Mon. Nov 18th, 2019

CVE-2019-0193: Apache Solr Remote Code Execution Vulnerability Alert

1 min read

On August 1, 2019, Apache Solr officially released the CVE-2019-0193 vulnerability warning, and the vulnerability impact rating was serious. This vulnerability exists in the optional module DataImportHandler, which is a common module for extracting data from a database or other source. The DIH configuration can be set by the externally requested dataConfig parameter. Since the DIH configuration can contain scripts, this parameter has security risks.

An attacker can use the dataConfig parameter to construct a malicious request for remote code execution. Ask the user to upgrade Solr to a secure version as soon as possible to ensure effective protection against this vulnerability.

Affected version

  • Apache Solr < 8.2.0

Unaffected version

  • Apache Solr >= 8.2.0

Solution

Upgrade Apache Solr to version 8.2.0 or later.

Temporary patching suggestions:

  • Edit solrconfig.xml to set the dataConfig parameter in all DataImportHandler usages configured with fixed values ​​to an empty string.
  • Make sure that the network settings only allow trusted traffic to communicate with Solr, especially with DIH request handlers.