Skip to content

Commit 7074b27

Browse files
Merge pull request #607 from doyensec:cve-2019-0192
PiperOrigin-RevId: 807294734 Change-Id: I7241610bb22220ad6e6b41fecb21c0490f60d6f2
2 parents 54dbf23 + 2644ebe commit 7074b27

6 files changed

Lines changed: 678 additions & 0 deletions

File tree

Lines changed: 28 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,28 @@
1+
# Apache Solr Unsafe Deserialization (CVE-2019-0192)
2+
3+
## Description
4+
5+
In Apache Solr versions 5.0.0 to 5.5.5 and 6.0.0 to 6.6.5, the Config API allows
6+
attackers to configure the JMX server via an HTTP POST request. By directing it
7+
to a malicious RMI server, this vulnerability can be exploited to trigger unsafe
8+
deserialization, leading to remote code execution on the Solr server.
9+
10+
## Affected Versions
11+
12+
- 5.0.0 to 5.5.5
13+
- 6.0.0 to 6.6.5
14+
15+
## References
16+
17+
- [Redhat Advisory](https://access.redhat.com/security/cve/CVE-2019-0192)
18+
- [Bug Tracker](https://bugzilla.redhat.com/show_bug.cgi?id=1692345)
19+
20+
## Build jar file for this plugin
21+
22+
Using `gradlew`:
23+
24+
```shell
25+
./gradlew jar
26+
```
27+
28+
The Tsunami identifiable jar file is located at `build/libs` directory.
Lines changed: 41 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,41 @@
1+
plugins {
2+
id 'java-library'
3+
}
4+
5+
description = 'Apache Solr Unsafe Deserialization (CVE-2019-0192)'
6+
group = 'com.google.tsunami'
7+
version = '0.0.1-SNAPSHOT'
8+
9+
repositories {
10+
maven { // The google mirror is less flaky than mavenCentral()
11+
url 'https://maven-central.storage-download.googleapis.com/repos/central/data/'
12+
}
13+
mavenCentral()
14+
mavenLocal()
15+
}
16+
17+
def coreRepoBranch = System.getenv("GITBRANCH_TSUNAMI_CORE") ?: "stable"
18+
def tcsRepoBranch = System.getenv("GITBRANCH_TSUNAMI_TCS") ?: "stable"
19+
20+
dependencies {
21+
implementation("com.google.tsunami:tsunami-common") {
22+
version { branch = "${coreRepoBranch}" }
23+
}
24+
implementation("com.google.tsunami:tsunami-plugin") {
25+
version { branch = "${coreRepoBranch}" }
26+
}
27+
implementation("com.google.tsunami:tsunami-proto") {
28+
version { branch = "${coreRepoBranch}" }
29+
}
30+
31+
implementation 'org.jsoup:jsoup:1.9.2'
32+
33+
testImplementation "com.google.inject:guice:6.0.0"
34+
testImplementation "com.google.inject.extensions:guice-testlib:6.0.0"
35+
testImplementation "com.google.truth:truth:1.4.4"
36+
testImplementation "com.google.truth.extensions:truth-java8-extension:1.4.4"
37+
testImplementation "com.google.truth.extensions:truth-proto-extension:1.4.4"
38+
testImplementation "com.squareup.okhttp3:mockwebserver:3.12.0"
39+
testImplementation "junit:junit:4.13.2"
40+
testImplementation "org.mockito:mockito-core:5.18.0"
41+
}
Lines changed: 12 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,12 @@
1+
rootProject.name = 'cve-2019-0192-apache-solr-unsafe-deserialization'
2+
3+
def coreRepository = System.getenv("GITREPO_TSUNAMI_CORE") ?: "https://github.com/google/tsunami-security-scanner.git"
4+
def tcsRepository = System.getenv("GITREPO_TSUNAMI_TCS") ?: "https://github.com/google/tsunami-security-scanner-callback-server.git"
5+
6+
sourceControl {
7+
gitRepository("${coreRepository}") {
8+
producesModule("com.google.tsunami:tsunami-common")
9+
producesModule("com.google.tsunami:tsunami-plugin")
10+
producesModule("com.google.tsunami:tsunami-proto")
11+
}
12+
}

0 commit comments

Comments
 (0)