CVE-2019-12409: Apache Solr RCE vulnerability alert

Recently, Solr officially released a security update to fix RCE vulnerability (CVE-2019-12409) due to a bad config default. Solr is apache’s top-level open source project, which is a full-text search server based on lucene developed using Java. After we analysis and judgment. This vulnerability affects to new versions 8.1.1, 8.2.0. Solr users should not expose their Solr clusters to the public network. Since the new Solr version starts the JMX service by default, we judge that the event is seriously harmful. The impact is extensive. We remind the majority of Solr users to do a good job of self-checking the environmental network configuration or to close the JMX related functions.

Apache Solr

Description: The 8.1.1 and 8.2.0 releases of Apache Solr contain an insecure setting for the ENABLE_REMOTE_JMX_OPTS configuration option in the default solr.in.sh configuration file shipping with Solr.

If you use the default solr.in.sh file from the affected releases, then JMX monitoring will be enabled and exposed on RMI_PORT (default=18983), without any authentication. If this port is opened for inbound traffic in your firewall, then anyone with network access to your Solr nodes will be able to access JMX, which may in turn allow them to upload malicious code for execution on the Solr server.

The vulnerability is already public [1] and mitigation steps were announced on project mailing lists and news page [3] on August 14th, without mentioning RCE at that time.

Mitigation:
Make sure your effective solr.in.sh file has ENABLE_REMOTE_JMX_OPTS set to ‘false’ on every Solr node and then restart Solr. Note that the effective solr.in.sh file may reside in /etc/defaults/ or another location depending on the install. You can then validate that the ‘com.sun.management.jmxremote*’ family of properties are not listed in the “Java Properties” section of the Solr Admin UI, or configured in a secure way.