201710.mbox/%3CCAOOKt51UO_6Vy%3Dj8W%3Dx1pMbLW9VJfZyFWz7pAnXJC_OAdSZubA%40mail.gmail.com%3E
  [ANNOUNCE] [SECURITY] CVE-2017-12629: Several critical vulnerabilities discovered in Apache Solr (XXE & RCE) [Mailing List; Vendor Advisory]
- https://access.redhat.com/errata/RHSA-2017:3451
  RHSA-2017:3451 - Security Advisory - Red Hat Customer Portal [Third Party Advisory]
- https://access.redhat.com/errata/RHSA-2017:3244
  RHSA-2017:3244 - Security Advisory - Red Hat Customer Portal [Third Party Advisory]
- https://lists.apache.org/thread.html/r26c996b068ef6c5e89aa59acb769025cfd343a08e63fbe9e7f3f720f@%3Coak-issues.jackrabbit.apache.org%3E
  [jira] [Created] (OAK-9537) Security vulnerability in org/apache/lucene/queryparser/xml/CoreParser.java - Pony Mail [Mailing List; Vendor Advisory]
- https://access.redhat.com/errata/RHSA-2018:0003
  RHSA-2018:0003 - Security Advisory - Red Hat Customer Portal [Third Party Advisory]
- https://access.redhat.com/errata/RHSA-2017:3452
  RHSA-2017:3452 - Security Advisory - Red Hat Customer Portal [Third Party Advisory]
- https://www.exploit-db.com/exploits/43009/
  Apache Solr 7.0.1 - XML External Entity Expansion / Remote Code Execution [Exploit; Third Party Advisory; VDB Entry]
- https://s.apache.org/FJDl
  Re: Several critical vulnerabilities discovered in Apache Solr (XXE & RCE) [Exploit; Mailing List; Vendor Advisory]
- https://twitter.com/ApacheSolr/status/918731485611401216
  Apache Solr on Twitter: "Please secure your #Solr servers since a zero-day exploit has been reported on a public mailing list -- see https://t.co/mFDvxrdm0T" [Third Party Advisory]
- https://access.redhat.com/errata/RHSA-2018:0005
  RHSA-2018:0005 - Security Advisory - Red Hat Customer Portal [Third Party Advisory]
- https://access.redhat.com/errata/RHSA-2018:0002
  RHSA-2018:0002 - Security Advisory - Red Hat Customer Portal [Third Party Advisory]
- https://twitter.com/joshbressers/status/919258716297420802
  Josh Bressers on Twitter: "I've had a number of people ask me about CVE-2017-12629. The lucene XXE issue doesn't affect Elasticsearch. https://t.co/9F1wsrtt6Q" [Third Party Advisory]