CVE-2017-7660
Description
Apache Solr uses a PKI-based mechanism to secure inter-node communication when security is enabled. It is possible to create a specially crafted node name that does not exist as part of the cluster and point it to a malicious node. This can trick the nodes in the cluster into believing that the malicious node is a member of the cluster. Solr deployments are therefore vulnerable to this attack if the BasicAuth authentication mechanism is enabled using the BasicAuthPlugin, or if a custom authentication plugin is in use that implements neither "HttpClientInterceptorPlugin" nor "HttpClientBuilderPlugin". Users who only use SSL without basic authentication, or who use Kerberos, are not affected.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.apache.solr:solr-core (Maven) | >= 5.3.0, < 5.5.5 | 5.5.5 |
| org.apache.solr:solr-core (Maven) | >= 6.0.0, < 6.6.0 | 6.6.0 |
Affected products
- cpe:2.3:a:apache:solr:5.3.0:*:*:*:*:*:*:*
- cpe:2.3:a:apache:solr:5.3.1:*:*:*:*:*:*:*
- cpe:2.3:a:apache:solr:5.3.2:*:*:*:*:*:*:*
- cpe:2.3:a:apache:solr:5.4.0:*:*:*:*:*:*:*
- cpe:2.3:a:apache:solr:5.4.1:*:*:*:*:*:*:*
- cpe:2.3:a:apache:solr:5.5.0:*:*:*:*:*:*:*
- cpe:2.3:a:apache:solr:5.5.1:*:*:*:*:*:*:*
- cpe:2.3:a:apache:solr:5.5.2:*:*:*:*:*:*:*
- cpe:2.3:a:apache:solr:5.5.3:*:*:*:*:*:*:*
- cpe:2.3:a:apache:solr:5.5.4:*:*:*:*:*:*:*
- cpe:2.3:a:apache:solr:6.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:apache:solr:6.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:apache:solr:6.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:apache:solr:6.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:apache:solr:6.2.1:*:*:*:*:*:*:*
- cpe:2.3:a:apache:solr:6.3.0:*:*:*:*:*:*:*
- cpe:2.3:a:apache:solr:6.4.0:*:*:*:*:*:*:*
- cpe:2.3:a:apache:solr:6.4.1:*:*:*:*:*:*:*
- cpe:2.3:a:apache:solr:6.4.2:*:*:*:*:*:*:*
- cpe:2.3:a:apache:solr:6.5.0:*:*:*:*:*:*:*
- cpe:2.3:a:apache:solr:6.5.1:*:*:*:*:*:*:*
References
- mail-archives.us.apache.org/mod_mbox/www-announce/201707.mbox/%3CCAOOKt53EgrybaD%2BiSn-nBbvFdse-szhg%3DhMoDZuvUvyMme-Z%3Dg%40mail.gmail.com%3E (nvd: Mailing List, Vendor Advisory)
- www.securityfocus.com/bid/99485 (nvd: Third Party Advisory, VDB Entry)
- github.com/advisories/GHSA-c82r-qg3w-q5mv (ghsa: ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2017-7660 (ghsa: ADVISORY)
- issues.apache.org/jira/browse/SOLR-10624 (ghsa: WEB)
- lists.apache.org/thread/o0g7vpz5sz4yy0pyf1z94vkpv40x6h44 (ghsa: WEB)
- security.netapp.com/advisory/ntap-20181127-0003 (ghsa: WEB)
- security.netapp.com/advisory/ntap-20181127-0003/ (nvd)