Apache Solr Configuration Issue More Severe Than Originally Thought - Binary Defense

Threat Watch

Stay informed of cybersecurity news & events

Threat Watch Apache Solr Configuration Issue More Severe Than Originally Thought

Apache Solr Configuration Issue More Severe Than Originally Thought

An Apache Solr configuration issue reported in July is turning into a higher-severity issue than originally thought. Solr is an enterprise search platform that powers the search feature of many of the world’s largest websites. After a user named “jnyryan” reported the issue to Apache, the Apache Solr team categorized it as low priority because it was assumed that the only data exposed would be Solr monitoring data, which is not sensitive. CVE-2019-12409 is a vulnerability caused by a default configuration option exposing Apache Solr to any remote connection over port 18983. At least two proof of concept remote code execution scripts has been published to GitHub since the original vulnerability was disclosed, causing Apache to realize just how serious the issue actually was. On November 18^th Apache updated its security advisory with a high severity rating.

ANALYST NOTES

Any time an advisory like this is released, it is highly recommended to read through it for affected versions and to check if an update or mitigation has been made available. In this particular case, the “ENABLE_REMOTE_JMX_OPTS” option in “solr.in.sh” should be set to “false” before restarting the Apache Solr instance. There is no need to update in this case, but future versions should have this option set by default. Enterprises that use Solr should check their firewall logs for any remote connections from suspicious IP addresses to port 18983 of any Solr deployments. Sources: https://www.zdnet.com/article/exploit-code-published-for-dangerous-apache-solr-remote-code-execution-flaw/, https://lucene.apache.org/solr/news.html