CVE-2020-13957: Apache Solr ConfigSet Remote Code Execution Vulnerability Alert
On October 12, 2020, Apache Solr issued a risk notice on solr file upload vulnerability, the vulnerability number is CVE-2020-13957, vulnerability level is a high risk. Attackers can perform unauthorized operations on the ConfigSet API by combining the two ACTIONs of UPLOAD/CREATE, which can cause the impact of obtaining server permissions.
Solr is an open-source enterprise-search platform, written in Java, from the Apache Lucene project. Its major features include full-text search, hit highlighting, faceted search, real-time indexing, dynamic clustering, database integration, NoSQL features, and rich document handling.
Vulnerability Detail
Solr prevents some features considered dangerous (which could be used for remote code execution) to be configured in a ConfigSet that’s uploaded via API without authentication/authorization. The checks in place to prevent such features can be circumvented by using a combination of UPLOAD/CREATE actions.
Affected version
- Apache Solr 6.6.0 to 6.6.5
- Apache Solr 7.0.0 to 7.7.3
- Apache Solr 8.0.0 to 8.6.2
Solution
In this regard, we recommend that users upgrade Solr to the latest version in time.
Mitigation:
Any of the following are enough to prevent this vulnerability:
* Disable UPLOAD command in ConfigSets API if not used by setting the system property: “configset.upload.enabled” to “false”
* Use Authentication/Authorization and make sure unknown requests aren’t allowed
* Upgrade to Solr 8.6.3 or greater.
* If upgrading is not an option, consider applying the patch in SOLR-14663
* No Solr API, including the Admin UI, is designed to be exposed to non-trusted parties. Tune your firewall so that only trusted computers and people are allowed access
