-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2020.2820
lucene-solr security update
17 August 2020
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: lucene-solr
Publisher: Debian
Operating System: Debian GNU/Linux 9
Impact/Access: Execute Arbitrary Code/Commands -- Existing Account
               Denial of Service               -- Existing Account
Resolution: Patch/Upgrade
CVE Names: CVE-2019-0193
Reference: ESB-2019.3803
Original Bulletin:
https://www.debian.org/lts/security/2020/dla-2327
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
- - -----------------------------------------------------------------------
Debian LTS Advisory DLA-2327-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Markus Koschany
August 15, 2020 https://wiki.debian.org/LTS
- - -------------------------------------------------------------------------
Package : lucene-solr
Version : 3.6.2+dfsg-10+deb9u3
CVE ID : CVE-2019-0193
A security vulnerability was discovered in lucene-solr, an enterprise
search server.
The DataImportHandler (DIH), an optional but widely used module that
pulls data into Solr from databases and other sources, accepts the
whole DIH configuration from the "dataConfig" parameter of a request.
The debug mode of the DIH admin screen relies on this for convenient
debugging and development of a DIH config. Because a DIH config can
contain scripts, a request that reaches the DIH endpoint can supply a
config whose scripts run on the Solr server; this is the code execution
impact listed above. With this update the request parameter is
disabled by default: it is only honoured when the Java system property
"enable.dih.dataConfigParam" is set to true. With solr-tomcat this can
be done by adding -Denable.dih.dataConfigParam=true to JAVA_OPTS in
/etc/default/tomcat8. Setting the property restores the previous
behaviour, so do so only where access to the DIH endpoint is restricted
to trusted users.
For Debian 9 stretch, this problem has been fixed in version
3.6.2+dfsg-10+deb9u3.
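The following audit script is an added example and is not part of the
Debian advisory, the Debian packaging or Solr itself. It checks the two
things an administrator of a stretch host wants to know after reading
the text above: whether the installed package is at or above the fixed
version, and whether /etc/default/tomcat8 hands
-Denable.dih.dataConfigParam=true to the JVM and so re-enables the
"dataConfig" request parameter. The function names, the defaults-file
contents it writes for the demonstration, and the use of dpkg for the
version comparison are all this example's own assumptions.

```sh
#!/bin/sh
# Added audit helper for DLA-2327-1 / CVE-2019-0193; not part of the Debian
# advisory, the Debian packaging, or Solr itself. It answers two questions
# for a stretch host running the Debian lucene-solr / solr-tomcat packages:
#   1. is the installed lucene-solr version at or above the fixed one?
#   2. does the tomcat8 defaults file hand -Denable.dih.dataConfigParam=true
#      to the JVM, i.e. re-enable the DIH "dataConfig" request parameter?
# The defaults-file contents written below are constructed for the demo.

FIXED_VERSION='3.6.2+dfsg-10+deb9u3'

# lucene_solr_fixed INSTALLED_VERSION
# Returns 0 if INSTALLED_VERSION >= FIXED_VERSION, 1 if it is older, and
# 2 when dpkg is unavailable, since only dpkg compares Debian versions
# correctly (epochs, "+dfsg", "~" ordering). On a real host obtain the
# installed version from the binary package, e.g.:
#   dpkg-query -W -f '${Version}\n' solr-tomcat
lucene_solr_fixed() {
    command -v dpkg >/dev/null 2>&1 || return 2
    dpkg --compare-versions "$1" ge "$FIXED_VERSION"
}

# dih_dataconfig_enabled DEFAULTS_FILE
# Returns 0 if an uncommented JAVA_OPTS assignment in DEFAULTS_FILE passes
# -Denable.dih.dataConfigParam=true, 1 otherwise. Assignment lines are
# matched rather than sourced, so auditing a file never executes it.
dih_dataconfig_enabled() {
    grep -E '^[[:space:]]*(export[[:space:]]+)?JAVA_OPTS=' "$1" 2>/dev/null \
        | grep -Eq -- '-Denable\.dih\.dataConfigParam=true'
}

# audit INSTALLED_VERSION DEFAULTS_FILE
# Prints one line per check; returns 0 when nothing needs attention.
audit() {
    rc=0
    lucene_solr_fixed "$1" && vstat=0 || vstat=$?
    case $vstat in
        0) echo "ok:   lucene-solr $1 contains the CVE-2019-0193 fix" ;;
        1) echo "FAIL: lucene-solr $1 is older than $FIXED_VERSION; upgrade"
           rc=1 ;;
        *) echo "skip: dpkg not found, cannot compare $1 with $FIXED_VERSION" ;;
    esac
    if dih_dataconfig_enabled "$2"; then
        echo "WARN: $2 sets enable.dih.dataConfigParam=true; the dataConfig" \
             "request parameter is live again, restrict access to the DIH endpoint"
        rc=1
    else
        echo "ok:   $2 does not re-enable the DIH dataConfig parameter"
    fi
    return $rc
}

# write_sample_defaults FILE true|false
# Writes a constructed /etc/default/tomcat8 lookalike. With "true" the live
# JAVA_OPTS line re-enables the parameter; otherwise it appears only in a
# commented-out line, which the check must ignore.
write_sample_defaults() {
    if [ "$2" = true ]; then
        live='-Denable.dih.dataConfigParam=true'
    else
        live=''
    fi
    cat >"$1" <<EOF
# constructed sample, not a real tomcat8 defaults file
#JAVA_OPTS="-Djava.awt.headless=true -Denable.dih.dataConfigParam=true"
JAVA_OPTS="-Djava.awt.headless=true -Xmx128m $live"
EOF
}

# Demo run against the constructed sample; on a real host replace the two
# arguments with the dpkg-query output and /etc/default/tomcat8.
SAMPLE=$(mktemp)
write_sample_defaults "$SAMPLE" true
if audit "$FIXED_VERSION" "$SAMPLE"; then
    echo "audit passed"
else
    echo "audit found issues"
fi
rm -f "$SAMPLE"
```

The version check is delegated to dpkg on purpose: Debian version strings
such as 3.6.2+dfsg-10+deb9u3 do not sort correctly as plain strings, and
a hand-rolled comparison is exactly the kind of thing that reports a
vulnerable host as patched. The JAVA_OPTS check only looks at uncommented
assignments, so a commented-out leftover from debugging does not count,
while a live line that sets the property is flagged even when the package
is up to date.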
We recommend that you upgrade your lucene-solr packages.
For the detailed security status of lucene-solr please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/lucene-solr
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
- -----BEGIN PGP SIGNATURE-----
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----