
IS specialists published an exploit for the RCE problem in Apache Solr

In the summer of this year, an information security researcher known as jnyryan discovered a problem in Apache Solr. Now security professionals have published an exploit for this RCE problem.

The vulnerability was hidden in the solr.in.sh configuration file, which by default is included in all versions of Solr.

The default configuration ships with the ENABLE_REMOTE_JMX_OPTS option enabled, which in turn opens port 8983 for remote connections.

“If you use the default solr.in.sh file from the affected releases, then JMX monitoring will be enabled and exposed on RMI_PORT (default=18983), without any authentication. If this port is opened for inbound traffic in your firewall, then anyone with network access to your Solr nodes will be able to access JMX, which may in turn allow them to upload malicious code for execution on the Solr server,” writes the IS specialist known as jnyryan.

Apache developers initially considered this problem almost harmless, because in the worst case an attacker could only access Solr monitoring data, which is of little use.

However, at the end of October, a PoC exploit was published on GitHub, demonstrating that an attacker could use the same problem to remotely execute arbitrary code (RCE). The exploit used open port 8983 to enable Apache Velocity templates on the Solr server, and then used this feature to download and run malicious code. Worse, a few days later a second, improved exploit appeared online, making attacks even easier to carry out.

After that, the developers realized their mistake and issued an updated security recommendation. The vulnerability is now tracked as CVE-2019-12409. Researchers remind users that it is better to keep Solr servers behind firewalls, since these systems should not openly “surf” the Internet.

It is still unclear which versions of Solr are affected by the problem. Currently, Solr developers write about versions 8.1.1 and 8.2.0, but Tenable experts report that the vulnerability is dangerous for Solr from version 7.7.2 to the latest version 8.3.

Mitigation:

Make sure your effective solr.in.sh file has ENABLE_REMOTE_JMX_OPTS set to 'false' on every Solr node and then restart Solr. Note that the effective solr.in.sh file may reside in /etc/defaults/ or another location depending on the install. You can then validate that the 'com.sun.management.jmxremote*' family of properties are not listed in the “Java Properties” section of the Solr Admin UI, or are configured in a secure way.
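
One way to script the check described in the mitigation, as an added example that is not part of the original article or the Solr project. The function names and verdict labels are hypothetical, the sample file is constructed, and flagging a missing assignment as REVIEW is an assumption of this example.

```bash
#!/usr/bin/env bash
# Added example (not from the article): audit solr.in.sh for ENABLE_REMOTE_JMX_OPTS.

# Print the effective value of ENABLE_REMOTE_JMX_OPTS in a solr.in.sh-style file.
# The last uncommented assignment wins, as when sourced; prints "unset" if none.
jmx_opts_value() {
  local val
  val=$(sed -n -E 's/^[[:space:]]*(export[[:space:]]+)?ENABLE_REMOTE_JMX_OPTS=//p' "$1" \
    | tail -n 1 \
    | sed -E 's/[[:space:]]*(#.*)?$//; s/^["'\'']//; s/["'\'']$//' \
    | tr '[:upper:]' '[:lower:]')
  printf '%s\n' "${val:-unset}"
}

# Verdict per the mitigation: only an explicit "false" passes.
# Assumption of this example: unset or unexpected values are flagged REVIEW.
jmx_verdict() {
  case "$(jmx_opts_value "$1")" in
    false) echo "OK" ;;
    true)  echo "EXPOSED" ;;
    *)     echo "REVIEW" ;;
  esac
}

# Audit each readable candidate file; return non-zero if any is not OK.
audit_solr_in_sh() {
  local rc=0 f verdict
  for f in "$@"; do
    [ -r "$f" ] || continue
    verdict=$(jmx_verdict "$f")
    printf '%-8s %s (ENABLE_REMOTE_JMX_OPTS=%s)\n' "$verdict" "$f" "$(jmx_opts_value "$f")"
    [ "$verdict" = "OK" ] || rc=1
  done
  return "$rc"
}

# After the restart: list com.sun.management.jmxremote* flags in a JVM command line.
jmx_flags_in_cmdline() {
  printf '%s\n' "$1" | tr ' ' '\n' | grep -E '^-Dcom\.sun\.management\.jmxremote' || true
}

# Paths given: audit them. None given: audit a constructed sample of the default.
if [ "$#" -gt 0 ]; then
  audit_solr_in_sh "$@"
else
  demo=$(mktemp); printf 'ENABLE_REMOTE_JMX_OPTS="true"\n' > "$demo"
  audit_solr_in_sh "$demo" || true; rm -f "$demo"
fi
```

Pass every location where solr.in.sh may live on the node; the script exits non-zero if any readable file is not explicitly set to false.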

Polina Lisovskaya

I have worked as a marketing manager for years now and love searching for interesting topics for you
