Security Announcement: Statement on Apache Solr ConfigSet File Upload Vulnerability CVE-2020-13957
19-04-2021
Overview
Background of the security vulnerability
Apache Solr is an enterprise-level search platform written in Java and built on Apache Lucene. It exposes REST-like APIs and provides distributed indexing, centralized configuration and other functions; many companies use Solr to implement their search and navigation features. Recently, the Xinhua Three Offensive and Defense Laboratory observed that Apache had published an advisory on fixing the file upload vulnerability in the Apache Solr ConfigSet API, and carried out tracking and analysis.
Vulnerability description
When configuration files are uploaded through the ConfigSet API without authentication, Apache Solr by default disables certain dangerous features that could be used for remote code execution. A remote attacker can bypass these checks by combining the UPLOAD and CREATE commands to perform unauthorized operations, modifying parameters in the configuration files so as to achieve remote code execution and gain control of the server.
Scope of impact
Severity level: high risk
Affected versions:
Apache Solr 6.6.0 - 6.6.5
Apache Solr 7.0.0 - 7.7.3
Apache Solr 8.0.0 - 8.6.2
Solution
Official patch
1. Apache Solr has officially fixed the vulnerability in a new version. Please upgrade to Solr 8.6.3 or later. Download link: https://lucene.apache.org/solr/downloads.html
2. If you cannot upgrade, apply the patch attached to SOLR-14663; see: https://issues.apache.org/jira/browse/SOLR-14663
Temporary solution
1. If the ConfigSets API is not used in your environment, disable the UPLOAD command by starting Solr with -Dconfigset.upload.enabled=false; see https://lucene.apache.org/solr/guide/8_6/configsets-api.html for details.
2. Enable authentication; see https://lucene.apache.org/solr/guide/8_6/authentication-and-authorization-plugins.html for details.
3. Set up an access whitelist so that only trusted IP addresses can reach the Solr API.
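As an added example (not code from the H3C advisory or the Apache Solr project), the following POSIX shell script turns the affected-version list and the first temporary mitigation into an offline check: it decides whether a Solr version string falls in one of the affected ranges and whether a solr.in.sh-style options file carries -Dconfigset.upload.enabled=false. The sample option files, the temporary directory and the function names are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the H3C advisory or the Apache Solr project.
# Offline audit helper for the mitigations listed in the advisory:
#   1. is this Solr version inside one of the affected ranges?
#   2. does the solr.in.sh-style options file set -Dconfigset.upload.enabled=false?
# The sample option files written below are constructed for the demonstration.

# Return 0 if VERSION lies in 6.6.0-6.6.5, 7.0.0-7.7.3 or 8.0.0-8.6.2
# (the ranges given in the advisory), 1 otherwise.
solr_version_affected() {
    v="$1"
    case "$v" in
        *.*.*) major=${v%%.*}; rest=${v#*.}; minor=${rest%%.*}; patch=${rest#*.} ;;
        *.*)   major=${v%%.*}; minor=${v#*.}; patch=0 ;;
        *)     major=$v; minor=0; patch=0 ;;
    esac
    # drop any qualifier such as "-SNAPSHOT" from the patch component
    patch=${patch%%[!0-9]*}
    patch=${patch:-0}
    n=$((major * 10000 + minor * 100 + patch))
    if [ "$n" -ge 60600 ] && [ "$n" -le 60605 ]; then return 0; fi
    if [ "$n" -ge 70000 ] && [ "$n" -le 70703 ]; then return 0; fi
    if [ "$n" -ge 80000 ] && [ "$n" -le 80602 ]; then return 0; fi
    return 1
}

# Return 0 if OPTS_FILE contains an uncommented -Dconfigset.upload.enabled=false.
# Commented-out lines are skipped so a mitigation left in a comment does not count.
upload_disabled_in() {
    grep -Ev '^[[:space:]]*#' "$1" | grep -q -- '-Dconfigset\.upload\.enabled=false'
}

# Return 0 if the instance is on a fixed version or carries the mitigation,
# 1 if it is still exposed; prints a one-line finding either way.
audit_solr() {
    version="$1"
    opts_file="$2"
    if ! solr_version_affected "$version"; then
        echo "Solr $version: not in an affected range"
        return 0
    fi
    if upload_disabled_in "$opts_file"; then
        echo "Solr $version: affected, but ConfigSet UPLOAD is disabled in $opts_file"
        return 0
    fi
    echo "Solr $version: affected and ConfigSet UPLOAD still enabled; upgrade to 8.6.3+ or set -Dconfigset.upload.enabled=false"
    return 1
}

# Constructed sample option files (solr.in.sh style), written to a temp dir.
SAMPLE_DIR=$(mktemp -d)
SAMPLE_MITIGATED="$SAMPLE_DIR/solr.in.sh.mitigated"
SAMPLE_EXPOSED="$SAMPLE_DIR/solr.in.sh.exposed"
cat > "$SAMPLE_MITIGATED" <<'EOF'
SOLR_HEAP="512m"
SOLR_OPTS="$SOLR_OPTS -Dconfigset.upload.enabled=false"
EOF
cat > "$SAMPLE_EXPOSED" <<'EOF'
SOLR_HEAP="512m"
# SOLR_OPTS="$SOLR_OPTS -Dconfigset.upload.enabled=false"
EOF

# Demonstration: 8.6.2 is the last affected 8.x release, 8.6.3 is the fix.
audit_solr 8.6.2 "$SAMPLE_MITIGATED" || true
audit_solr 8.6.2 "$SAMPLE_EXPOSED"   || true
audit_solr 8.6.3 "$SAMPLE_EXPOSED"   || true
```

The version check encodes only the ranges from this advisory, and the file check reads local files without contacting the Solr instance, so run it on the host where solr.in.sh lives. It complements, rather than replaces, the upgrade to 8.6.3 or later.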
Reference links
1. https://issues.apache.org/jira/browse/SOLR-14925
2. https://issues.apache.org/jira/browse/SOLR-14663
3. https://www.mail-archive.com/announce@apache.org/msg06149.html
H3C security emergency response external service
H3C advocates that every effort be made to safeguard the ultimate interests of product users, abides by the principles of responsible disclosure of security incidents, and handles product security issues in accordance with its security issue handling mechanism. For information on H3C's security emergency response service and H3C product vulnerabilities, please visit https://www.h3c.com/en/Support/Online_Help/psirt/.