Description

In Apache Solr (versions 5.0.0 to 5.5.5 and 6.0.0 to 6.6.5) it's possible to use the ConfigAPI to set an arbitrary jmx.serviceUrl that will create a new JMXConnectorServerFactory and trigger a call with 'bind' operation to a target RMI/LDAP server. A malicious RMI server could respond with arbitrary object that will be deserialized on the Solr side using java's ObjectInputStream, which is considered unsafe.

This type of vulnerabilities can be exploited with ysoserial tool. Depending on the target classpath, an attacker can use one of the "gadget chains" to trigger Remote Code Execution on the Solr side.

Remediation

Any of the following are enough to prevent this vulnerability:

  • Upgrade to Apache Solr 7.0 or later.
  • Disable the ConfigAPI if not in use, by running Solr with the system property "disable.configEdit=true"
  • If upgrading or disabling the Config API are not viable options, apply patch (https://issues.apache.org/jira/browse/SOLR-13301) and re-compile Solr.
  • Ensure your network settings are configured so that only trusted traffic is allowed to ingress/egress your hosts running Solr.

Related Vulnerabilities

Joomla! JomSocial remote code execution

PHP code injection (pmwiki)

Python object deserialization of user-supplied data

WS_FTP AHT Deserialization RCE (CVE-2023-40044)

WordPress Plugin Fast Secure Contact Form Remote Code Execution (4.0.44)

Severity

High

Classification

CVE-2019-0192 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Tags

Insecure Deserialization Acumonitor Code Execution