On October 31, 2019, the security researcher S00pY released a PoC on GitHub for Apache Solr RCE via the Velocity template. After testing, we confirmed that the PoC is valid and effective. We rate the vulnerability as serious, with a wide impact surface. Currently, Apache Solr has not officially released a patch for this vulnerability. We recommend that users of Apache Solr apply the measures in the repair proposal to defend against attacks.
The vulnerability results from two conditions:
When an attacker can directly access the Solr console, they can change the node’s configuration by sending a POST request such as /nodename/config.
Apache Solr integrates the VelocityResponseWriter plugin by default. The params.resource.loader.enabled option in the plugin’s initialization parameters controls whether the parameter resource loader is allowed to take the template from the Solr request parameters. The default setting is false. Because the first condition lets the configuration be changed, this default alone does not protect an instance whose console is reachable.
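A defensive check for the second condition, added here as an example (it is not code from the original advisory or from the Solr project): it scans a core's solrconfig.xml and its configoverlay.json, the file in which Solr stores changes made through the Config API, for a VelocityResponseWriter that has params.resource.loader.enabled set to true. The sample file contents and the function names are constructed for illustration, and the overlay layout (writers keyed by name under queryResponseWriter) is an assumption.

```python
import json
import re
import xml.etree.ElementTree as ET

OPTION = "params.resource.loader.enabled"

# Constructed sample: a solrconfig.xml fragment that keeps the option at false.
SAMPLE_SOLRCONFIG = """<config>
  <queryResponseWriter name="velocity" class="solr.VelocityResponseWriter" startup="lazy">
    <str name="params.resource.loader.enabled">${velocity.params.resource.loader.enabled:false}</str>
  </queryResponseWriter>
</config>"""

# Constructed sample: an overlay in which the option was switched on at runtime.
SAMPLE_OVERLAY = """{"queryResponseWriter": {"velocity": {
  "name": "velocity", "class": "solr.VelocityResponseWriter",
  "params.resource.loader.enabled": "true"}}}"""


def _is_velocity(class_name):
    return (class_name or "").endswith("VelocityResponseWriter")


def _enabled(value):
    """Resolve a ${property:default} placeholder to its default, then test for true.
    A JVM system property can still override that default at startup."""
    text = str(value).strip()
    m = re.fullmatch(r"\$\{[^:}]+:?([^}]*)\}", text)
    return (m.group(1) if m else text).strip().lower() == "true"


def audit_solrconfig(xml_text):
    """Names of Velocity writers in solrconfig.xml that enable the option."""
    return [w.get("name")
            for w in ET.fromstring(xml_text).iter("queryResponseWriter")
            if _is_velocity(w.get("class"))
            and any(o.get("name") == OPTION and _enabled(o.text or "") for o in w)]


def audit_overlay(json_text):
    """Names of Velocity writers in configoverlay.json that enable the option."""
    writers = json.loads(json_text).get("queryResponseWriter", {})
    return [name for name, cfg in writers.items()
            if _is_velocity(cfg.get("class")) and _enabled(cfg.get(OPTION, "false"))]


if __name__ == "__main__":
    print("solrconfig.xml:", audit_solrconfig(SAMPLE_SOLRCONFIG) or "option off")
    print("configoverlay.json:", audit_overlay(SAMPLE_OVERLAY) or "option off")
```

A non-empty result from the overlay check on a core whose solrconfig.xml leaves the option off means the setting was changed at runtime and should be investigated.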