CVE-2021-29943.md
2.34 KB / 2021-07-04 19:32:24
## CVE-2021-29943: Unauthorized collection (dataset) read/write
When a Hadoop cluster authenticates with ConfigurableInternodeAuthHadoopPlugin, Apache Solr versions before 8.8.2 forward/proxy distributed requests using the server's own credentials instead of the original client's credentials.
As a result, authorization is resolved incorrectly on the receiving host, and an unauthenticated attacker can exploit that incorrect server-side resolution to read and write collections.
### Severity: High
### Affected versions: 7.0.0 to 7.7.3, 8.0.0 to 8.8.1
### POC
Analysing the patch, the POC can be taken from its test case: in effect, an ordinary request to the /admin/authorization endpoint allows unauthorized collection reads and writes.
```java
// Excerpt of the negative test added by the SOLR-15233 patch. Imports and comments
// were added to this excerpt; shouldRestorePerms, cluster and collectionName are
// fields of the enclosing SolrCloud test class, and assertThrows/assertEquals are
// inherited from its Lucene/Solr test base class.
import java.io.IOException;

import org.apache.solr.client.solrj.SolrClient;
import org.apache.solr.client.solrj.SolrQuery;
import org.apache.solr.client.solrj.SolrRequest;
import org.apache.solr.client.solrj.SolrServerException;
import org.apache.solr.client.solrj.embedded.JettySolrRunner;
import org.apache.solr.client.solrj.impl.BaseHttpSolrClient;
import org.apache.solr.client.solrj.impl.HttpSolrClient;
import org.apache.solr.client.solrj.request.GenericSolrRequest;
import org.apache.solr.client.solrj.request.RequestWriter;
import org.apache.solr.common.params.ModifiableSolrParams;
import org.junit.After;
import org.junit.Test;

@After
@Override
public void tearDown() throws Exception {
  // Put back the admin:read permission that testUnauthorized() removed,
  // so later tests start from the original authorization config.
  if (shouldRestorePerms) {
    String command = "{ set-permission: { name: read, role: admin, before: 2 } }";
    GenericSolrRequest req = new GenericSolrRequest(SolrRequest.METHOD.POST, "/admin/authorization", new ModifiableSolrParams());
    req.setContentWriter(new RequestWriter.StringPayloadContentWriter(command, "application/json"));
    req.process(cluster.getSolrClient());
  }
  super.tearDown();
}

@Test
public void testUnauthorized() throws IOException, SolrServerException {
  // Update the permissions to remove admin:read authz
  String command = "{ delete-permission: 1 }";
  GenericSolrRequest req = new GenericSolrRequest(SolrRequest.METHOD.POST, "/admin/authorization", new ModifiableSolrParams());
  req.setContentWriter(new RequestWriter.StringPayloadContentWriter(command, "application/json"));
  req.process(cluster.getSolrClient());
  shouldRestorePerms = true;

  // Try against each node: authorization is resolved on the receiving node,
  // so every node must reject the read with 403, not only the one first contacted.
  for (JettySolrRunner jsr : cluster.getJettySolrRunners()) {
    try (SolrClient client = new HttpSolrClient.Builder().withBaseSolrUrl(jsr.getBaseUrl().toString()).build()) {
      BaseHttpSolrClient.RemoteSolrException e = assertThrows(BaseHttpSolrClient.RemoteSolrException.class,
          () -> client.query(collectionName, new SolrQuery("*:*")));
      assertEquals(403, e.code());
    }
  }
}
```
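The following is an added defender-side check, not code from the advisory or from the Solr project. It covers the two things the description and the test case above imply: whether a node's reported version falls inside the affected ranges (7.0.0 to 7.7.3, 8.0.0 to 8.8.1), and whether every node, queried directly as the patch's test does, still answers a read from a client that should be denied with 403. The node URLs, collection name and status values are constructed; the `/admin/info/system` JSON layout (`lucene.solr-spec-version`) is an assumption about the endpoint's output.

```python
"""Post-patch verification for CVE-2021-29943 (added example, not from the advisory)."""
import json
import urllib.error
import urllib.request

# Affected ranges from the advisory, inclusive at both ends.
AFFECTED_RANGES = [((7, 0, 0), (7, 7, 3)), ((8, 0, 0), (8, 8, 1))]


def parse_version(text):
    """'8.8.1' -> (8, 8, 1); a '-SNAPSHOT'-style suffix is ignored."""
    core = text.strip().split("-")[0]
    parts = [int(p) for p in core.split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def is_affected(version_text):
    """True if the version lies inside one of the advisory's affected ranges."""
    v = parse_version(version_text)
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


def version_from_system_info(payload):
    """Pull the spec version out of /admin/info/system JSON (assumed layout)."""
    return json.loads(payload)["lucene"]["solr-spec-version"]


def http_status(url, auth_header=None):
    """Real network path: HTTP status of a GET, with 4xx/5xx returned, not raised."""
    req = urllib.request.Request(url)
    if auth_header:
        req.add_header("Authorization", auth_header)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as e:
        return e.code


def find_nodes_leaking_reads(node_urls, collection, status_fn=http_status):
    """Query each node directly with a client that should be denied and return the
    nodes that answer with anything other than 403. Authorization is resolved on
    the receiving node, so a single request through one node is not enough.
    status_fn is injectable so the logic can be exercised offline."""
    leaking = []
    for base in node_urls:
        url = f"{base.rstrip('/')}/{collection}/select?q=*:*"
        if status_fn(url) != 403:
            leaking.append(base)
    return leaking


# Constructed sample responses: node2 enforces the denial, node1 does not.
SAMPLE_STATUS = {
    "http://node1:8983/solr/test/select?q=*:*": 200,
    "http://node2:8983/solr/test/select?q=*:*": 403,
}


def fake_status(url, auth_header=None):
    return SAMPLE_STATUS[url]


if __name__ == "__main__":
    nodes = ["http://node1:8983/solr", "http://node2:8983/solr"]
    print("8.8.1 affected:", is_affected("8.8.1"), "| 8.8.2 affected:", is_affected("8.8.2"))
    print("nodes answering an unauthorized read:", find_nodes_leaking_reads(nodes, "test", fake_status))
```

Run it with the real `http_status` against a cluster whose admin:read permission has been removed for the test principal, as in the patch's test, and expect an empty list; any node listed is one that still authorizes the wrong principal on forwarded requests.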
### Remediation
Upgrade to version 8.8.2, or apply the patch: https://issues.apache.org/jira/secure/attachment/13023260/0001-SOLR-15233-Add-negative-test-case-for-KRB-Authz.patch
### References
- https://github.com/apache/solr-site/blob/a8632c75e40af6694a7ed29996c90b6b7fcf01bf/content/solr/security/2021-04-12-cve-2021-29943.md