CVE-2019-17558: Apache Solr Vulnerable to Remote Code Execution Zero-Day Vulnerability - Lumada Data Catalog Affected

Today's digital world requires constant vigilance. We wish to keep our valued Hitachi Vantara customers apprised of the very latest cybersecurity threats and vulnerabilities, and how they may affect your Hitachi products and solutions. When a new threat or vulnerability is identified, Hitachi Vantara immediately investigates its product lines to determine if any are affected.

CVSS Score: 7.5 High

Apache Solr 5.0.0 to Apache Solr 8.3.1 are vulnerable to a Remote Code Execution through the VelocityResponseWriter. A Velocity template can be provided through Velocity templates in a configset velocity/ directory or as a parameter. A user defined configset could contain renderable, potentially malicious, templates. Parameter provided templates are disabled by default, but can be enabled by setting params.resource.loader.enabled by defining a response writer with that setting set to true. Defining a response writer requires configuration API access. Solr 8.4 removed the params resource loader entirely, and only enables the configset-provided template rendering when the configset is trusted (has been uploaded by an authenticated user). Additional information can be found at Apache’s Issues site. The official CVE entry for this vulnerability can be found in the National Vulnerability Database.

Related CVE numbers fixed by the remediation steps are listed in the More Information column below: CVE-2019-17558

The information contained herein is for informational purposes only. It is not intended as a guaranty or warranty about Hitachi Vantara’s products, including any guaranty or warranty that any product cannot be exploited by third parties. All product warranties and obligations to a customer must be specified in a mutually acceptable and executed contract between the parties.

| Category        | Marketing Name      | Date Updated      | Vulnerable Yes/No | More information/Remediation                                  |
|-----------------|---------------------|-------------------|-------------------|---------------------------------------------------------------|
| System/Software | Lumada Data Catalog | September 2, 2020 | Yes               | Please refer to the Lumada Data Catalog Mitigations below. |

Lumada Data Catalog Mitigations

Summary: Upgrading Solr to version 8.3.2 or higher is required to resolve this vulnerability. However, Solr 8.3.2 or higher is not supported by Lumada Data Catalog. Please refer to the workaround below.

Immediate Remediations

  1. Ensure your network settings are configured so that only trusted traffic from the Lumada Data Catalog’s Application Server and Metadata Server can communicate with Solr, especially to the DIH request handler. This is a best practice for all Solr environments.
  2. Edit solrconfig.xml to configure all DataImportHandler usages with an invariants section to specify an empty string for the dataConfig parameter.
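The following audit script is an added example, not Hitachi Vantara or Apache code: it parses a solrconfig.xml and reports any VelocityResponseWriter definition with params.resource.loader.enabled set to true (the setting the CVE description names) and any DataImportHandler request handler that does not pin dataConfig to an empty string in an invariants section (step 2 above). The embedded solrconfig.xml is a constructed sample with one risky writer, one unmitigated handler and one mitigated handler.

```python
"""Audit a Solr solrconfig.xml for the settings discussed in this advisory.
Constructed example; not Hitachi Vantara or Apache code."""
import xml.etree.ElementTree as ET

# Constructed sample config (not from any real deployment).
SAMPLE_SOLRCONFIG = """<config>
  <queryResponseWriter name="velocity" class="solr.VelocityResponseWriter">
    <str name="params.resource.loader.enabled">true</str>
  </queryResponseWriter>
  <requestHandler name="/dataimport" class="org.apache.solr.handler.dataimport.DataImportHandler">
    <lst name="defaults"><str name="config">data-config.xml</str></lst>
  </requestHandler>
  <requestHandler name="/dataimport-safe" class="solr.DataImportHandler">
    <lst name="defaults"><str name="config">data-config.xml</str></lst>
    <lst name="invariants"><str name="dataConfig"></str></lst>
  </requestHandler>
</config>"""


def audit_solrconfig(xml_text: str) -> list[str]:
    """Return one finding per issue; an empty list means both checks pass."""
    root = ET.fromstring(xml_text)
    findings = []
    # Check 1: parameter-provided Velocity templates enabled on a response writer.
    for writer in root.iter("queryResponseWriter"):
        if "VelocityResponseWriter" not in writer.get("class", ""):
            continue
        flag = writer.find("./str[@name='params.resource.loader.enabled']")
        if flag is not None and (flag.text or "").strip().lower() == "true":
            findings.append(f"queryResponseWriter {writer.get('name')!r}: "
                            "params.resource.loader.enabled=true allows parameter-provided templates")
    # Check 2: every DataImportHandler must carry an invariants entry pinning dataConfig to "".
    for handler in root.iter("requestHandler"):
        if "DataImportHandler" not in handler.get("class", ""):
            continue
        inv = handler.find("./lst[@name='invariants']/str[@name='dataConfig']")
        if inv is None or (inv.text or "").strip() != "":
            findings.append(f"requestHandler {handler.get('name')!r}: "
                            "dataConfig is not pinned to an empty string in invariants")
    return findings


if __name__ == "__main__":
    for finding in audit_solrconfig(SAMPLE_SOLRCONFIG):
        print(finding)
```

Run it against each core's solrconfig.xml after applying step 2; the mitigated handler in the sample shows the expected invariants shape.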

Permanent Fix

Customers will need to deploy Laguna (Lumada Data Catalog version 6.0.0), which will support Solr 8.4. Laguna will be released in early November 2020. Please contact your customer support representative for more information.