[CVE-2019-17558] Apache Solr RCE through VelocityResponseWriter

classic Classic list List threaded Threaded
1 message Options
Reply | Threaded
Open this post in threaded view

[CVE-2019-17558] Apache Solr RCE through VelocityResponseWriter

Erik Hatcher-4
[CVE-2019-17558] Apache Solr RCE through VelocityResponseWriter

Severity: High

Vendor: The Apache Software Foundation

Versions Affected: 5.0.0 to 8.3.1

The affected versions are vulnerable to a Remote Code Execution through the
VelocityResponseWriter.  A Velocity template can be provided through
Velocity templates in a configset `velocity/` directory or as a parameter.
A user defined configset could contain renderable, potentially malicious,
templates.  Parameter provided templates are disabled by default, but can
be enabled by setting `params.resource.loader.enabled` by defining a
response writer with that setting set to `true`.  Defining a response
writer requires configuration API access.

Solr 8.4 removed the params resource loader entirely, and only enables the
configset-provided template rendering when the configset is `trusted` (has
been uploaded by an authenticated user).

Mitigation: Ensure your network settings are configured so that only
trusted traffic
communicates with Solr, especially to the configuration APIs.

Credits: Github user `s00py`

  * https://cwiki.apache.org/confluence/display/solr/SolrSecurity
  * https://issues.apache.org/jira/browse/SOLR-13971
  * https://issues.apache.org/jira/browse/SOLR-14025