==================================================================== CERT-Renater Note d'Information No. 2020/VULN216 _____________________________________________________________________ DATE : 20/04/2020 HARDWARE PLATFORM(S): / OPERATING SYSTEM(S): Systems running Apache Solr versions prior to 8.4. ===================================================================== https://lucene.apache.org/solr/security.html#cve-2019-17558-apache-solr-rce-through-velocityresponsewriter _____________________________________________________________________ [CVE-2019-17558] Apache Solr RCE through VelocityResponseWriter Severity: High Vendor: The Apache Software Foundation Versions Affected: 5.0.0 to 8.3.1 Description: The affected versions are vulnerable to a Remote Code Execution through the VelocityResponseWriter. A Velocity template can be provided through Velocity (.vm) templates in a configset `velocity/` directory or as a parameter. A user defined configset could contain renderable, potentially malicious, templates. Parameter provided templates are disabled by default, but can be enabled by setting `params.resource.loader.enabled` by defining a response writer with that setting set to `true`. Defining a response writer requires configuration API access. Solr 8.4 removed the params resource loader entirely, and only enables the configset-provided template rendering when the configset is `trusted` (has been uploaded by an authenticated user). Mitigation: Ensure your network settings are configured so that only trusted traffic communicates with Solr, especially to the configuration APIs. Credits: Github user `s00py` References: * https://cwiki.apache.org/confluence/display/solr/SolrSecurity * https://issues.apache.org/jira/browse/SOLR-13971 * https://issues.apache.org/jira/browse/SOLR-14025 ========================================================= + CERT-RENATER | tel : 01-53-94-20-44 + + 23/25 Rue Daviel | fax : 01-53-94-20-41 + + 75013 Paris | email:cert@support.renater.fr + =========================================================