Apache Solr remains vulnerable to a zero day weeks after proof-of-concept code became public.
Background
On October 29, a proof of concept (PoC) for a remote code execution (RCE) vulnerability in Apache Solr, a popular open-source search platform built on Apache Lucene, was published as a GitHub Gist. At the time this blog was published, the vulnerability had no CVE identifier, and Apache had neither confirmed the issue nor indicated that a fix was available. Tenable Research has confirmed that Apache Solr versions 7.7.2 through 8.3 (the most current release) are vulnerable, and we suspect older versions that include the Config API are potentially vulnerable.
Analysis
According to the PoC, an attacker could target a vulnerable Apache Solr instance by first identifying a list of Solr core names. Once the core names have been identified, an attacker can send a specially crafted HTTP POST request to the Config API to toggle the params resource loader value for the Velocity Response Writer in the solrconfig.xml file to true.
Enabling this parameter would allow an attacker to use the velocity template parameter in a specially crafted Solr request, leading to RCE.
Despite the recent release of Apache Solr 8.3 that addresses a default configuration flaw that was reported back in July, it appears the Velocity template vulnerability still exists as a zero day.
Proof of concept
As mentioned previously, a PoC was published on October 29 as a GitHub Gist. Days later, an exploit script was published to a GitHub repository.
Solution
At the time this blog was published, no patch was available for this vulnerability. We will update this blog post once a patch is available. Until a patch is available, or if upgrading is not feasible, users can mitigate attacks leveraging this vulnerability by adding authentication to the Apache Solr instance. Also, review the VelocityResponseWriter class in the solrconfig.xml configuration file and ensure the params resource loader value is set to false.
Be advised that unless the Config API is locked down, an attacker could modify the solrconfig.xml file.
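The following audit script is an added example written for this post, not Tenable's or the Solr project's code. It parses a solrconfig.xml and reports whether each VelocityResponseWriter has the params resource loader enabled; it assumes the init parameter name params.resource.loader.enabled as documented by Solr, that a missing parameter means the loader is disabled (Solr's documented default), and uses a constructed sample config to show the three outcomes.

```python
import re
import xml.etree.ElementTree as ET

PARAMS_KEY = "params.resource.loader.enabled"  # init param name (assumed from Solr docs)
PROP_RE = re.compile(r"^\$\{([^:}]+)(?::([^}]*))?\}$")  # ${prop} or ${prop:default}


def resolve_value(raw):
    """Unwrap solrconfig property syntax. Returns the literal value, the
    property's default, or None when a property has no default (runtime-dependent)."""
    raw = (raw or "").strip()
    m = PROP_RE.match(raw)
    if not m:
        return raw
    return m.group(2).strip() if m.group(2) is not None else None


def audit_velocity_writers(xml_text):
    """Return {writer name: status} for every VelocityResponseWriter.
    status is 'vulnerable' (params loader on), 'safe', or 'unknown'."""
    results = {}
    for w in ET.fromstring(xml_text).iter("queryResponseWriter"):
        if not w.get("class", "").endswith("VelocityResponseWriter"):
            continue
        params = [c for c in w if c.get("name") == PARAMS_KEY]
        if not params:
            status = "safe"  # assumed: Solr's built-in default leaves the loader disabled
        else:
            value = resolve_value(params[-1].text)
            if value is None:
                status = "unknown"  # decided by a system property at start-up; check it
            else:
                status = "vulnerable" if value.lower() == "true" else "safe"
        results[w.get("name", "?")] = status
    return results


# Constructed sample config (not from a real deployment) covering all three outcomes.
SAMPLE_CONFIG = """<config>
  <queryResponseWriter name="velocity" class="solr.VelocityResponseWriter" startup="lazy">
    <str name="template.base.dir">${velocity.template.base.dir:}</str>
    <str name="params.resource.loader.enabled">${velocity.params.resource.loader.enabled:false}</str>
  </queryResponseWriter>
  <queryResponseWriter name="vtl_open" class="solr.VelocityResponseWriter">
    <str name="params.resource.loader.enabled">true</str>
  </queryResponseWriter>
  <queryResponseWriter name="vtl_prop" class="solr.VelocityResponseWriter">
    <str name="params.resource.loader.enabled">${some.prop}</str>
  </queryResponseWriter>
  <queryResponseWriter name="json" class="solr.JSONResponseWriter"/>
</config>"""

if __name__ == "__main__":
    for name, status in audit_velocity_writers(SAMPLE_CONFIG).items():
        print(f"{name}: {status}")
```

Because the Config API can change the effective setting at runtime, treat this as a check of the file on disk and confirm the live configuration of each core as well.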
Identifying affected systems
A list of Tenable plugins to identify this vulnerability will appear here as they’re released.
Get more information
- s00py’s GitHub Gist for Apache Solr RCE (Velocity Template)
- jas502n's Exploit Script for Apache Solr RCE (Velocity Template)
Join Tenable's Security Response Team on the Tenable Community.
Learn more about Tenable, the first Cyber Exposure platform for holistic management of your modern attack surface.
Get a free 60-day trial of Tenable.io Vulnerability Management.