Remote code execution occurs in Apache Solr before 7.1 with Apache Lucene before 7.1 by exploiting XXE in conjunction with use of a Config API add-listener command to reach the RunExecutableListener class. Elasticsearch, although it uses Lucene, is NOT vulnerable to this. Note that the XML external entity expansion vulnerability occurs in the XML Query Parser, which is available by default for any query request with the parameter deftype=xmlparser, and can be exploited to upload malicious data to the /upload request handler or, as blind XXE using the ftp wrapper, to read arbitrary local files from the Solr server. Note also that the second vulnerability relates to remote code execution using the RunExecutableListener, which is available on all affected versions of Solr.
CWE-138 (https://cwe.mitre.org/data/definitions/138.html): The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as control elements or syntactic markers when they are sent to a downstream component.

CWE-611 (https://cwe.mitre.org/data/definitions/611.html): The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.

CAPEC-15 (https://capec.mitre.org/data/definitions/15.html): An attack of this type exploits a program's vulnerabilities that allow an attacker's commands to be concatenated onto a legitimate command with the intent of targeting other resources such as the file system or database. A system that uses filter or denylist input validation, as opposed to allowlist validation, is vulnerable to an attacker who predicts delimiters (or combinations of delimiters) not present in the filter or denylist. As with other injection attacks, the attacker uses the command delimiter payload as an entry point to tunnel through the application and activate additional attacks through SQL queries, shell commands, network scanning, and so on.

CAPEC-34: https://capec.mitre.org/data/definitions/34.html

CAPEC-105: https://capec.mitre.org/data/definitions/105.html

CAPEC-221 (https://capec.mitre.org/data/definitions/221.html): This attack takes advantage of the entity replacement property of certain data serialization languages (e.g., XML, YAML, etc.) where the value of the replacement is a URI. A well-crafted file could have the entity refer to a URI that consumes a large amount of resources to create a denial of service condition. This can cause the system to either freeze, crash, or execute arbitrary code depending on the URI.

| Product | Vendor | Status |
|---|---|---|
| eap7-activemq-artemis | | Tracked |
| eap7-hibernate | | Tracked |
| eap7-ironjacamar | | Tracked |
| eap7-jboss-ec2-eap | | Tracked |
| eap7-jboss-remoting | | Tracked |
| eap7-jboss-xnio-base | | Tracked |
| eap7-jgroups | | Tracked |
| eap7-lucene-solr | | Tracked |
| eap7-resteasy | | Tracked |
| eap7-undertow | | Tracked |