PMC update on Solr vulnerabilities: CVEs 2019-12409 and 2019-17558

Cassandra Targett-2
Some of you may have seen an article earlier this week by ZDNet describing
two vulnerabilities in Apache Solr that have also been published elsewhere.
The Lucene PMC would like to update our user community about what we have
done and are doing to address the two issues.

The first issue noted, CVE-2019-12409, was announced a couple of weeks ago
and exists in Solr 8.1.1-8.2.0. This issue was caused by a bad default
option in the 'solr.in.sh' configuration file to allow remote JMX
connections by default and can be mitigated by changing the setting. More
details are in the mailing list announcement here:
https://s.apache.org/98nsn. Solr 8.3.0 properly sets the correct default
option.

The second issue allows Remote Code Execution through custom Velocity
templates. This issue now has a CVE: 2019-17558. It affects versions 7.0.0
through 8.3.0.

Solr is working on an 8.3.1 release to fix this bug; we are voting on a
release candidate now and it should be released by early next week. We will
make a formal announcement about it and update the CVE databases when 8.3.1
is released. We will likely also release a 7.7.3 for users still on 7.x,
but have not initiated that release process yet.

This vulnerability is only available to attackers if these conditions are
in place:

1. You have not disabled the Config API, or do not restrict access to the
Config API via authentication/authorization settings
2. You allow connections to Solr APIs from outside your firewall

You can mitigate this vulnerability right now by setting the system
parameter “-Ddisable.configEdit=true” and restarting Solr. If you already
have secured Solr behind a firewall and you have authentication for all
users in place, then we believe your risk of this bug is very low. If you
don’t use the Config API, we’d recommend disabling it even if you have a
firewall and authentication in place.

In future releases, we plan to minimize the set of enabled, pre-configured
plugins in Solr's default configset. This will not only reduce security
risks but will also be a simplification. A new plugin management system is
coming soon, and we will look to use that as much as possible to make Solr
as secure as possible out of the box.

We'd like to make sure everyone is aware of the wiki page that the PMC
maintains about known vulnerabilities:
https://cwiki.apache.org/confluence/display/solr/SolrSecurity. This page
provides a straightforward way to know what vulnerabilities have been
discovered to date, if your version is impacted, and how to mitigate your
risks.

Now is also a great time to take a few moments to review how you have
secured your Solr installation. You should always put Solr behind a
firewall, require SSL, and implement authentication for all users at a
minimum. These steps make any attack more difficult to execute.
Historically, there have been very few vulnerabilities reported to Solr
that did not first require a bad actor to have unauthorized access to the
system. As with any system, adopting a defense-in-depth approach to
securing Solr is a best practice. Be sure to refer to the Solr Reference
Guide section for more details about available configuration options:
https://lucene.apache.org/solr/guide/securing-solr.html.

If you have questions about securing Solr after reviewing available
information and documentation, please feel free to ask a question on this
mailing list and we will work to get you a response as quickly as we can.
To report a suspected vulnerability, please email [hidden email].

Best Regards,
The Lucene PMC
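
A local check for the two settings the message above names, as an added example that is not part of the original post or the Solr project's code: it reads a solr.in.sh and reports whether remote JMX is enabled and whether -Ddisable.configEdit=true is set. ENABLE_REMOTE_JMX_OPTS and SOLR_OPTS are the variable names used in Solr's solr.in.sh; the script assumes the property is set in that file rather than on the command line, and the sample file is constructed.

```shell
#!/bin/sh
# Added example (not from the advisory): audit a solr.in.sh for both mitigations.

# Last uncommented ENABLE_REMOTE_JMX_OPTS value, quotes and trailing comment stripped.
jmx_setting() {
    grep -E '^[[:space:]]*(export[[:space:]]+)?ENABLE_REMOTE_JMX_OPTS=' "$1" |
        tail -n 1 | cut -d= -f2 | sed 's/#.*//' | tr -d "\"' \t"
}

# Succeeds if an uncommented line passes -Ddisable.configEdit=true.
config_edit_disabled() {
    grep -Eq '^[[:space:]]*[^#[:space:]].*-Ddisable\.configEdit=true' "$1"
}

# Prints one line per finding; the return status is the number of findings.
audit_solr_in_sh() {
    findings=0
    if [ "$(jmx_setting "$1")" = "true" ]; then
        echo "CVE-2019-12409: ENABLE_REMOTE_JMX_OPTS is \"true\" (remote JMX enabled)"
        findings=$((findings + 1))
    fi
    if ! config_edit_disabled "$1"; then
        echo "CVE-2019-17558: -Ddisable.configEdit=true not set (Config API editable)"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# Constructed sample resembling an affected file: JMX on, mitigation commented out.
sample_solr_in_sh() {
    cat <<'EOF'
#ENABLE_REMOTE_JMX_OPTS="false"
ENABLE_REMOTE_JMX_OPTS="true"   # bad default described for 8.1.1-8.2.0
#SOLR_OPTS="$SOLR_OPTS -Ddisable.configEdit=true"
EOF
}

# Audit the file given as $1, or the constructed sample when no path is given.
if [ $# -gt 0 ]; then
    target=$1
else
    target=$(mktemp) && sample_solr_in_sh > "$target"
fi
audit_solr_in_sh "$target" || echo "findings: $?"
[ $# -gt 0 ] || rm -f "$target"
```

A clean result only covers the file that was read; a property passed on the Solr start command line, and the firewall and authentication conditions the message lists, need to be checked separately.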