IBM2E5ED8EE9FFE02307D1FDB3E8091F62E0BA23BC3B364FF0B358D04DE31A29D6ASecurity Bulletin: Potential vulnerability (SSRF) in Apache Solr affect IBM Operations Analytics - Log Analysis (CVE-2017-3164)
EPSS
Percentile
95.5%
Summary
Server Side Request Forgery vulnerability in Apache Solr could allow attacker with access to make Solr perform a HTTP to any reachable URL.
Vulnerability Details
CVEID: CVE-2017-3164
DESCRIPTION: Apache Solr is vulnerable to server-side request forgery, caused by not having corresponding allowlist mechanism in the shards parameter. By using a specially-crafted argument, an attacker could exploit this vulnerability to conduct SSRF attack.
CVSS Base Score: 5.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/156956> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)
Affected Products and Versions
| Affected Product(s) | Version(s) |
|---|---|
| Log Analysis | 1.3.1 |
| Log Analysis | 1.3.2 |
| Log Analysis | 1.3.3 |
| Log Analysis | 1.3.3.1 |
| Log Analysis | 1.3.4 |
| Log Analysis | 1.3.5 |
| Log Analysis | 1.3.6 |
Remediation/Fixes
| Principal Product and Version(s) | Fix details |
|---|---|
| IBM Operations Analytics - Log Analysis version 1.3.1, 1.3.2, 1.3.3, 1.3.3.1, 1.3.4, 1.3.5 and 1.3.6 | Upgrade existing version to Log Analysis 1.3.6 Fix Pack 1 |
Workarounds and Mitigations
Ensure your network settings are configured so that only trusted traffic is allowed to ingress/egress your hosts running Solr.
Related
EPSS
Percentile
95.5%