Critical vulnerability in Apache Solr; update patches already available

According to penetration testing specialists, the discovery of a zero-day vulnerability in Apache Solr was reported a few weeks ago. Solr is an open source enterprise search platform used by major companies such as Adobe, Bloomberg, eBay, Instagram and Netflix. A proof of concept has even been published, and the risk of exploitation is still present.

In addition to this report, two new remote code execution vulnerabilities have emerged. The first of these flaws, tracked as CVE-2019-12409, has been fixed by the Apache Solr team. The second vulnerability, which does not yet have an identifier, remains unpatched.

The first vulnerability, reported by penetration testing expert John Ryan last July, was initially considered medium severity. However, researcher Matei Badanoiu recently demonstrated that it could be exploited to carry out a remote code execution attack, so it was reclassified as a highly serious vulnerability.

Criticism from the cybersecurity community was to be expected, as many believe that the initial diagnosis put dozens or even hundreds of companies at risk. Because proof-of-concept code was published on GitHub, within anyone's reach, it was highly likely that attacks in the wild would begin to be reported.

In this regard, Apache Solr issued a statement
mentioning: “Solr versions 8.1.1 and 8.2.0 are affected by an unsafe
configuration for the configuration option ENABLE_REMOTE_JMX_OPTS in the
default configuration file solr.in.sh; Windows deployments are unaffected by
this flaw.”

According to penetration testing experts, if the default solr.in.sh file is used on the affected versions, JMX monitoring will be enabled, exposing RMI_PORT without authentication. This scenario would allow a threat actor to access JMX, load malicious code, and run it on the Solr server.
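As an added example (not part of the original article and not Apache's own tooling), the script below checks a solr.in.sh for the setting named in the advisory and reports the effective value. It assumes that an unset ENABLE_REMOTE_JMX_OPTS leaves remote JMX off; the function names and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Audit a solr.in.sh for the remote-JMX option named in the advisory.

# Print the value of the LAST uncommented assignment of variable $1 in file $2.
# Tolerates leading whitespace, an optional "export", and single/double quotes.
effective_value() {
  sed -n -E "s/^[[:space:]]*(export[[:space:]]+)?$1=[\"']?([^\"'#[:space:]]*).*/\2/p" "$2" | tail -n 1
}

# Returns 0 when remote JMX is not enabled, 1 when it is, 2 if unreadable.
audit_solr_in_sh() {
  file=$1
  [ -r "$file" ] || { echo "cannot read $file" >&2; return 2; }
  jmx=$(effective_value ENABLE_REMOTE_JMX_OPTS "$file")
  port=$(effective_value RMI_PORT "$file")
  if [ "$jmx" = "true" ]; then
    echo "FINDING: $file sets ENABLE_REMOTE_JMX_OPTS=true (RMI_PORT=${port:-not set in file})"
    return 1
  fi
  # Assumption: anything other than "true" (including unset) keeps JMX remote off.
  echo "OK: $file does not enable remote JMX (ENABLE_REMOTE_JMX_OPTS=${jmx:-unset})"
  return 0
}

# Constructed sample inputs (not real deployment files): one mimicking the
# unsafe default the advisory describes, one with the option switched off.
demo() {
  d=$(mktemp -d)
  printf '%s\n' '#SOLR_HEAP="512m"' 'ENABLE_REMOTE_JMX_OPTS="true"' \
    '#RMI_PORT=18983' > "$d/default.in.sh"
  printf '%s\n' 'ENABLE_REMOTE_JMX_OPTS="false"' 'RMI_PORT=18983' \
    > "$d/hardened.in.sh"
  r1=0; audit_solr_in_sh "$d/default.in.sh" || r1=$?
  r2=0; audit_solr_in_sh "$d/hardened.in.sh" || r2=$?
  rm -rf "$d"
  echo "exit codes: $r1 $r2"
}
demo
```

Point `audit_solr_in_sh` at the solr.in.sh actually used by the service; a non-zero exit makes it easy to wire into a configuration check.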

As for the second vulnerability, a proof of concept was published as a GitHub Gist (a code snippet published on the platform); as reported by experts at security firm Tenable, the proof of concept was published improperly, with no regard for whether the company had already developed a fix.

It has been confirmed that Apache Solr versions between 7.2.2 and 8.3, the latest version, are vulnerable. In addition, Tenable researchers believe that some older versions that include the configuration API might also be vulnerable.

According to penetration testing specialists at the International Institute of Cyber Security (IICS), it is highly likely that threat actors have already obtained the proof of concept, so we are facing a massive campaign of exploitation of this flaw. Even though the proof of concept is no longer on GitHub, it should be possible to find it in one of the many hacking forums on the dark web.

As a precaution, server administrators should update their security settings according to the recommendations issued by each vendor, run tests to verify that their systems have not previously been attacked, and implement authentication.
