PT-2017-17866 · Apache · Apache Solr

Published: 2017-07-07 · Updated: 2022-05-14 · CVE-2017-7660

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions
Apache Solr (affected versions not specified)

Description
The issue allows an attacker to create a specially crafted node name that tricks the nodes in the cluster into believing the malicious node is a member of the cluster. This can affect users who have enabled the BasicAuth authentication mechanism using the BasicAuthPlugin, or those who have implemented a custom Authentication plugin that does not implement either HttpClientInterceptorPlugin or HttpClientBuilderPlugin. Users who only use SSL without basic authentication, or those who use Kerberos, are not affected.

Recommendations
For users with the BasicAuth authentication mechanism enabled, consider disabling the BasicAuthPlugin until a secure alternative is implemented. For users with custom Authentication plugins, ensure the implementation includes either HttpClientInterceptorPlugin or HttpClientBuilderPlugin to mitigate the risk. As a temporary workaround, consider restricting access to the cluster to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Improper Authentication

Weakness Enumeration

Related Identifiers

CVE-2017-7660
GHSA-C82R-QG3W-Q5MV

Affected Products

Apache Solr