Security Announcement - Statement on Apache Solr ConfigSet File Upload Vulnerability CVE-2020-13957

19-04-2021

Overview

The background of security vulnerability

Apache Solr is an enterprise-grade search platform written in Java and built on Apache Lucene. It exposes REST-like HTTP APIs and provides distributed indexing, centralized configuration and related features, and many organizations use it to implement search and navigation. The H3C Attack and Defense Laboratory recently observed that Apache published an advisory for a file upload vulnerability in the Apache Solr ConfigSets API, and has tracked and analyzed the issue.

The vulnerability description

When configuration files are uploaded through the ConfigSets API without authentication, Apache Solr treats the uploaded configset as untrusted and disables certain features that could be used for remote code execution. However, a remote attacker can combine the UPLOAD and CREATE actions to create a new configset based on an uploaded, untrusted one; the new configset is treated as trusted, which bypasses the restriction. By setting the appropriate parameters in the uploaded configuration, the attacker can achieve remote code execution and take control of the server.

The scope of influence

Severity level: high risk

Scope of influence:

  • Apache Solr 6.6.0 - 6.6.5
  • Apache Solr 7.0.0 - 7.7.3
  • Apache Solr 8.0.0 - 8.6.2

Solution

The official patch

1. Apache has fixed the vulnerability in a new release. Upgrade to Solr 8.6.3 or later. Download link: https://lucene.apache.org/solr/downloads.html

2. If you cannot upgrade, apply the patch referenced in SOLR-14663: https://issues.apache.org/jira/browse/SOLR-14663

The temporary Solution

1. If the ConfigSets API is not used in your environment, disable the UPLOAD action by setting the system property configset.upload.enabled to false (for example, by appending -Dconfigset.upload.enabled=false to SOLR_OPTS in solr.in.sh). See: https://lucene.apache.org/solr/guide/8_6/configsets-api.html

2. Enable authentication and authorization so that unauthenticated requests are rejected. See: https://lucene.apache.org/solr/guide/8_6/authentication-and-authorization-plugins.html

3. Restrict network access with an allowlist so that only trusted IP addresses can reach the Solr API. Solr's APIs, including the Admin UI, are not designed to be exposed to untrusted networks.
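The following script is an added example; it is not part of the H3C advisory or of the Apache Solr project. It turns the affected version ranges and the first interim mitigation above into a check that can be run against an install: it tests whether a Solr version string falls inside the ranges this advisory lists, and whether a solr.in.sh-style settings file actually sets configset.upload.enabled=false on an uncommented line. The two solr.in.sh fragments it writes are constructed samples, not real deployment files, and the assess function and its messages are this example's own.

```shell
#!/bin/sh
# Added example, not code from the H3C advisory or the Apache Solr project.
# Checks (1) whether a Solr version string is inside the affected ranges the
# advisory lists and (2) whether a solr.in.sh-style file carries the interim
# mitigation -Dconfigset.upload.enabled=false on an uncommented line.

# Turn "MAJOR.MINOR.PATCH" (optionally with a "-SNAPSHOT"-style suffix)
# into a single integer so ranges can be compared with -ge / -le.
solr_version_key() {
    v="${1%%-*}"
    old_ifs=$IFS
    IFS=.
    set -- $v
    IFS=$old_ifs
    echo $(( ${1:-0} * 1000000 + ${2:-0} * 1000 + ${3:-0} ))
}

# version_in_range VERSION LOW HIGH -> true when LOW <= VERSION <= HIGH
version_in_range() {
    k=$(solr_version_key "$1")
    [ "$k" -ge "$(solr_version_key "$2")" ] && [ "$k" -le "$(solr_version_key "$3")" ]
}

# True when VERSION is in one of the ranges listed in the advisory:
# 6.6.0 - 6.6.5, 7.0.0 - 7.7.3, 8.0.0 - 8.6.2 (fixed in 8.6.3).
solr_affected() {
    version_in_range "$1" 6.6.0 6.6.5 ||
    version_in_range "$1" 7.0.0 7.7.3 ||
    version_in_range "$1" 8.0.0 8.6.2
}

# True when FILE sets configset.upload.enabled=false on a line that is not
# commented out (a "# -D..." line is a note, not a mitigation).
upload_disabled_in() {
    grep -Eq '^[^#]*-Dconfigset\.upload\.enabled=false' "$1"
}

# assess VERSION SETTINGS_FILE: prints a verdict; returns 0 when no action is
# needed, 1 when the install is affected and the UPLOAD action is still on.
assess() {
    if ! solr_affected "$1"; then
        echo "$1: not in the affected ranges listed in the advisory"
        return 0
    fi
    if upload_disabled_in "$2"; then
        echo "$1: affected version, but ConfigSet UPLOAD is disabled in $2 (interim mitigation in place; still upgrade to 8.6.3+)"
        return 0
    fi
    echo "$1: AFFECTED and ConfigSet UPLOAD still enabled: upgrade to 8.6.3+ or set -Dconfigset.upload.enabled=false"
    return 1
}

# --- constructed sample inputs, not real deployment files ---
sample_dir=$(mktemp -d)
cat > "$sample_dir/solr.in.sh.unmitigated" <<'EOF'
SOLR_HEAP="512m"
# -Dconfigset.upload.enabled=false   (commented out: UPLOAD is still enabled)
EOF
cat > "$sample_dir/solr.in.sh.mitigated" <<'EOF'
SOLR_HEAP="512m"
SOLR_OPTS="$SOLR_OPTS -Dconfigset.upload.enabled=false"
EOF

# The trailing "|| true" keeps the demo from aborting under "set -e".
assess 8.6.2 "$sample_dir/solr.in.sh.unmitigated" || true   # affected, no mitigation
assess 8.6.2 "$sample_dir/solr.in.sh.mitigated"   || true   # affected, mitigated
assess 8.6.3 "$sample_dir/solr.in.sh.unmitigated" || true   # fixed release
rm -rf "$sample_dir"
```

To use it against a real install, pass the version string (for example from the output of bin/solr version) and the path to that install's solr.in.sh to assess. A commented-out property line is deliberately not counted as a mitigation, which is why the grep excludes anything after a leading #. The check covers only the first interim measure; it says nothing about whether authentication or a network allowlist is in place, and a version outside the listed ranges still deserves a look at the Solr release notes rather than an automatic pass.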

Reference link

1. https://issues.apache.org/jira/browse/SOLR-14925

2. https://issues.apache.org/jira/browse/SOLR-14663

3. https://www.mail-archive.com/announce@apache.org/msg06149.html

H3C security emergency response external service

H3C is committed to safeguarding the interests of product users, follows the principles of responsible disclosure for security incidents, and handles product security issues according to its security issue handling process. For information on H3C's security emergency response service and H3C product vulnerabilities, please visit https://www.h3c.com/en/Support/Online_Help/psirt/.
