| Vulnerability Name: | CVE-2019-17558 (CCN-173628) |
| Assigned: | 2019-12-30 |
| Published: | 2019-12-30 |
| Updated: | 2022-02-20 |
| Summary: | Apache Solr 5.0.0 to Apache Solr 8.3.1 are vulnerable to a Remote Code Execution through the VelocityResponseWriter. A Velocity template can be provided through Velocity templates in a configset `velocity/` directory or as a parameter. A user defined configset could contain renderable, potentially malicious, templates. Parameter provided templates are disabled by default, but can be enabled by setting `params.resource.loader.enabled` by defining a response writer with that setting set to `true`. Defining a response writer requires configuration API access. Solr 8.4 removed the params resource loader entirely, and only enables the configset-provided template rendering when the configset is `trusted` (has been uploaded by an authenticated user).
|
| CVSS v3 Severity: | 7.5 High (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H)
7.0 High (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C)| Exploitability Metrics: | Attack Vector (AV): Network
Attack Complexity (AC): High
Privileges Required (PR): Low
User Interaction (UI): None | | Scope: | Scope (S): Unchanged
| | Impact Metrics: | Confidentiality (C): High
Integrity (I): High
Availibility (A): High |
9.8 Critical (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
9.1 Critical (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C)| Exploitability Metrics: | Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None | | Scope: | Scope (S): Unchanged
| | Impact Metrics: | Confidentiality (C): High
Integrity (I): High
Availibility (A): High |
|
| CVSS v2 Severity: | 4.6 Medium (CVSS v2 Vector: AV:N/AC:H/Au:S/C:P/I:P/A:P)| Exploitability Metrics: | Access Vector (AV): Network
Access Complexity (AC): High
Authentication (Au): Single_Instance | | Impact Metrics: | Confidentiality (C): Partial
Integrity (I): Partial
Availibility (A): Partial |
10.0 High (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C)| Exploitability Metrics: | Access Vector (AV): Network
Access Complexity (AC): Low
Athentication (Au): None
| | Impact Metrics: | Confidentiality (C): Complete
Integrity (I): Complete
Availibility (A): Complete |
|
| Vulnerability Type: | CWE-74
|
| Vulnerability Consequences: | Gain Access |
| References: | Source: MITRE
Type: CNA
CVE-2019-17558
Source: MISC
Type: Exploit, Third Party Advisory, VDB Entry
http://packetstormsecurity.com/files/157078/Apache-Solr-8.3.0-Velocity-Template-Remote-Code-Execution.html
Source: XF
Type: UNKNOWN
apache-cve201917558-code-exec(173628)
Source: MISC
Type: Exploit, Issue Tracking, Patch, Vendor Advisory
https://issues.apache.org/jira/browse/SOLR-13971
Source: MLIST
Type: Mailing List, Vendor Advisory
[lucene-issues] 20200113 [GitHub] [lucene-solr] Sachpat commented on issue #1156: SOLR-13971: CVE-2019-17558: Velocity custom template RCE vulnerability
Source: MLIST
Type: Mailing List, Patch, Vendor Advisory
[lucene-issues] 20200113 [jira] [Commented] (SOLR-14025) CVE-2019-17558: Velocity response writer RCE vulnerability persists after 8.3.1
Source: MLIST
Type: Mailing List, Patch, Vendor Advisory
[lucene-dev] 20200214 Re: 7.7.3 bugfix release
Source: MLIST
Type: Mailing List, Vendor Advisory
[druid-commits] 20210324 [GitHub] [druid] jihoonson opened a new pull request #11030: Suppress cves
Source: MLIST
Type: Mailing List, Vendor Advisory
[lucene-solr-user] 20200320 CVEs (vulnerabilities) that apply to Solr 8.4.1
Source: MLIST
Type: Mailing List, Vendor Advisory
[lucene-issues] 20200113 [GitHub] [lucene-solr] Sachpat closed pull request #1156: SOLR-13971: CVE-2019-17558: Velocity custom template RCE vulnerability
Source: MLIST
Type: Mailing List, Vendor Advisory
[lucene-dev] 20200213 Re: 7.7.3 bugfix release
Source: MLIST
Type: Mailing List, Vendor Advisory
[lucene-issues] 20200108 [GitHub] [lucene-solr] Sachpat opened a new pull request #1156: SOLR-13971
Source: MLIST
Type: Mailing List, Vendor Advisory
[lucene-issues] 20200108 [GitHub] [lucene-solr] Sachpat commented on a change in pull request #1156: SOLR-13971: CVE-2019-17558: Velocity custom template RCE vulnerability
Source: MLIST
Type: Mailing List, Vendor Advisory
[lucene-issues] 20200108 [GitHub] [lucene-solr] Sachpat commented on issue #1156: SOLR-13971: CVE-2019-17558: Velocity custom template RCE vulnerability
Source: MLIST
Type: Mailing List, Vendor Advisory
[lucene-solr-user] 20210213 Re: CVE-2019-17558 on SOLR 6.1
Source: MLIST
Type: Mailing List, Vendor Advisory
[lucene-solr-user] 20210203 Re: SolrCloud keeps crashing
Source: MLIST
Type: Mailing List, Vendor Advisory
[lucene-solr-user] 20210212 CVE-2019-17558 on SOLR 6.1
Source: MLIST
Type: Mailing List, Vendor Advisory
[lucene-issues] 20210315 [GitHub] [lucene-solr] erikhatcher commented on pull request #1156: SOLR-13971: CVE-2019-17558: Velocity custom template RCE vulnerability
Source: MLIST
Type: Mailing List, Vendor Advisory
[lucene-issues] 20210210 [GitHub] [lucene-solr] rhtham commented on pull request #1156: SOLR-13971: CVE-2019-17558: Velocity custom template RCE vulnerability
Source: MLIST
Type: Mailing List, Vendor Advisory
[lucene-solr-user] 20210212 Re: CVE-2019-17558 on SOLR 6.1
Source: MLIST
Type: Mailing List, Vendor Advisory
[lucene-issues] 20200108 [jira] [Commented] (SOLR-13971) CVE-2019-17558: Velocity custom template RCE vulnerability
Source: MLIST
Type: Mailing List, Vendor Advisory
[lucene-issues] 20200113 [GitHub] [lucene-solr] chatman commented on issue #1156: SOLR-13971: CVE-2019-17558: Velocity custom template RCE vulnerability
Source: MLIST
Type: Mailing List, Vendor Advisory
[lucene-issues] 20200108 [jira] [Updated] (SOLR-14025) CVE-2019-17558: Velocity response writer RCE vulnerability persists after 8.3.1
Source: MLIST
Type: Mailing List, Vendor Advisory
[lucene-issues] 20200219 [jira] [Updated] (SOLR-14025) CVE-2019-17558: Velocity response writer RCE vulnerability persists after 8.3.1
Source: MLIST
Type: Mailing List, Patch, Vendor Advisory
[lucene-issues] 20200107 [jira] [Commented] (SOLR-13971) CVE-2019-17558: Velocity custom template RCE vulnerability
Source: MLIST
Type: Mailing List, Vendor Advisory
[submarine-commits] 20201209 [GitHub] [submarine] QiAnXinCodeSafe opened a new issue #474: There is a vulnerability in Apache Solr 5.5.4,upgrade recommended
Source: MLIST
Type: Mailing List, Vendor Advisory
[ambari-issues] 20200220 [jira] [Created] (AMBARI-25482) solr dependence CVE-2019-17558
Source: MLIST
Type: Mailing List, Vendor Advisory
[lucene-issues] 20210210 [GitHub] [lucene-solr] rhtham edited a comment on pull request #1156: SOLR-13971: CVE-2019-17558: Velocity custom template RCE vulnerability
Source: MLIST
Type: Mailing List, Vendor Advisory
[lucene-solr-user] 20200320 Re: CVEs (vulnerabilities) that apply to Solr 8.4.1
Source: MLIST
Type: Mailing List, Vendor Advisory
[lucene-issues] 20200108 [GitHub] [lucene-solr] artem-smotrakov commented on a change in pull request #1156: SOLR-13971: CVE-2019-17558: Velocity custom template RCE vulnerability
Source: CCN
Type: Apache Web site
Apache Solr
Source: CCN
Type: Packet Storm Security [04-03-2020]
Apache Solr 8.3.0 Velocity Template Remote Code Execution
Source: CCN
Type: oss-sec Mailing List, Mon, 30 Dec 2019 08:11:44 -0500
[CVE-2019-17558] Apache Solr RCE through VelocityResponseWriter
Source: CCN
Type: CYBERSECURITY & INFRASTRUCTURE SECURITY AGENCY
KNOWN EXPLOITED VULNERABILITIES CATALOG
Source: EXPLOIT-DB
Type: EXPLOIT
Offensive Security Exploit Database [04-16-2020]
Source: CCN
Type: IBM Security Bulletin 6174129 (Cloud Pak for Data)
Possible remote code execution vulnerability in Watson Knowledge Catalog for IBM Cloud Pak for Data
Source: CCN
Type: IBM Security Bulletin 6208129 (InfoSphere Information Server)
Multiple vulnerabilities in Apache Solr (lucene) affect IBM InfoSphere Information Server
Source: CCN
Type: IBM Security Bulletin 6445363 (Log Analysis)
Vulnerability in Apache Solr affects IBM Operations Analytics - Log Analysis (CVE-2019-17558)
Source: CCN
Type: Oracle CPUOct2020
Oracle Critical Patch Update Advisory - October 2020
Source: MISC
Type: Third Party Advisory
https://www.oracle.com/security-alerts/cpuoct2020.html
Source: CCN
Type: WhiteSource Vulnerability Database
CVE-2019-17558
|
| Vulnerable Configuration: | Configuration 1:
cpe:/a:apache:solr:*:*:*:*:*:*:*:* (Version >= 5.0.0 and <= 8.3.1)
Configuration 2:
cpe:/a:oracle:primavera_unifier:16.1:*:*:*:*:*:*:*OR cpe:/a:oracle:primavera_unifier:16.2:*:*:*:*:*:*:*OR cpe:/a:oracle:primavera_unifier:*:*:*:*:*:*:*:* (Version >= 17.7 and <= 17.12)OR cpe:/a:oracle:primavera_unifier:18.8:*:*:*:*:*:*:*OR cpe:/a:oracle:primavera_unifier:19.12:*:*:*:*:*:*:*
Configuration CCN 1:
cpe:/a:apache:solr:5.0:*:*:*:*:*:*:*OR cpe:/a:apache:solr:8.3.1:*:*:*:*:*:*:*AND cpe:/a:oracle:primavera_unifier:16.1:*:*:*:*:*:*:*OR cpe:/a:oracle:primavera_unifier:16.2:*:*:*:*:*:*:*OR cpe:/a:ibm:infosphere_information_server:11.7:*:*:*:*:*:*:*OR cpe:/a:oracle:primavera_unifier:17.12:*:*:*:*:*:*:*OR cpe:/a:oracle:primavera_unifier:18.8:*:*:*:*:*:*:*OR cpe:/a:ibm:cloud_pak_for_data:2.5:*:*:*:*:*:*:*OR cpe:/a:ibm:log_analysis:1.3.1:*:*:*:*:*:*:*OR cpe:/a:ibm:log_analysis:1.3.2:*:*:*:*:*:*:*OR cpe:/a:ibm:log_analysis:1.3.3:*:*:*:*:*:*:*OR cpe:/a:ibm:log_analysis:1.3.4:*:*:*:*:*:*:*OR cpe:/a:ibm:log_analysis:1.3.5:*:*:*:*:*:*:*OR cpe:/a:ibm:log_analysis:1.3.6:*:*:*:*:*:*:*
 Denotes that component is vulnerable |
| Oval Definitions |
|
| BACK |