[Unpatched] Apache Solr remote command execution vulnerability alert

On October 31, 2019, the security researcher S00pY released on GitHub a proof of concept (PoC) for Apache Solr RCE via the Velocity template. After testing, the PoC is valid and effective; we judge the vulnerability level to be serious, with a wide harm and impact surface. Currently, Apache Solr has not officially released a patch for this vulnerability. We recommend that Apache Solr users apply the measures in the solution section below to defend against hacker attacks.

Vulnerability detail

The vulnerability arises from two factors:

  1. When an attacker can directly access the Solr console, they can modify a node's configuration file by sending a POST request to an endpoint such as /nodename/config.
  2. Apache Solr integrates the VelocityResponseWriter plugin by default. The params.resource.loader.enabled option in the plugin's initialization parameters controls whether the parameter resource loader may take a template from the Solr request parameters; the default setting is false.
     When params.resource.loader.enabled is set to true, a user is allowed to specify which resources to load by setting parameters in the request, which means that an attacker can construct a malicious request to execute commands on the server.

Affected version

After testing, it currently affects Apache Solr 7.x through 8.2.0.

Solution

Currently, Apache Solr has not officially released a patch for this vulnerability. We recommend configuring the network so that only trusted traffic can communicate with Solr.
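The two factors described in the vulnerability detail section, and the trusted-traffic recommendation above, translate into two defender-side checks: audit a core's solrconfig.xml for a VelocityResponseWriter whose params.resource.loader.enabled is true, and scan the HTTP access log for POST requests to a /config endpoint that did not come from a trusted network. The example below is added here and is not code from the advisory or from the Apache Solr project; the solrconfig.xml fragment and the log lines are constructed samples, the queryResponseWriter element layout follows Solr's shipped example configs, the combined-log format and the /solr/<core>/config path are assumptions, and the trusted network ranges are placeholders.

```python
"""Defender-side checks for the Solr Velocity template issue (added example)."""
import ipaddress
import re
import xml.etree.ElementTree as ET

# Constructed sample solrconfig.xml fragment (not from the advisory).
# The element layout mirrors Solr's example configs; the dangerous
# setting is the params.resource.loader.enabled string set to "true".
SAMPLE_SOLRCONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<config>
  <queryResponseWriter name="velocity" class="solr.VelocityResponseWriter" startup="lazy">
    <str name="template.base.dir">${velocity.template.base.dir:}</str>
    <str name="params.resource.loader.enabled">true</str>
  </queryResponseWriter>
  <queryResponseWriter name="json" class="solr.JSONResponseWriter"/>
</config>
"""

# Constructed access-log lines in combined log format (assumed format;
# /solr/mycore/config is an assumed path for the per-core config API).
SAMPLE_LOG = [
    '10.0.0.5 - - [31/Oct/2019:10:00:01 +0000] "POST /solr/mycore/config HTTP/1.1" 200 123',
    '203.0.113.7 - - [31/Oct/2019:10:00:02 +0000] "POST /solr/mycore/config HTTP/1.1" 200 98',
    '10.0.0.5 - - [31/Oct/2019:10:00:03 +0000] "GET /solr/mycore/select?q=*:* HTTP/1.1" 200 456',
]


def velocity_writer_findings(solrconfig_xml: str) -> list:
    """Return (writer name, message) pairs for every VelocityResponseWriter
    in the config whose params.resource.loader.enabled is true."""
    root = ET.fromstring(solrconfig_xml)
    findings = []
    for qrw in root.iter("queryResponseWriter"):
        if qrw.get("class") != "solr.VelocityResponseWriter":
            continue
        enabled = False
        for child in qrw:
            if child.get("name") == "params.resource.loader.enabled":
                enabled = (child.text or "").strip().lower() == "true"
        if enabled:
            findings.append((
                qrw.get("name", "?"),
                "params.resource.loader.enabled is true: templates may be "
                "supplied through request parameters; set it to false",
            ))
    return findings


# Minimal combined-log parser: source IP, method, path and status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def untrusted_config_posts(log_lines, trusted_networks) -> list:
    """Return (source ip, path) for POST requests to a .../config endpoint
    whose source address is outside every trusted network."""
    nets = [ipaddress.ip_network(n) for n in trusted_networks]
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a real deployment would count these
        path = m["path"].split("?", 1)[0]
        if m["method"] != "POST" or not path.endswith("/config"):
            continue
        ip = ipaddress.ip_address(m["ip"])
        if not any(ip in net for net in nets):
            hits.append((m["ip"], path))
    return hits


if __name__ == "__main__":
    for name, msg in velocity_writer_findings(SAMPLE_SOLRCONFIG):
        print(f"[config] writer '{name}': {msg}")
    # Placeholder trusted range; replace with the networks allowed to reach Solr.
    for ip, path in untrusted_config_posts(SAMPLE_LOG, ["10.0.0.0/8"]):
        print(f"[log] config change from untrusted source {ip} -> {path}")
```

Run the config audit against each core's solrconfig.xml on the Solr node itself, and the log scan against the servlet container's access log; a config POST from outside the allowlist is the event to alert on, since the advisory's recommended mitigation is precisely that such traffic should not be able to reach Solr.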