
I am planning to evaluate and install some publicly available software.

https://github.com/opensemanticsearch/open-semantic-search

While reviewing the issues on GitHub, I found an open issue which indicates possible remote code execution for Solr, with screenshots.

https://github.com/opensemanticsearch/open-semantic-search/issues/285

I have no idea about security vulnerabilities and am hoping this is the correct forum to ask experts. Do you think this is a security vulnerability, and should one avoid using the software until it is fixed?

Stacky

1 Answer


Yes, I think it is vulnerable, or there's something wrong anyway. Here's why.

That guy (or girl) is suggesting that his machine has been compromised because of some RCE. We don't know if that's true, or why he's suggesting this. However he says his current Solr version is 7.7.2. That's not the latest version, according to the news on the official website, and several sources report that 7.7.2 is vulnerable to RCE: see cvedetails.com and Reported attack to install miners, for example. It might also be vulnerable to CVE-2019-17558 (another RCE), but that's not clear to me, among other things that are also not clear (for example why the hell the 7.7.x branch was fixed so late, with version 7.7.3 released on April 28th 2020, while the vulnerability was reported in the summer of 2019).

Anyway, why is that guy running an outdated Solr version? He also said that "his current build-deb was taken from the master". So I took a look at the code, and there's a bash script named build-deb. Here's an interesting piece of that script:

# if not yet there, download Solr binary release
if [ ! -f "src/solr.deb/usr/src/solr-7.7.2.tgz" ]; then
    mkdir src/solr.deb/usr
    mkdir src/solr.deb/usr/src
    echo "Downloading Solr"
    wget -P src/solr.deb/usr/src/ https://www-eu.apache.org/dist/lucene/solr/7.7.2/solr-7.7.2.tgz
fi

Basically, the current master branch has a script that is used to build a deb file for installation, but some dependencies are actually embedded in the deb file (instead of letting the system take care of them and using the latest releases from the OS repositories). Note that they are explicitly including Solr 7.7.2 in the installation, which appears to be outdated and vulnerable.

In general, should you use software you find on GitHub? Well, maybe. There's a saying that goes "Given enough eyeballs, all bugs are shallow (hopefully)". But small projects might not attract enough developers to be able to provide enough quality, maintenance, and security. There's no way to know if a small project is secure, unless you take some time to read the code. For bigger projects, on the other hand, while they are not guaranteed to be secure at all, at least it might be easier to find more information, opinions, reviews, or support.

reed
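The answer's key observation is that a build script silently pins a specific upstream release, so the installed Solr can be outdated no matter how current the OS packages are. The following is an added example (not code from the question, the answer, or the Open Semantic Search project) of the kind of check a reviewer can run over a build script before installing: it extracts every Solr tarball version hard-coded in the script and flags any release below a minimum patched version. It assumes, as the answer states, that 7.7.3 is the first fixed release of the 7.7.x branch; the sample script text is constructed from the fragment quoted above, and the function names (`pinned_solr_versions`, `outdated_pins`, `audit_report`) are this example's own.

```python
import re
from typing import List, Tuple

Version = Tuple[int, int, int]

# Minimum Solr release treated as patched. 7.7.3 is the version the answer
# above cites as the fix for the 7.7.x branch (assumption taken from the answer).
MIN_SAFE_SOLR: Version = (7, 7, 3)

# Matches Solr tarball names as they appear in download URLs and paths,
# e.g. "solr-7.7.2.tgz". Only hard-coded tarball names are detected; a
# version read from a variable or config file would not be seen.
SOLR_TGZ_RE = re.compile(r"solr-(\d+)\.(\d+)\.(\d+)\.tgz")


def pinned_solr_versions(script_text: str) -> List[Version]:
    """Return each distinct Solr version hard-coded as a tarball name, in order of appearance."""
    seen: List[Version] = []
    for match in SOLR_TGZ_RE.finditer(script_text):
        version = tuple(int(part) for part in match.groups())
        if version not in seen:
            seen.append(version)  # type: ignore[arg-type]
    return seen


def outdated_pins(script_text: str, min_safe: Version = MIN_SAFE_SOLR) -> List[Version]:
    """Return the pinned versions that are older than the minimum patched release."""
    # Tuple comparison gives correct numeric ordering (7.7.2 < 7.7.3 < 7.10.0),
    # which a plain string comparison would get wrong.
    return [v for v in pinned_solr_versions(script_text) if v < min_safe]


def audit_report(script_text: str, min_safe: Version = MIN_SAFE_SOLR) -> str:
    """Produce a one-line verdict suitable for a pre-install review checklist."""
    pinned = pinned_solr_versions(script_text)
    if not pinned:
        return "no hard-coded Solr tarball found (check variables and config files manually)"
    stale = outdated_pins(script_text, min_safe)
    fmt = lambda v: ".".join(str(x) for x in v)
    if stale:
        return "OUTDATED: pins Solr %s (minimum patched release is %s)" % (
            ", ".join(fmt(v) for v in stale), fmt(min_safe))
    return "ok: pins Solr %s" % ", ".join(fmt(v) for v in pinned)


# Constructed sample: the build-deb fragment quoted in the answer above.
SAMPLE_BUILD_DEB = """\
# if not yet there, download Solr binary release
if [ ! -f "src/solr.deb/usr/src/solr-7.7.2.tgz" ]; then
    mkdir src/solr.deb/usr
    mkdir src/solr.deb/usr/src
    echo "Downloading Solr"
    wget -P src/solr.deb/usr/src/ https://www-eu.apache.org/dist/lucene/solr/7.7.2/solr-7.7.2.tgz
fi
"""

if __name__ == "__main__":
    # Usage: python audit_build_script.py path/to/build-deb   (file name is hypothetical)
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_BUILD_DEB
    print(audit_report(text))
```

Run against the quoted fragment the report reads `OUTDATED: pins Solr 7.7.2 (minimum patched release is 7.7.3)`. The check is deliberately narrow: it answers the single question the answer raises (does the build embed an old Solr?) and says so explicitly when it finds no tarball at all, so that a script which fetches the version indirectly is not mistaken for a clean one.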