[ https://issues.apache.org/jira/browse/SOLR-18233?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jan Høydahl updated SOLR-18233:
-------------------------------
    Description: 
h2. The CVE text

Hardcoded credentials in the Basic Authentication setup tool (bin/solr auth 
enable) in Apache Solr versions 9.4.0 through 9.10.1 and 10.0.0 allows a remote 
attacker to gain full administrative access to the cluster via publicly known 
default credentials installed silently alongside the user-specified account.

As an immediate workaround without upgrading, delete the template users 
(superadmin, admin, search, index) from security.json or change their passwords.

Not affected:
 *  Clusters where bin/solr auth enable was not used to bootstrap BasicAuth
 *  Clusters where template users have been assigned strong passwords after 
bootstrap
h2. Mitigation

If you came here from the link in the CVE, there is nothing more for you to do 
than what is written above. Delete the template users or change their passwords.
h2. No code changes?

There will be code changes for 

  was:
h2. The CVE text

Hardcoded credentials in the Basic Authentication setup tool (bin/solr auth 
enable) in Apache Solr versions 9.4.0 through 9.10.1 and 10.0.0 allows a remote 
attacker to gain full administrative access to the cluster via publicly known 
default credentials installed silently alongside the user-specified account.

As an immediate workaround without upgrading, delete the template users 
(superadmin, admin, search, index) from security.json or change their passwords.

Not affected:
 *  Clusters where bin/solr auth enable was not used to bootstrap BasicAuth
 *  Clusters where template users have been assigned strong passwords after 
bootstrap
h2. Mitigation

If you came here from the link in the CVE, there is nothing more for you to do 
than what is written above. Delete the template users or change their passwords.
h2. What code changes this Jira will do

This Jira issue will add these changes in upcoming 9.11 and 10.1 releases:
 * Remove the superadmin template user
 * Do not set passwords for remaining template users, so operator needs to 
change password
 * Echo to console after use of {{bin/solr auth enable}} that users are created 
and their passwords must be set
 * Document the auth enable command better


> CVE-2026-44825 SolrCloud bin/solr hardcoded credentials
> -------------------------------------------------------
>
>                 Key: SOLR-18233
>                 URL: https://issues.apache.org/jira/browse/SOLR-18233
>             Project: Solr
>          Issue Type: Bug
>      Security Level: Public(Default Security Level. Issues are Public) 
>          Components: Authentication, security
>    Affects Versions: 9.4, 9.5, 9.6, 9.7, 9.8, 9.9, 9.10, 10.0, 9.10.1
>            Reporter: Jan Høydahl
>            Assignee: Jan Høydahl
>            Priority: Blocker
>             Fix For: 10.1, 9.11
>
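As an added check for the mitigation described in the issue (this is example code, not Solr project code): a Python script that reads a security.json, reports which of the template users (superadmin, admin, search, index) are still defined, and returns a copy with them removed from both the BasicAuth credentials and the authorization user-role map. The sample document and its hash/salt strings are constructed placeholders, and the `keep` parameter is an assumption for template accounts whose password the operator has already changed.

```python
import json

# Template accounts that "bin/solr auth enable" installs next to the operator's own
# user (names from the advisory above).
TEMPLATE_USERS = ("superadmin", "admin", "search", "index")

def find_template_users(security):
    """Template user names still present under authentication.credentials."""
    creds = security.get("authentication", {}).get("credentials", {})
    return [u for u in TEMPLATE_USERS if u in creds]

def remove_template_users(security, keep=()):
    """Return (cleaned copy, removed names): template users are dropped from the
    BasicAuth credentials and from the authorization user-role map; names in
    `keep` (accounts whose password the operator already changed) are left."""
    cleaned = json.loads(json.dumps(security))  # deep copy, input stays untouched
    drop = sorted(u for u in find_template_users(security) if u not in keep)
    creds = cleaned.get("authentication", {}).get("credentials", {})
    roles = cleaned.get("authorization", {}).get("user-role", {})
    for user in drop:
        creds.pop(user, None)
        roles.pop(user, None)
    return cleaned, drop

def audit(security_json_text, keep=()):
    """Parse security.json text -> (template users found, cleaned dict, removed)."""
    security = json.loads(security_json_text)
    found = find_template_users(security)
    cleaned, dropped = remove_template_users(security, keep)
    return found, cleaned, dropped

# Constructed sample in the shape of the security.json that "bin/solr auth enable"
# writes; the hash/salt strings are placeholders, not the real template credentials.
SAMPLE_SECURITY_JSON = """{
  "authentication": {
    "blockUnknown": true, "class": "solr.BasicAuthPlugin",
    "credentials": {
      "opsuser": "HASH-PLACEHOLDER SALT-PLACEHOLDER",
      "superadmin": "HASH-PLACEHOLDER SALT-PLACEHOLDER",
      "admin": "HASH-PLACEHOLDER SALT-PLACEHOLDER",
      "search": "HASH-PLACEHOLDER SALT-PLACEHOLDER"
    }
  },
  "authorization": {
    "class": "solr.RuleBasedAuthorizationPlugin",
    "user-role": {"opsuser": "admin", "superadmin": "admin", "admin": "admin", "search": "search"}
  }
}"""
```

Run `audit()` on the cluster's real security.json and, after reviewing the removed names, upload the cleaned document as the new security.json; the script only matches on user name, so a template account that was re-passworded after bootstrap must be passed in `keep`.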



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
