SA-5

Document created by resplin (Employee) on Mar 13, 2015. Last modified by resplin (Employee) on Oct 6, 2016.

Security Advisory 5


Date: 2012-04-26

Summary: SOLR REST API allows unauthenticated access to repository contents

Related Issues: ALF-13721

Affects: 4.0

Fixed in: 4.0.1, with a hotfix available for 4.0.

An omission has been found in the web.xml shipped with 4.0. The repository's SOLR APIs are reachable not only under /alfresco/service/api/solr, which is covered by a security constraint, but also under /alfresco/s/api/solr, /alfresco/wcservice/api/solr and /alfresco/wcs/api/solr, which were not. Requests to those three paths were neither forced onto the SSL connector nor required to present SOLR's client certificate (the repoclient role), so an unauthenticated user could potentially use them to retrieve information from the repository. This issue affects you whether or not you have configured and installed SOLR for search: the endpoints are served by the repository web application, not by SOLR.

The issue is easily addressed by adding some XML to your web.xml (WEB-INF/web.xml of the alfresco web application). If you look at that file, you will see a security-constraint element that matches the '/service/api/solr/*' pattern and requires both the repoclient role and a CONFIDENTIAL (SSL) connection. The problem is that the same web scripts are also reachable through the other servlet mappings of the web script runtime (/s, /wcservice and /wcs), and none of those url-patterns is covered by an existing security constraint.


  <security-constraint>
     <web-resource-collection>
        <web-resource-name>SOLR</web-resource-name>
        <url-pattern>/service/api/solr/*</url-pattern>
     </web-resource-collection>
     <auth-constraint>
        <role-name>repoclient</role-name>
     </auth-constraint>
     <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
     </user-data-constraint>
  </security-constraint>


You can plug the hole yourself by adding the following additional security constraints next to the existing one, then restarting the web application so the new web.xml is loaded:


  <security-constraint>
     <web-resource-collection>
        <web-resource-name>SOLR</web-resource-name>
        <url-pattern>/s/api/solr/*</url-pattern>
     </web-resource-collection>
     <auth-constraint>
        <role-name>repoclient</role-name>
     </auth-constraint>
     <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
     </user-data-constraint>
  </security-constraint>
  <security-constraint>
     <web-resource-collection>
        <web-resource-name>SOLR</web-resource-name>
        <url-pattern>/wcservice/api/solr/*</url-pattern>
     </web-resource-collection>
     <auth-constraint>
        <role-name>repoclient</role-name>
     </auth-constraint>
     <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
     </user-data-constraint>
  </security-constraint>
  <security-constraint>
     <web-resource-collection>
        <web-resource-name>SOLR</web-resource-name>
        <url-pattern>/wcs/api/solr/*</url-pattern>
     </web-resource-collection>
     <auth-constraint>
        <role-name>repoclient</role-name>
     </auth-constraint>
     <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
     </user-data-constraint>
  </security-constraint>
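A simple way to confirm that the fix has actually been applied, and that nobody later reintroduced the gap, is to check web.xml itself rather than trust that the edit was made. The following Python script is an added example written for this page; it is not Alfresco's code. It parses a web.xml, collects every url-pattern that sits under a security-constraint requiring both the repoclient role and CONFIDENTIAL transport, and reports which of the four SOLR patterns from this advisory are left uncovered. The sample web.xml documents inside it are constructed for the example (a minimal j2ee-namespace skeleton, not a real Alfresco file); the helper names are my own.

```python
"""Static check for SA-5: does web.xml constrain every SOLR web script mapping?

Added example for this advisory, not Alfresco project code.
"""
import xml.etree.ElementTree as ET

# The four mappings named in the advisory. /service/ was already covered in
# 4.0; the other three reach the same web scripts and were not.
SOLR_PATTERNS = (
    "/service/api/solr/*",
    "/s/api/solr/*",
    "/wcservice/api/solr/*",
    "/wcs/api/solr/*",
)
REQUIRED_ROLE = "repoclient"
REQUIRED_TRANSPORT = "CONFIDENTIAL"


def _local(tag):
    """Strip the XML namespace so j2ee and javaee web.xml files both parse."""
    return tag.rsplit("}", 1)[-1]


def _children(elem, name):
    return [c for c in elem if _local(c.tag) == name]


def _texts(elem, name):
    """All non-empty text values of descendants named `name`."""
    return {c.text.strip() for c in elem.iter() if _local(c.tag) == name and c.text}


def protected_patterns(web_xml):
    """Return the url-patterns that some security-constraint both restricts to
    REQUIRED_ROLE and forces onto REQUIRED_TRANSPORT. A constraint missing
    either half does not count: the role comes from the client certificate,
    and CONFIDENTIAL is what pushes the request onto the SSL connector."""
    root = ET.fromstring(web_xml)
    covered = set()
    for sc in _children(root, "security-constraint"):
        roles = set()
        for ac in _children(sc, "auth-constraint"):
            roles |= _texts(ac, "role-name")
        transports = set()
        for udc in _children(sc, "user-data-constraint"):
            transports |= _texts(udc, "transport-guarantee")
        if REQUIRED_ROLE not in roles or REQUIRED_TRANSPORT not in transports:
            continue
        for wrc in _children(sc, "web-resource-collection"):
            covered |= _texts(wrc, "url-pattern")
    return covered


def unprotected_solr_patterns(web_xml):
    """List the SOLR patterns from the advisory that this web.xml leaves open."""
    covered = protected_patterns(web_xml)
    return [p for p in SOLR_PATTERNS if p not in covered]


# --- constructed samples (not real Alfresco web.xml files) -------------------

def _constraint(pattern, role=REQUIRED_ROLE, transport=REQUIRED_TRANSPORT):
    return (
        "<security-constraint><web-resource-collection>"
        "<web-resource-name>SOLR</web-resource-name>"
        f"<url-pattern>{pattern}</url-pattern></web-resource-collection>"
        f"<auth-constraint><role-name>{role}</role-name></auth-constraint>"
        "<user-data-constraint>"
        f"<transport-guarantee>{transport}</transport-guarantee>"
        "</user-data-constraint></security-constraint>"
    )


def _web_xml(constraints):
    return (
        '<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">'
        + "".join(constraints) + "</web-app>"
    )


# Unpatched 4.0 shape: only the /service/ prefix is constrained.
VULNERABLE_WEB_XML = _web_xml([_constraint("/service/api/solr/*")])
# After applying the advisory: all four prefixes constrained.
PATCHED_WEB_XML = _web_xml([_constraint(p) for p in SOLR_PATTERNS])
# Looks patched but is not: the role is required, yet transport is NONE.
WEAK_TRANSPORT_WEB_XML = _web_xml(
    [_constraint(p, transport="NONE") for p in SOLR_PATTERNS]
)

if __name__ == "__main__":
    for label, doc in (("vulnerable", VULNERABLE_WEB_XML),
                       ("patched", PATCHED_WEB_XML),
                       ("weak transport", WEAK_TRANSPORT_WEB_XML)):
        print(f"{label}: still open -> {unprotected_solr_patterns(doc)}")
```

To run it against a real deployment, read the contents of the alfresco web application's WEB-INF/web.xml and pass the string to unprotected_solr_patterns; an empty list means all four mappings are constrained as the advisory requires. The transport check is deliberate: a constraint that names repoclient but sets the transport guarantee to NONE would still leave the path reachable over plain HTTP.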
