
IS specialists published an exploit for the RCE problem in Apache Solr

In the summer of this year, an information security researcher known as jnyryan discovered a problem in Apache Solr. Now security professionals have published an exploit for this RCE problem.

The vulnerability was hidden in the solr.in.sh configuration file, which by default is included in all versions of Solr.

The default configuration ships with the ENABLE_REMOTE_JMX_OPTS option enabled, which, in turn, opens port 8983 for remote connections.

“If you use the default solr.in.sh file from the affected releases, then JMX monitoring will be enabled and exposed on RMI_PORT (default=18983), without any authentication. If this port is opened for inbound traffic in your firewall, then anyone with network access to your Solr nodes will be able to access JMX, which may in turn allow them to upload malicious code for execution on the Solr server”, writes the IS specialist known as jnyryan.

Apache developers considered this problem almost harmless, because in the worst case an attacker could only access Solr monitoring data, which is of little use.

However, at the end of October, a PoC exploit was published on GitHub, demonstrating that an attacker could use the same problem to remotely execute arbitrary code (RCE). The exploit used open port 8983 to enable Apache Velocity templates on the Solr server, and then used this function to download and run malicious code. Worse, a few days later a second, improved exploit appeared online, making attacks even easier to carry out.


After that, the developers realized their mistake and issued an updated security recommendation. The vulnerability is now tracked as CVE-2019-12409. Researchers remind users that it is better to keep Solr servers behind firewalls, since these systems should not openly “surf” the Internet.

It is still unclear which versions of Solr are affected by the problem. Currently Solr developers write about versions 8.1.1 and 8.2.0, but Tenable experts report that the vulnerability is dangerous for Solr from version 7.7.2 to the latest version 8.3.

Mitigation:

Make sure your effective solr.in.sh file has ENABLE_REMOTE_JMX_OPTS set to 'false' on every Solr node and then restart Solr. Note that the effective solr.in.sh file may reside in /etc/defaults/ or another location depending on the install. You can then validate that the 'com.sun.management.jmxremote*' family of properties is not listed in the “Java Properties” section of the Solr Admin UI, or is configured in a secure way.
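One way to script the mitigation check above across nodes (an added example, not code from the article or from the Solr project). The function names `jmx_opt_state`, `audit_files` and `jmxremote_props` are hypothetical, and the script assumes the last uncommented assignment in solr.in.sh is the effective one, as in any sourced shell file; pass it whichever solr.in.sh paths your install uses.

```shell
#!/bin/sh
# Added example: audit solr.in.sh files for the ENABLE_REMOTE_JMX_OPTS setting.

# jmx_opt_state FILE -> prints enabled | disabled | unset | unrecognized | missing
jmx_opt_state() {
    file=$1
    [ -r "$file" ] || { echo "missing"; return 0; }
    # Keep only uncommented assignments; the last one wins when the file is
    # sourced. Then drop trailing comments, quotes and whitespace (incl. CR).
    value=$(sed -nE 's/^[[:space:]]*(export[[:space:]]+)?ENABLE_REMOTE_JMX_OPTS=//p' "$file" \
        | tail -n 1 | sed 's/[[:space:]]*#.*$//' | tr -d "\"'" | tr -d '[:space:]')
    case $value in
        true)  echo "enabled" ;;       # the exposed default described in the article
        false) echo "disabled" ;;      # the value the mitigation asks for
        '')    echo "unset" ;;         # no effective assignment in this file
        *)     echo "unrecognized" ;;  # needs a manual look
    esac
}

# audit_files FILE... -> prints one line per file; returns 1 unless every
# file explicitly sets the option to false.
audit_files() {
    rc=0
    for f in "$@"; do
        state=$(jmx_opt_state "$f")
        echo "$f: $state"
        [ "$state" = "disabled" ] || rc=1
    done
    return $rc
}

# jmxremote_props "JVM ARGS" -> prints each com.sun.management.jmxremote* flag
# found in a JVM command line (e.g. taken from `ps -o args=` on the Solr process).
jmxremote_props() {
    printf '%s\n' "$1" | tr ' ' '\n' | grep -e '^-Dcom\.sun\.management\.jmxremote' || true
}

# Run as a script: ./check.sh /path/to/solr.in.sh [more files...]
if [ "$#" -gt 0 ]; then
    audit_files "$@"
fi
```

A non-zero exit status means at least one file does not explicitly disable the option; Solr still has to be restarted after the file is changed.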

Polina Lisovskaya
