====================================================================
CERT-Renater Information Note No. 2019/VULN114
_____________________________________________________________________

DATE                 : 25/04/2019
HARDWARE PLATFORM(S) : /
OPERATING SYSTEM(S)  : Systems running Apache Solr versions prior to 7.7.
=====================================================================

http://mail-archives.apache.org/mod_mbox/lucene-dev/201904.mbox/%3CCABVqxwCYodUFPHcR407OMiOSThCXyd3d+6xZz1ODGcyRTsznsQ@mail.gmail.com%3E
_____________________________________________________________________

CVE-2018-11802: Apache Solr authorization bug disclosure

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected: Apache Solr 7.6 or less

Description:

JIRA ticket: https://issues.apache.org/jira/browse/SOLR-12514

In Apache Solr the cluster can be partitioned into multiple collections, and only a subset of nodes actually hosts any given collection. However, if a node receives a request for a collection it does not host, it proxies the request to a relevant node and serves the request. Solr bypasses all authorization settings for such proxied requests. This affects all Solr versions that use the default authorization mechanism of Solr (RuleBasedAuthorizationPlugin).

Mitigation:

A fix is provided in Solr 7.7 and upwards. If you use Solr's authorization mechanism, please upgrade to a version newer than Solr 7.7.

Credit:

This issue was discovered by Mahesh Kumar Vasanthu Somashekar.

=========================================================
+ CERT-RENATER        | tel   : 01-53-94-20-44            +
+ 23/25 Rue Daviel    | fax   : 01-53-94-20-41            +
+ 75013 Paris         | email : cert@support.renater.fr   +
=========================================================
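The two conditions the note gives (a Solr release before 7.7 and RuleBasedAuthorizationPlugin in use) can be checked offline against a node's version string and its security.json. The following triage helper is an added example, not code from CERT-Renater or the Solr project; it assumes the version comes from the "solr-spec-version" field of /solr/admin/info/system and that the authorization class lives under the "authorization" key of security.json, and both sample inputs below are constructed.

```python
import json

# Constructed sample of a security.json (hypothetical contents) in which the
# default RuleBasedAuthorizationPlugin named in the advisory is enabled.
SAMPLE_SECURITY_JSON = json.dumps({
    "authentication": {"class": "solr.BasicAuthPlugin", "blockUnknown": True},
    "authorization": {
        "class": "solr.RuleBasedAuthorizationPlugin",
        "permissions": [{"name": "all", "role": "admin"}],
        "user-role": {"solr": "admin"},
    },
})

# Constructed sample of the "lucene" section returned by /solr/admin/info/system.
SAMPLE_SYSTEM_INFO = json.dumps({"lucene": {"solr-spec-version": "7.6.0"}})

FIXED_IN = (7, 7)  # the advisory states the fix ships in Solr 7.7 and upwards
RULE_BASED = "solr.RuleBasedAuthorizationPlugin"


def parse_solr_version(spec_version):
    """Turn '7.6.0' or '8.0.0-SNAPSHOT' into a (major, minor) tuple."""
    core = spec_version.split("-", 1)[0]  # drop any -SNAPSHOT style suffix
    parts = core.split(".")
    if len(parts) < 2 or not all(p.isdigit() for p in parts[:2]):
        raise ValueError("unrecognised solr-spec-version: %r" % spec_version)
    return int(parts[0]), int(parts[1])


def uses_rule_based_authz(security_json_text):
    """True when security.json enables RuleBasedAuthorizationPlugin."""
    cfg = json.loads(security_json_text) if security_json_text else {}
    authz = cfg.get("authorization") or {}
    return authz.get("class") == RULE_BASED


def assess(system_info_text, security_json_text):
    """Classify one node against CVE-2018-11802; returns (affected, reason)."""
    version = parse_solr_version(json.loads(system_info_text)["lucene"]["solr-spec-version"])
    if version >= FIXED_IN:
        return False, "Solr %d.%d already carries the fix" % version
    if not uses_rule_based_authz(security_json_text):
        return False, "RuleBasedAuthorizationPlugin not configured, so the bypass does not apply"
    return True, "Solr %d.%d with RuleBasedAuthorizationPlugin: upgrade to 7.7 or later" % version


if __name__ == "__main__":
    print(assess(SAMPLE_SYSTEM_INFO, SAMPLE_SECURITY_JSON))
```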