===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2017.3069
   Security Bulletin: IBM InfoSphere BigInsights 4.2.5 is affected by an
            Open Source (Solr) vulnerability (CVE-2017-12629)
                              1 December 2017

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM InfoSphere BigInsights
Publisher:         IBM
Operating System:  Linux variants
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Denial of Service               -- Remote/Unauthenticated
                   Access Confidential Data        -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2017-12629
Reference:         ESB-2017.2943
                   ESB-2017.2832
                   ESB-2017.2656

Original Bulletin:
   http://www.ibm.com/support/docview.wss?uid=swg22010462

- --------------------------BEGIN INCLUDED TEXT--------------------

Security Bulletin: IBM InfoSphere BigInsights 4.2.5 is affected by an Open
Source (Solr) vulnerability (CVE-2017-12629)

Security Bulletin

Document information

More support for: IBM BigInsights
Open Source Tools
Software version: 4.2.5
Operating system(s): Linux
Reference #: 2010462
Modified date: 30 November 2017

Summary

IBM InfoSphere BigInsights 4.2.5 is affected by an Open Source (Solr)
vulnerability (CVE-2017-12629)

Vulnerability Details

CVE-ID: CVE-2017-12629

Description: Remote code execution occurs in Apache Solr before 7.1 with Apache
Lucene before 7.1 by exploiting XXE in conjunction with use of a Config API
add-listener command to reach the RunExecutableListener class. Elasticsearch,
although it uses Lucene, is NOT vulnerable to this.
Note that the XML external entity expansion vulnerability occurs in the XML
Query Parser which is available, by default, for any query request with
parameters deftype=xmlparser and can be exploited to upload malicious data to
the /upload request handler or as Blind XXE using ftp wrapper in order to read
arbitrary local files from the Solr server. Note also that the second
vulnerability relates to remote code execution using the RunExecutableListener
available on all affected versions of Solr.

CVSS Base Score: 9.8
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/133524
for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Affected Products and Versions

Principal Product and Version(s)    Affected Supporting Product and Version
IBM BigInsights 4.2.5               IBM Open Platform 4.2.5

Workarounds and Mitigations

All Solr users are advised to restart their Solr instances with the system
parameter `-Ddisable.configEdit=true`. This will disallow any changes
otherwise made to configurations via the Config API. This is a key factor in
this vulnerability since it allows GET requests to add the
RunExecutableListener to the config. This workaround is sufficient to protect
from this type of attack but means you cannot use the edit capabilities of the
Config API until further fixes are in place.

Additionally, the XML Query Parser should be mapped to a different class to
ensure that it cannot be accessed through other attack vectors.

Disabling the Config Edit API

Ambari Infra Solr

1. Navigate to the Ambari Web UI and select the Ambari Infra service.
2. Expand the Advanced infra-solr-env configuration section.
3. Locate the infra-solr-env template property and scroll to the area of the
   template where the SOLR_OPTS variable is configured.
4. Add the following line after the last commented line referencing SOLR_OPTS:

   SOLR_OPTS="$SOLR_OPTS -Ddisable.configEdit=true"

5. Save this version of the configuration and restart the Infra Solr Instance

HDP Search

1. Navigate to the Ambari Web UI and select the Solr service.
2. Expand the Advanced solr-config-env configuration section.
3. Locate the solr.in.sh template property and scroll to the area of the
   template where the SOLR_OPTS variable is configured.
4. Add the following line after the last commented line referencing SOLR_OPTS:

   SOLR_OPTS="$SOLR_OPTS -Ddisable.configEdit=true"

5. Save this version of the configuration and restart the Solr

Disabling the xmlparser Query Parser

For Each Solr Collection managed by Ambari Infra

Ranger

1. Navigate to the Ambari Web UI and select the Ranger service.
2. Expand the Advanced ranger-solr-configuration configuration section.
3. Locate the solr-config template property and scroll to the area of the
   template where the <queryParser/> XML tags are referenced.
4. Add the following line in an uncommented area of this template. An
   uncommented area is an area that is not surrounded by <!-- and --> tags:

   <queryParser name="xmlparser" class="solr.ExtendedDismaxQParserPlugin" />

5. Save this version of the configuration and restart the Ranger Admin

Atlas

1. Navigate to the Ambari Web UI and select the Atlas service.
2. Expand the Advanced atlas-solrconfig configuration section.
3. Scroll to the area of the template where the <queryParser/> XML tags are
   referenced.
4. Add the following line in an uncommented area of this template. An
   uncommented area is an area that is not surrounded by <!-- and --> tags:

   <queryParser name="xmlparser" class="solr.ExtendedDismaxQParserPlugin" />

5. Save this version of the configuration and restart the Atlas Metadata Server

Log Search

1. Navigate to the Ambari Web UI and select the Log Search service.
2. Expand the Advanced logsearch-audit_logs-solrconfig configuration section.
3. Locate the solrconfig template property and scroll to the area of the
   template where the <queryParser/> XML tags are referenced.
4. Scroll to the area of the template where the <queryParser/> XML tags are
   referenced.
5. Add the following line in an uncommented area of this template. An
   uncommented area is an area that is not surrounded by <!-- and --> tags:

   <queryParser name="xmlparser" class="solr.ExtendedDismaxQParserPlugin" />

6. Expand the Advanced logsearch-service_logs-solrconfig configuration section.
7. Locate the solrconfig template property and scroll to the area of the
   template where the <queryParser/> XML tags are referenced.
8. Scroll to the area of the template where the <queryParser/> XML tags are
   referenced.
9. Add the following line in an uncommented area of this template. An
   uncommented area is an area that is not surrounded by <!-- and --> tags:

   <queryParser name="xmlparser" class="solr.ExtendedDismaxQParserPlugin" />

10. Save this version of the configuration and restart the Log Search Server

Note: If using custom collections in HDP Search for your own use cases, please
ensure the same queryParser changes are made to each collection you've created.

References

Complete CVSS v3 Guide
On-line Calculator v3

Related information

IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

Change History

30 November 2017: Original Version Published

*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact of
this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response."
IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE
IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL
SECURITY VULNERABILITY.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is maintained
within your organisation, so if you do not wish to continue receiving these
bulletins you should contact your local IT manager. If you do not know who that
is, please send an email to auscert@auscert.org.au and we will forward your
request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures.

AusCERT takes no responsibility for consequences which may arise from following
or acting on information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not be
updated when updates to the original are made. If downloading at a later date,
it is recommended that the bulletin is retrieved directly from the author's
website to ensure that the information is still current.

Contact information for the authors of the original document is included in the
Security Bulletin above. If you have any questions or need further information,
please contact them directly.
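The two workarounds in the Workarounds and Mitigations section above are applied through Ambari templates, and the most common way for them to silently fail is a line pasted into a commented area. The following audit is an added example, not code from IBM or AusCERT: it reads the rendered solr.in.sh and a collection's solrconfig.xml, assumes solr.XmlQParserPlugin as the name of Solr's built-in xmlparser class, and works on constructed sample inputs.

```python
# Added example: audit the rendered solr.in.sh and a collection's solrconfig.xml
# for the two CVE-2017-12629 workarounds the bulletin describes.
import re
import xml.etree.ElementTree as ET

# Assumption: Solr's built-in class registered under the name "xmlparser";
# the workaround maps that name to another class (ExtendedDismax).
DEFAULT_XMLPARSER_CLASS = "solr.XmlQParserPlugin"
CONFIG_EDIT_FLAG = "-Ddisable.configEdit=true"
# SOLR_OPTS=<quoted or bare value>, optionally followed by a shell comment.
SOLR_OPTS_RE = re.compile(r'^\s*SOLR_OPTS=(["\']?)(.*?)\1\s*(?:#.*)?$')


def config_edit_disabled(solr_in_sh: str) -> bool:
    """True if an uncommented SOLR_OPTS assignment carries the flag."""
    for line in solr_in_sh.splitlines():
        # The templates ship commented SOLR_OPTS examples; a flag pasted
        # into one of those is inert, so comment lines are skipped.
        if line.lstrip().startswith("#"):
            continue
        m = SOLR_OPTS_RE.match(line)
        if m and CONFIG_EDIT_FLAG in m.group(2).split():
            return True
    return False


def xmlparser_remapped(solrconfig_xml: str) -> bool:
    """True if every active <queryParser name="xmlparser"> avoids the default."""
    # ElementTree drops XML comments, so an entry left inside <!-- --> counts
    # as absent; no active entry means the built-in registration still applies.
    root = ET.fromstring(solrconfig_xml)
    classes = [qp.get("class", "") for qp in root.iter("queryParser")
               if qp.get("name") == "xmlparser"]
    return bool(classes) and all(c != DEFAULT_XMLPARSER_CLASS for c in classes)


def audit(solr_in_sh: str, solrconfig_xml: str) -> dict:
    """A node is covered only when both checks are True."""
    return {"config_edit_disabled": config_edit_disabled(solr_in_sh),
            "xmlparser_remapped": xmlparser_remapped(solrconfig_xml)}


# Constructed sample inputs mirroring the templates the bulletin describes.
SAMPLE_SOLR_IN_SH = """\
# SOLR_OPTS="$SOLR_OPTS -Dsolr.autoSoftCommit.maxTime=3000"
SOLR_OPTS="$SOLR_OPTS -Ddisable.configEdit=true"
"""
SAMPLE_SOLRCONFIG = """\
<config>
  <!-- <queryParser name="xmlparser" class="solr.ExtendedDismaxQParserPlugin" /> -->
  <queryParser name="xmlparser" class="solr.ExtendedDismaxQParserPlugin" />
</config>
"""
```

Run `audit()` against the files rendered on each Solr host after the restart; a collection with no active xmlparser entry is reported as unmitigated because Solr's default registration still applies.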
Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================