[ 
https://issues.apache.org/jira/browse/SOLR-13647?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16976524#comment-16976524
 ] 

Jan Høydahl commented on SOLR-13647:
------------------------------------

Updated announcement with CVE number published to solr-user@ general@ and 
announce@apache lists.

> CVE-2019-12409: Apache Solr RCE vulnerability due to bad config default
> -----------------------------------------------------------------------
>
>                 Key: SOLR-13647
>                 URL: https://issues.apache.org/jira/browse/SOLR-13647
>             Project: Solr
>          Issue Type: Bug
>    Affects Versions: 8.1.1
>            Reporter: John
>            Assignee: Jan Høydahl
>            Priority: Major
>             Fix For: 8.3
>
>          Time Spent: 1h 10m
>  Remaining Estimate: 0h
>
> This issue originally had the title "default solr.in.sh contains uncommented 
> lines" and told users to check their {{solr.in.sh}} file. Later we upgraded 
> the severity of this due to risk of remote code execution, acquired a CVE 
> number and issued the public announcement quoted below.
> {noformat}
> CVE-2019-12409: Apache Solr RCE vulnerability due to bad config default
> Severity: High
> Vendor:
> The Apache Software Foundation
> Versions Affected:
> Solr 8.1.1 and 8.2.0 for Linux
> Description: The 8.1.1 and 8.2.0 releases of Apache Solr contain an
> insecure setting for the ENABLE_REMOTE_JMX_OPTS configuration option
> in the default solr.in.sh configuration file shipping with Solr.
> Windows users are not affected.
> If you use the default solr.in.sh file from the affected releases, then
> JMX monitoring will be enabled and exposed on RMI_PORT (default=18983),
> without any authentication. If this port is opened for inbound traffic
> in your firewall, then anyone with network access to your Solr nodes
> will be able to access JMX, which may in turn allow them to upload
> malicious code for execution on the Solr server.
> The vulnerability is already public [1] and mitigation steps were
> announced on project mailing lists and news page [3] on August 14th,
> without mentioning RCE at that time.
> Mitigation:
> Make sure your effective solr.in.sh file has ENABLE_REMOTE_JMX_OPTS set
> to 'false' on every Solr node and then restart Solr. Note that the
> effective solr.in.sh file may reside in /etc/defaults/ or another
> location depending on the install. You can then validate that the
> 'com.sun.management.jmxremote*' family of properties are not listed in
> the "Java Properties" section of the Solr Admin UI, or configured in a
> secure way.
> There is no need to upgrade or update any code.
> Remember to follow the Solr Documentation's advice to never expose Solr
> nodes directly in a hostile network environment.
> Credit:
> Matei "Mal" Badanoiu
> Solr JIRA user 'jnyryan' (John)
> References:
> [1] https://issues.apache.org/jira/browse/SOLR-13647
> [3] https://lucene.apache.org/solr/news.html
> {noformat}



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscr...@lucene.apache.org
For additional commands, e-mail: issues-h...@lucene.apache.org
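The mitigation in the advisory above is a two-part check: confirm that the effective solr.in.sh no longer enables remote JMX, then confirm that the running JVM carries none of the com.sun.management.jmxremote* properties. The script below is an added example, not code from the Solr project or from the issue participants. It sources the include file in a subshell the same way bin/solr consumes it, so quoting and later overrides resolve as the start script sees them. Assumptions: the candidate file locations beyond the /etc/defaults/ the advisory names, the default SOLR_TIP of /opt/solr, and the Admin API path /solr/admin/info/properties that backs the "Java Properties" page; the fixture writer produces constructed files, not the real shipped solr.in.sh.

```shell
#!/bin/sh
# Audit a Linux host for the CVE-2019-12409 default: ENABLE_REMOTE_JMX_OPTS
# left "true" in solr.in.sh, exposing unauthenticated JMX/RMI on RMI_PORT.
# Added example, not part of the Solr project. The include-file search order
# and the Admin API path are assumptions drawn from typical installs.

# Candidate effective solr.in.sh locations, highest priority first. The
# advisory only says the file "may reside in /etc/defaults/ or another
# location"; the rest of this list is an assumption.
candidate_includes() {
  if [ -n "${SOLR_INCLUDE:-}" ]; then printf '%s\n' "$SOLR_INCLUDE"; fi
  printf '%s\n' /etc/default/solr.in.sh /etc/defaults/solr.in.sh \
    "${SOLR_TIP:-/opt/solr}/bin/solr.in.sh" "$HOME/.solr.in.sh"
}

# Print the effective ENABLE_REMOTE_JMX_OPTS value from one file, or "unset"
# when every assignment is commented out (the pre-8.1.1 default). Sourcing in
# a subshell mirrors how bin/solr reads the file, and the unset first makes
# sure an exported value from the caller's environment does not leak in.
effective_jmx_setting() {
  ( unset ENABLE_REMOTE_JMX_OPTS
    . "$1" >/dev/null 2>&1 || true
    printf '%s\n' "${ENABLE_REMOTE_JMX_OPTS-unset}" )
}

# Same for RMI_PORT; the advisory's default of 18983 applies when unset.
effective_rmi_port() {
  ( unset RMI_PORT
    . "$1" >/dev/null 2>&1 || true
    printf '%s\n' "${RMI_PORT:-18983}" )
}

# Return 0 when the file would enable remote JMX, 1 otherwise. Only a literal
# true (any case) turns JMX on; "false", empty and unset are all safe.
jmx_exposed_by() {
  case "$(effective_jmx_setting "$1" | tr '[:upper:]' '[:lower:]')" in
    true) return 0 ;;
    *)    return 1 ;;
  esac
}

# Second check from the advisory: the running JVM must not carry any
# com.sun.management.jmxremote* property. The Admin UI's "Java Properties"
# page is backed by /solr/admin/info/properties (assumption); query it directly.
# Prints the offending property names; exit status 0 only if any are found.
running_jmx_properties() {
  base="${1:-http://localhost:8983/solr}"
  curl -sS "$base/admin/info/properties?wt=json" \
    | grep -o '"com\.sun\.management\.jmxremote[^"]*"' | sort -u | grep .
}

# Walk the candidate files and print one verdict per file that exists.
audit_host() {
  candidate_includes | while IFS= read -r f; do
    [ -f "$f" ] || continue
    if jmx_exposed_by "$f"; then
      echo "VULNERABLE $f: ENABLE_REMOTE_JMX_OPTS=true, RMI port $(effective_rmi_port "$f") open without auth"
    else
      echo "ok         $f: ENABLE_REMOTE_JMX_OPTS=$(effective_jmx_setting "$f")"
    fi
  done
}

# Constructed fixture writer for offline testing (not a real Solr file): it
# mimics the uncommented block shipped in the affected releases.
write_fixture() {
  cat >"$1" <<EOF
# Enable remote JMX access by uncommenting the following lines.
ENABLE_REMOTE_JMX_OPTS="$2"
RMI_PORT=18983
SOLR_HEAP="512m"
EOF
}

if [ "${1:-}" = "--audit" ]; then audit_host; fi
```

Run it as `sh check_jmx.sh --audit` on every Solr node; after setting ENABLE_REMOTE_JMX_OPTS to false, restart Solr and then call `running_jmx_properties` against the node so the second check covers the JVM that is actually up, not just the file on disk. Restarting matters because the property check reads the live process, while the file check only predicts the next start.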