From: Jason Gerlowski
To: oss-security@lists.openwall.com
Date: Fri, 12 Apr 2024 14:32:28 +0000
Subject: [oss-security] CVE-2024-31391: Apache Solr Operator: Solr-Operator liveness and readiness probes may leak basic auth credentials

Severity: moderate

Affected versions:
- Apache Solr Operator 0.3.0 through 0.8.0

Description:
Insertion of Sensitive Information into Log File vulnerability in the Apache Solr Operator. This issue affects all versions of the Apache Solr Operator from 0.3.0 through 0.8.0.
When asked to bootstrap Solr security, the operator will enable basic authentication and create several accounts for accessing Solr, including the "solr" and "admin" accounts for use by end-users, and a "k8s-oper" account which the operator uses for its own requests to Solr.

One common source of these operator requests is healthchecks: liveness, readiness, and startup probes are all used to determine Solr's health and ability to receive traffic. By default, the operator configures the Solr APIs used for these probes to be exempt from authentication, but users may specifically request that authentication be required on probe endpoints as well.

Whenever one of these probes would fail, if authentication was in use, the Solr Operator would create a Kubernetes "event" containing the username and password of the "k8s-oper" account.

Within the affected version range, this vulnerability affects any solrcloud resource which (1) bootstrapped security through use of the `.solrOptions.security.authenticationType=basic` option, and (2) required that authentication be used on probes by setting `.solrOptions.security.probesRequireAuth=true`.

Users are recommended to upgrade to Solr Operator version 0.8.1, which fixes this issue by ensuring that probes no longer print the credentials used for Solr requests. Users may also mitigate the vulnerability by disabling authentication on their healthcheck probes using the setting `.solrOptions.security.probesRequireAuth=false`.

This issue is being tracked as SOLR-17216

Credit:
Flip Hess (finder)

References:
https://solr.apache.org
https://www.cve.org/CVERecord?id=CVE-2024-31391
https://issues.apache.org/jira/browse/SOLR-17216
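The two conditions above, combined with the affected version range, can be checked mechanically across a cluster. The following audit script is an added example and is not part of the advisory or the Solr Operator project; it assumes the SolrCloud security options live under `spec.solrOptions.security` (as the advisory's dotted paths suggest), that the input is the constructed JSON `items` list in the shape `kubectl get solrclouds -A -o json` would return, and that the caller supplies the running operator version (for example from the operator's image tag).

```python
"""Audit SolrCloud resources for exposure to CVE-2024-31391 (added example)."""

# Affected range and fixed release as stated in the advisory.
AFFECTED_MIN, AFFECTED_MAX, FIXED = (0, 3, 0), (0, 8, 0), (0, 8, 1)


def parse_version(v: str) -> tuple:
    """Turn 'v0.8.0' or '0.8.0' into a comparable tuple of ints."""
    return tuple(int(p) for p in v.strip().lstrip("v").split("."))


def operator_affected(version: str) -> bool:
    """True for Solr Operator 0.3.0 through 0.8.0 inclusive."""
    return AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX


def probes_leak_credentials(solrcloud: dict) -> bool:
    """Both advisory conditions on one SolrCloud spec must hold:
    (1) security bootstrapped with authenticationType=basic, and
    (2) probesRequireAuth=true (the default is exempt, i.e. false)."""
    # Assumed field layout: spec.solrOptions.security.{authenticationType,probesRequireAuth}
    sec = solrcloud.get("spec", {}).get("solrOptions", {}).get("security") or {}
    basic = str(sec.get("authenticationType", "")).lower() == "basic"
    return basic and bool(sec.get("probesRequireAuth", False))


def audit(operator_version: str, solrclouds: list) -> list:
    """Return 'namespace/name' of every SolrCloud whose probe failures would
    have written the k8s-oper credentials into Kubernetes events."""
    if not operator_affected(operator_version):
        return []  # 0.8.1+ (or pre-0.3.0) does not print the credentials
    return [f"{sc['metadata']['namespace']}/{sc['metadata']['name']}"
            for sc in solrclouds if probes_leak_credentials(sc)]


# Constructed sample input mirroring `kubectl get solrclouds -A -o json` items.
SAMPLE_SOLRCLOUDS = [
    {"metadata": {"namespace": "search", "name": "prod"},
     "spec": {"solrOptions": {"security": {"authenticationType": "Basic",
                                          "probesRequireAuth": True}}}},
    {"metadata": {"namespace": "search", "name": "staging"},
     "spec": {"solrOptions": {"security": {"authenticationType": "Basic",
                                          "probesRequireAuth": False}}}},  # mitigated
    {"metadata": {"namespace": "dev", "name": "sandbox"},
     "spec": {"solrOptions": {}}},  # security never bootstrapped
]

if __name__ == "__main__":
    for name in audit("v0.8.0", SAMPLE_SOLRCLOUDS):
        print(f"exposed: {name} (upgrade to 0.8.1 or set probesRequireAuth=false)")
```

Any resource the audit flags should also have its k8s-oper credentials rotated, since past probe failures may already have copied them into event objects.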