Some of you may have seen an article earlier this week by ZDNet describing two vulnerabilities in Apache Solr that have also been published elsewhere. The Lucene PMC would like to update our user community about what we have done and are doing to address the two issues.
The first issue noted, CVE-2019-12409, was announced a couple of weeks ago and exists in Solr 8.1.1-8.2.0. This issue was caused by a bad default option in the 'solr.in.sh' configuration file that allows remote JMX connections by default; it can be mitigated by changing the setting. More details are in the mailing list announcement here: https://s.apache.org/98nsn. Solr 8.3.0 properly sets the correct default option.

The second issue allows Remote Code Execution through custom Velocity templates. This issue now has a CVE: CVE-2019-17558. It affects versions 7.0.0 through 8.3.0. Solr is working on an 8.3.1 release to fix this bug; we are voting on a release candidate now and it should be released by early next week. We will make a formal announcement about it and update the CVE databases when 8.3.1 is released. We will likely also release a 7.7.3 for users still on 7.x, but have not initiated that release process yet.

This vulnerability is only exploitable if these conditions are in place:

1. You have not disabled the Config API, or you do not restrict access to the Config API via authentication/authorization settings.
2. You allow connections to Solr APIs from outside your firewall.

You can mitigate this vulnerability right now by setting the system parameter "-Ddisable.configEdit=true" and restarting Solr. If you have already secured Solr behind a firewall and you have authentication in place for all users, then we believe your risk from this bug is very low. If you don't use the Config API, we recommend disabling it even if you have a firewall and authentication in place.

In future releases, we plan to minimize the set of enabled, pre-configured plugins in Solr's default configset. This will not only reduce security risks but will also be a simplification. A new plugin management system is coming soon, and we will look to use that as much as possible to make Solr as secure as possible out of the box.
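As an added example (not part of the PMC announcement or the Solr project), a small POSIX shell audit of a solr.in.sh file for the two settings above: it reports whether remote JMX is switched on (the CVE-2019-12409 default) and whether -Ddisable.configEdit=true is present in SOLR_OPTS. It assumes the solr.in.sh variable name ENABLE_REMOTE_JMX_OPTS, which bin/solr reads, and it builds a constructed sample file rather than touching a real installation.

```shell
#!/bin/sh
# Audit a solr.in.sh for the two settings discussed in the announcement.
# Added example; the sample file below is constructed, not from any real host.

# make_sample FILE: write a constructed, deliberately weak solr.in.sh.
make_sample() {
  cat > "$1" <<'EOF'
# constructed sample solr.in.sh
SOLR_HEAP="512m"
ENABLE_REMOTE_JMX_OPTS="true"
SOLR_OPTS="$SOLR_OPTS -Dsolr.autoSoftCommit.maxTime=3000"
EOF
}

# jmx_remote_setting FILE: print the effective ENABLE_REMOTE_JMX_OPTS value.
# The last uncommented assignment wins, as it does when bin/solr sources the file;
# an empty result means the variable is unset (remote JMX off, the 8.3.0 default).
jmx_remote_setting() {
  grep -E '^[[:space:]]*ENABLE_REMOTE_JMX_OPTS=' "$1" | tail -n 1 \
    | sed -E 's/^[^=]*=//' | tr -d "\"'"
}

# config_edit_disabled FILE: succeed if SOLR_OPTS carries -Ddisable.configEdit=true.
config_edit_disabled() {
  grep -Eq '^[[:space:]]*SOLR_OPTS=.*-Ddisable\.configEdit=true' "$1"
}

# audit_solr_in_sh FILE: print findings; return 0 only if both settings are hardened.
audit_solr_in_sh() {
  f="$1"; rc=0
  jmx=$(jmx_remote_setting "$f")
  if [ "${jmx:-false}" = "true" ]; then
    echo "FINDING: ENABLE_REMOTE_JMX_OPTS=true in $f (remote JMX exposed, CVE-2019-12409 default)"
    rc=1
  fi
  if ! config_edit_disabled "$f"; then
    echo "FINDING: -Ddisable.configEdit=true missing from SOLR_OPTS in $f (Config API remains editable)"
    rc=1
  fi
  return $rc
}

# Demo on the constructed sample: both findings are expected, so exit status is 1.
sample=$(mktemp)
make_sample "$sample"
audit_solr_in_sh "$sample" || true
rm -f "$sample"
```

Run it against the real file, e.g. /etc/default/solr.in.sh, once you have confirmed the variable names match your Solr version's bin/solr script.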
We'd like to make sure everyone is aware of the wiki page that the PMC maintains about known vulnerabilities: https://cwiki.apache.org/confluence/display/solr/SolrSecurity. This page provides a straightforward way to know what vulnerabilities have been discovered to date, whether your version is impacted, and how to mitigate your risks.

Now is also a great time to take a few moments to review how you have secured your Solr installation. You should always put Solr behind a firewall, require SSL, and implement authentication for all users at a minimum. These steps make any attack more difficult to execute. Historically, there have been very few vulnerabilities reported to Solr that did not first require a bad actor to have unauthorized access to the system. As with any system, adopting a defense-in-depth approach to securing Solr is a best practice. Be sure to refer to the Solr Reference Guide section for more details about available configuration options: https://lucene.apache.org/solr/guide/securing-solr.html.

If you have questions about securing Solr after reviewing the available information and documentation, please feel free to ask a question on this mailing list and we will work to get you a response as quickly as we can. To report a suspected vulnerability, please email secur...@lucene.apache.org.

Best Regards,
The Lucene PMC