Apache Solr Remote Code Execution vulnerability exploit code published

A security researcher has published proof-of-concept (PoC) exploit code for an Apache Solr remote code execution vulnerability, CVE-2019-12409.

The Apache Software Foundation posted a new security advisory last week for an Apache Solr RCE vulnerability caused by an insecure default configuration (CVE-2019-12409). Apache Solr is a popular open-source search platform built on Apache Lucene.

A summary of the configuration issue as noted in the advisory:

“The 8.1.1 and 8.2.0 releases of Apache Solr contain an insecure setting for the ENABLE_REMOTE_JMX_OPTS configuration option in the default solr.in.sh configuration file shipping with Solr.”

In other words, administrators should update the default configuration, specifically the solr.in.sh file, used in the impacted releases. In those releases, JMX monitoring is enabled by default and exposed on RMI_PORT (18983 by default) without any user authentication.

As a consequence, if your organization’s firewalls are opened to allow this port for inbound traffic, anyone with network access to your Solr nodes will be able to access JMX. Attackers could then upload malicious code for execution on impacted Solr systems.

Researchers from Tenable confirmed on October 29 that PoC code for the RCE vulnerability was published on GitHub Gist.

Apache said no upgrade is needed, and recommended the following mitigation to address the vulnerability:

“Make sure your effective solr.in.sh file has ENABLE_REMOTE_JMX_OPTS set to ‘false’ on every Solr node and then restart Solr. Note that the effective solr.in.sh file may reside in /etc/defaults/ or another location depending on the install. You can then validate that the ‘com.sun.management.jmxremote*’ family of properties are not listed in the “Java Properties” section of the Solr Admin UI, or configured in a secure way.”
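The two checks in that mitigation (the effective ENABLE_REMOTE_JMX_OPTS value in solr.in.sh, and the absence of insecure com.sun.management.jmxremote* properties in the running JVM) can be scripted for every node. The following is an added example written for this article, not code from the advisory or the Solr project. It assumes the administrator passes in the path of the effective solr.in.sh and a saved copy of the Java properties list (for example, the "Java Properties" section of the Admin UI or the output of `jcmd <pid> VM.system_properties`); the sample files it creates are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the advisory or Solr): audit a Solr node for the
# CVE-2019-12409 condition. The sample inputs below are constructed.

# Print the effective ENABLE_REMOTE_JMX_OPTS value from a solr.in.sh file.
# bin/solr sources this file as a shell script, so the last uncommented
# assignment wins. Prints "unset" when no assignment is active.
effective_jmx_setting() {
    val=$(grep -E '^[[:space:]]*ENABLE_REMOTE_JMX_OPTS=' "$1" 2>/dev/null |
          tail -n 1 |
          sed -E 's/^[[:space:]]*ENABLE_REMOTE_JMX_OPTS=//; s/[[:space:]]*#.*$//' |
          tr -d "\"'")
    if [ -n "$val" ]; then
        echo "$val"
    else
        echo "unset"
    fi
}

# Return 1 (insecure) when the file would enable remote JMX, 0 otherwise.
# Matched case-insensitively to stay conservative.
audit_solr_in_sh() {
    setting=$(effective_jmx_setting "$1")
    case "$setting" in
        [Tt][Rr][Uu][Ee])
            echo "INSECURE: $1 enables remote JMX (ENABLE_REMOTE_JMX_OPTS=$setting); set it to \"false\" and restart Solr"
            return 1 ;;
        *)
            echo "OK: $1 ENABLE_REMOTE_JMX_OPTS=$setting"
            return 0 ;;
    esac
}

# Second check: scan a saved Java properties list. Return 1 if any
# com.sun.management.jmxremote* property disables authentication or SSL,
# 0 if none are present or they need a manual review.
audit_jmx_properties() {
    props=$(grep -E '^com\.sun\.management\.jmxremote' "$1" 2>/dev/null || true)
    if [ -z "$props" ]; then
        echo "OK: no com.sun.management.jmxremote* properties in $1"
        return 0
    fi
    if echo "$props" | grep -Eq '^com\.sun\.management\.jmxremote\.(authenticate|ssl)=false'; then
        echo "INSECURE: remote JMX exposed without authentication/TLS in $1:"
        echo "$props"
        return 1
    fi
    echo "REVIEW: remote JMX properties present in $1; confirm they are configured securely:"
    echo "$props"
    return 0
}

# Constructed sample inputs (not real Solr files).
WORK=$(mktemp -d)
SAMPLE_INSECURE="$WORK/solr.in.sh.shipped"
cat > "$SAMPLE_INSECURE" <<'EOF'
# Settings for the JMX monitoring
#ENABLE_REMOTE_JMX_OPTS="false"
ENABLE_REMOTE_JMX_OPTS="true"
#RMI_PORT=18983
EOF
SAMPLE_FIXED="$WORK/solr.in.sh.mitigated"
cat > "$SAMPLE_FIXED" <<'EOF'
ENABLE_REMOTE_JMX_OPTS="true"
# Mitigation for CVE-2019-12409: the later assignment overrides the shipped value
ENABLE_REMOTE_JMX_OPTS="false"
EOF
SAMPLE_PROPS="$WORK/java.properties"
cat > "$SAMPLE_PROPS" <<'EOF'
java.version=1.8.0_222
com.sun.management.jmxremote=
com.sun.management.jmxremote.port=18983
com.sun.management.jmxremote.authenticate=false
com.sun.management.jmxremote.ssl=false
EOF

audit_solr_in_sh "$SAMPLE_INSECURE" || true
audit_solr_in_sh "$SAMPLE_FIXED"
audit_jmx_properties "$SAMPLE_PROPS" || true
```

Run the two audit functions against the real paths on each node (the advisory notes the effective solr.in.sh may live in /etc/defaults/ or elsewhere depending on the install); a non-zero exit from either one means the node still needs the setting changed and a restart.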

Organizations are also reminded to follow the Solr documentation’s guidance to “never expose Solr nodes directly in a hostile network environment.” With PoC code now publicly available, security experts warn that active exploitation in the wild may be only days or weeks away.