A firm of network security specialists has reported the emergence of a security vulnerability in the Apache Solr platform, whose developers have been placed under continuous review due to the announcement of a supposed exploit. If exploited, this vulnerability would allow a threat actor to remotely execute code in Solr by sending specially designed network traffic.
The vulnerability, tracked as CVE-2017-12629, was first reported last July and corrected in August 2019. The issue arose as a low-priority warning regarding access to the Java Management Extensions (JMX) port; threat actors could access the monitoring data exposed through this port, the network security report mentions. Shortly after the first report, the researchers had to reconsider the severity of the flaw to the point where it was considered a critical error.
Finally, public disclosure of the critical vulnerability was issued this week. Apparently, the flaw is due to a configuration issue in the file solr.in.sh in Apache Solr. The report mentions that “an unauthenticated hacker with access to the RMI port could exploit the vulnerability to load malicious code on the server and install a shell for a second stage of attack”.
Scott Caveza, a network security specialist who reported the vulnerability as critical, mentions that its presence is limited to Apache Solr versions 8.1.1 and 8.2.0. In addition, he notes that anyone with access to a vulnerable Solr server could load the malicious code needed to exploit the flaw.
While the flaw is critical, it’s not all bad news. To fix the vulnerability, system administrators can upgrade Apache Solr to the latest version (8.3), or change the ENABLE_REMOTE_JMX_OPTS setting in the vulnerable file, according to experts from the International Institute of Cyber Security (IICS). The change can be confirmed by ensuring that the com.sun.management.jmxremote properties are no longer listed in the Java Properties section of the Solr Admin interface.
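As an added example (not code from the report or from the Solr project), a small Python audit that applies the two checks described above: whether solr.in.sh still sets ENABLE_REMOTE_JMX_OPTS to true, and whether the JSON behind the Admin UI's Java Properties section (the /solr/admin/info/properties endpoint) still lists com.sun.management.jmxremote properties. The sample config files and endpoint response are constructed, and the response shape is an assumption to check against your own Solr node.

```python
import json
import re

# Prefix of the Java system properties that appear in the Solr Admin
# "Java Properties" panel while remote JMX is active.
JMXREMOTE_PREFIX = "com.sun.management.jmxremote"

# Shell assignment of the setting named in the report (optional `export`, optional quotes).
_ASSIGN = re.compile(r'^\s*(?:export\s+)?ENABLE_REMOTE_JMX_OPTS\s*=\s*["\']?(\w+)["\']?')

def remote_jmx_enabled(solr_in_sh: str) -> bool:
    """True if solr.in.sh leaves ENABLE_REMOTE_JMX_OPTS set to true.
    Read as shell: the last uncommented assignment wins; a missing or
    commented-out line is treated as 'not enabled' (assumption: confirm
    against the defaults of the Solr version you run)."""
    value = None
    for line in solr_in_sh.splitlines():
        m = _ASSIGN.match(line)
        if m:
            value = m.group(1).lower()
    return value == "true"

def jmxremote_properties(info_properties_json: str) -> list:
    """Return the com.sun.management.jmxremote* keys found in the JSON of
    /solr/admin/info/properties (assumed shape: a 'system.properties' map).
    An empty list is the confirmation the report describes."""
    props = json.loads(info_properties_json).get("system.properties", {})
    return sorted(k for k in props if k.startswith(JMXREMOTE_PREFIX))

# Constructed samples, not real captures: a vulnerable and a hardened solr.in.sh.
VULNERABLE_SOLR_IN_SH = """\
# constructed solr.in.sh fragment
SOLR_HEAP="512m"
ENABLE_REMOTE_JMX_OPTS="true"
RMI_PORT=18983
"""
HARDENED_SOLR_IN_SH = """\
SOLR_HEAP="512m"
#ENABLE_REMOTE_JMX_OPTS="true"
ENABLE_REMOTE_JMX_OPTS="false"
"""
# Constructed sample response from a node that still exposes remote JMX.
EXPOSED_PROPERTIES_JSON = json.dumps({
    "responseHeader": {"status": 0},
    "system.properties": {
        "java.version": "11.0.2",
        "com.sun.management.jmxremote": "",
        "com.sun.management.jmxremote.port": "18983",
        "com.sun.management.jmxremote.authenticate": "false",
        "com.sun.management.jmxremote.ssl": "false",
    },
})

if __name__ == "__main__":
    print("vulnerable config enables remote JMX:", remote_jmx_enabled(VULNERABLE_SOLR_IN_SH))
    print("hardened config enables remote JMX:", remote_jmx_enabled(HARDENED_SOLR_IN_SH))
    print("jmxremote properties still set:", jmxremote_properties(EXPOSED_PROPERTIES_JSON))
```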
The full report, as well as instructions for fixing the vulnerability and updating affected systems, is available on the official developer platform.