Hi -

There are many "vulnerabilities" that can be enabled when one has 
administrative access to Solr, with this being one example.   The setting 
mentioned defaults to false, and requires admin access to enable.

The warning from the Solr Reference Guide is worth repeating here:

>> No Solr API, including the Admin UI, is designed to be exposed to 
>> non-trusted parties. 

Turning on authentication is the first step I'd recommend.

        Erik


> On Oct 31, 2019, at 11:45 PM, Huawei PSIRT <ps...@huawei.com> wrote:
> 
> Dear,
> 
> 
> 
>    This is Huawei PSIRT. We have learned that a security researcher
> <https://gist.github.com/s00py/a1ba36a3689fa13759ff910e179fc133> released an
> Apache Solr RCE suspected vulnerability on October 31, 2019.
> 
>    The links are as follows:
> https://meterpreter.org/unpatch-apache-solr-remote-command-execution-vulnerability-alert/
> 
> https://gist.github.com/s00py/a1ba36a3689fa13759ff910e179fc133
> 
> 
> 
>     We want to confirm if the issue exists. If it exists, when will the
> patches be released?
> 
>     Looking forward to your reply. Thank you.
> 
> 
> 
> Best Regards,
> 
> Huawei PSIRT
> 
