[ https://issues.apache.org/jira/browse/SOLR-13647?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16976524#comment-16976524 ]
Jan Høydahl commented on SOLR-13647:
------------------------------------

Updated announcement with CVE number published to solr-user@ general@ and announce@apache lists.

> CVE-2019-12409: Apache Solr RCE vulnerability due to bad config default
> -----------------------------------------------------------------------
>
> Key: SOLR-13647
> URL: https://issues.apache.org/jira/browse/SOLR-13647
> Project: Solr
> Issue Type: Bug
> Affects Versions: 8.1.1
> Reporter: John
> Assignee: Jan Høydahl
> Priority: Major
> Fix For: 8.3
>
> Time Spent: 1h 10m
> Remaining Estimate: 0h
>
> This issue originally had the title "default solr.in.sh contains uncommented
> lines" and told users to check their {{solr.in.sh}} file. Later we upgraded
> the severity of this due to risk of remote code execution, acquired a CVE
> number and issued the public announcement quoted below.
> {noformat}
> CVE-2019-12409: Apache Solr RCE vulnerability due to bad config default
> Severity: High
> Vendor:
> The Apache Software Foundation
> Versions Affected:
> Solr 8.1.1 and 8.2.0 for Linux
> Description: The 8.1.1 and 8.2.0 releases of Apache Solr contain an
> insecure setting for the ENABLE_REMOTE_JMX_OPTS configuration option
> in the default solr.in.sh configuration file shipping with Solr.
> Windows users are not affected.
> If you use the default solr.in.sh file from the affected releases, then
> JMX monitoring will be enabled and exposed on RMI_PORT (default=18983),
> without any authentication. If this port is opened for inbound traffic
> in your firewall, then anyone with network access to your Solr nodes
> will be able to access JMX, which may in turn allow them to upload
> malicious code for execution on the Solr server.
> The vulnerability is already public [1] and mitigation steps were
> announced on project mailing lists and news page [3] on August 14th,
> without mentioning RCE at that time.
> Mitigation:
> Make sure your effective solr.in.sh file has ENABLE_REMOTE_JMX_OPTS set
> to 'false' on every Solr node and then restart Solr. Note that the
> effective solr.in.sh file may reside in /etc/defaults/ or another
> location depending on the install. You can then validate that the
> 'com.sun.management.jmxremote*' family of properties are not listed in
> the "Java Properties" section of the Solr Admin UI, or configured in a
> secure way.
> There is no need to upgrade or update any code.
> Remember to follow the Solr Documentation's advice to never expose Solr
> nodes directly in a hostile network environment.
> Credit:
> Matei "Mal" Badanoiu
> Solr JIRA user 'jnyryan' (John)
> References:
> [1] https://issues.apache.org/jira/browse/SOLR-13647
> [3] https://lucene.apache.org/solr/news.html
> {noformat}

--
This message was sent by Atlassian Jira
(v8.3.4#803005)
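A script that checks the mitigation step from the announcement, added here as an example; it is not part of the Jira thread or the Solr project. It reads a solr.in.sh-style file, reports the effective ENABLE_REMOTE_JMX_OPTS value on the assumption that the last uncommented assignment wins (as when bin/solr sources the file), and flags files where it is true, naming RMI_PORT with the 18983 default from the advisory. The function names and the two sample files are mine; the sample files are constructed to mirror an affected default and a mitigated configuration.

```sh
#!/bin/sh
# Added example, not code from the Solr project or the CVE-2019-12409 announcement.
# Assumption: the file is plain sh with NAME=value lines and the last uncommented
# assignment is the effective one, as it is when bin/solr sources solr.in.sh.

# Print the effective ENABLE_REMOTE_JMX_OPTS value: "true", "false" or "unset".
# Lines whose first non-blank character is '#' never match, so commented-out
# assignments are ignored; a trailing "# comment" after the value is dropped.
effective_jmx_setting() {
    f="$1"
    val=$(grep -E '^[[:space:]]*ENABLE_REMOTE_JMX_OPTS=' "$f" 2>/dev/null \
        | tail -n 1 \
        | sed -e 's/^[^=]*=//' \
              -e 's/[[:space:]]*#.*$//' \
              -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
              -e 's/^"\(.*\)"$/\1/' -e "s/^'\(.*\)'\$/\1/")
    case "$val" in
        '')              echo unset ;;
        true|TRUE|True)  echo true ;;
        *)               echo false ;;
    esac
}

# Return 0 when the file does not enable remote JMX, 1 when it does.
check_solr_in_sh() {
    f="$1"
    setting=$(effective_jmx_setting "$f")
    port=$(grep -E '^[[:space:]]*RMI_PORT=' "$f" 2>/dev/null | tail -n 1 \
        | sed -e 's/^[^=]*=//' -e 's/[[:space:]]*#.*$//' \
              -e 's/^[[:space:]"]*//' -e 's/[[:space:]"]*$//')
    [ -n "$port" ] || port=18983          # default named in the advisory
    if [ "$setting" = true ]; then
        echo "EXPOSED: $f enables remote JMX on RMI_PORT $port; set ENABLE_REMOTE_JMX_OPTS=false and restart Solr"
        return 1
    fi
    echo "OK: $f has ENABLE_REMOTE_JMX_OPTS $setting"
    return 0
}

# Constructed sample files (not real shipped files) so the script runs stand-alone.
make_samples() {
    dir=$(mktemp -d)
    cat > "$dir/vulnerable.in.sh" <<'EOF'
# Constructed to mirror the affected default: the option is uncommented.
ENABLE_REMOTE_JMX_OPTS="true"
RMI_PORT=18983
EOF
    cat > "$dir/fixed.in.sh" <<'EOF'
# Constructed mitigated file: old line commented out, value set to false.
#ENABLE_REMOTE_JMX_OPTS="true"
ENABLE_REMOTE_JMX_OPTS=false   # CVE-2019-12409 mitigation
EOF
    echo "$dir"
}

SAMPLES=$(make_samples)
for f in "$SAMPLES/vulnerable.in.sh" "$SAMPLES/fixed.in.sh"; do
    check_solr_in_sh "$f" || :    # keep going so both verdicts are printed
done
```

Point the check at the effective file on each node (the announcement notes it may live under /etc/defaults/ or elsewhere depending on the install), then confirm in the Solr Admin UI's "Java Properties" section that no com.sun.management.jmxremote* properties remain, as the advisory describes.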