Bug 1147016 (CVE-2019-14511)

Summary: VUL-0: CVE-2019-14511: sphinx: Sphinx by default has no authentication and listens on 0.0.0.0 exposing it to the internet
Product: [openSUSE] openSUSE Distribution Reporter: Alexandros Toptsoglou <atoptsoglou>
Component: SecurityAssignee: Bruno Friedmann <bruno>
Status: RESOLVED UPSTREAM QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P5 - None CC: atoptsoglou
Version: Leap 15.1   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/240953/
Whiteboard:
Found By: Security Response Team Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description Alexandros Toptsoglou 2019-08-23 08:58:25 UTC 
CVE-2019-14511

Sphinx Technologies Sphinx 3.1.1 by default has no authentication and listens on
0.0.0.0, making it exposed to the internet (unless filtered by a firewall or
reconfigured to listen to 127.0.0.1 only).

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-14511
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14511
https://sphinxsearch.com/blog/
https://blog.wirhabenstil.de/2019/08/19/sphinxsearch-0-0-0-09306-cve-2019-14511/
http://sphinxsearch.com/docs/sphinx3.html#getting-started-on-linux-and-macos
Comment 1 Bruno Friedmann 2019-08-23 11:25:09 UTC 
Hi Alexandros, I don't understand your report.

In obs and in Leap 15.x we have version 2
2.2.11-lp151.2.1

Version 3x of sphinx is not free software.

Moreover if you check our package developed here
https://build.opensuse.org/package/view_file/server:search/sphinx/sphinx.spec?expand=1

You will see
Patch2:         sphinx-default_listen.patch

This patch remove the non localhost listen port
-       listen                  = 9312
+        listen                  = localhost:9312

If you test the package actually it listen on 127.0.0.1
The patch was made around version 2.0.3 at 2012-02-14 13:49:19

How do you want to proceed ? 
Make this bug as invalid (rude)
Rearrange patch to make sure we use localhost everywhere (one is 127.0.0.1 which is bogus for ipv6 only system) and name the patch to the referenced CVE ?
Comment 2 Alexandros Toptsoglou 2019-08-23 12:22:38 UTC 
(In reply to Bruno Friedmann from comment #1)

> How do you want to proceed ? 
> Make this bug as invalid (rude)
> Rearrange patch to make sure we use localhost everywhere (one is 127.0.0.1
> which is bogus for ipv6 only system) and name the patch to the referenced
> CVE ?

Hi Bruno, 

it seems that the patch that you mention already applies the suggested configuration. So if you do not have any doubts we could resolve this bug as upstream.