
====================================================================

                             CERT-Renater

                 Information Note No. 2020/VULN568
_____________________________________________________________________

DATE                : 13/10/2020

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Apache Solr versions prior to 8.6.3.

=====================================================================
http://mail-archives.apache.org/mod_mbox/www-announce/202010.mbox/%3cCAECwjAWCVLoVaZy=TNRQ6Wk9KWVxdPRiGS8NT+PHMJCxbbsEVg@mail.gmail.com%3e
_____________________________________________________________________

Severity: High

Vendor: The Apache Software Foundation

Versions Affected:
6.6.0 to 6.6.5
7.0.0 to 7.7.3
8.0.0 to 8.6.2

Description:
Solr prevents certain features considered dangerous (they could be used
for remote code execution) from being configured in a ConfigSet that is
uploaded via the API without authentication/authorization. The checks in
place to block such features can be circumvented by using a combination
of UPLOAD and CREATE actions.


Mitigation:
Any one of the following is enough to prevent this vulnerability:
* Disable the UPLOAD command of the ConfigSets API, if it is not used, by
setting the system property "configset.upload.enabled" to "false" [1].
* Use Authentication/Authorization and make sure unknown requests aren't
allowed [2].
* Upgrade to Solr 8.6.3 or greater.
* If upgrading is not an option, consider applying the patch in SOLR-14663
[3].
* No Solr API, including the Admin UI, is designed to be exposed to
non-trusted parties. Tune your firewall so that only trusted computers
and people are allowed access.
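For operators who cannot apply the fixes immediately, the UPLOAD-then-CREATE
combination described above is easy to spot in Solr's request log. The
following detection routine is an added example, not part of this advisory
or of Solr itself; the log lines are constructed in the style of Solr's
HttpSolrCall request logging (the exact format of your solr.log may differ),
while the parameter names action, name and baseConfigSet are those of the
real ConfigSets API.

```python
import re
from typing import Dict, List, Optional

# Constructed sample lines modelled on Solr's HttpSolrCall request logging.
# They are illustrative only and were not captured from a real deployment.
SAMPLE_LOG = """\
2020-10-13 09:58:01.101 INFO  (qtp1-14) [   ] o.a.s.s.HttpSolrCall [admin] webapp=null path=/admin/configs params={action=LIST&wt=json} status=0 QTime=2
2020-10-13 09:58:07.420 INFO  (qtp1-15) [   ] o.a.s.s.HttpSolrCall [admin] webapp=null path=/admin/configs params={action=UPLOAD&name=staged&wt=json} status=0 QTime=31
2020-10-13 09:58:09.002 INFO  (qtp1-16) [   ] o.a.s.s.HttpSolrCall [admin] webapp=null path=/admin/configs params={action=CREATE&name=live&baseConfigSet=staged&wt=json} status=0 QTime=58
2020-10-13 09:59:00.000 INFO  (qtp1-17) [   ] o.a.s.s.HttpSolrCall [admin] webapp=null path=/admin/collections params={action=LIST&wt=json} status=0 QTime=1
"""

# Extracts the request path and the raw query string from one log line.
LINE_RE = re.compile(r"path=(?P<path>\S+) params=\{(?P<params>[^}]*)\}")


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return the path plus decoded query parameters, or None if the line
    is not a request-log line."""
    m = LINE_RE.search(line)
    if not m:
        return None
    params: Dict[str, str] = {}
    for pair in m.group("params").split("&"):
        if pair:
            key, _, value = pair.partition("=")
            params[key] = value
    params["path"] = m.group("path")
    return params


def find_configset_chains(log_text: str) -> List[Dict[str, str]]:
    """Flag ConfigSets API CREATE calls whose baseConfigSet was itself
    UPLOADed earlier in the same log: the UPLOAD/CREATE combination the
    advisory describes. Every UPLOAD is also worth reviewing on a node
    where configset.upload.enabled is supposed to be false."""
    uploaded = set()
    alerts: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        req = parse_line(line)
        if not req or req["path"] != "/admin/configs":
            continue
        action = req.get("action", "").upper()
        if action == "UPLOAD":
            uploaded.add(req.get("name", ""))
        elif action == "CREATE" and req.get("baseConfigSet") in uploaded:
            alerts.append({"created": req.get("name", ""),
                           "base": req["baseConfigSet"], "line": line})
    return alerts
```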


Credit:
Tomás Fernández Löbbe, András Salamon


References:
[1] https://lucene.apache.org/solr/guide/8_6/configsets-api.html
[2] https://lucene.apache.org/solr/guide/8_6/authentication-and-authorization-plugins.html
[3] https://issues.apache.org/jira/browse/SOLR-14663
[4] https://issues.apache.org/jira/browse/SOLR-14925
[5] https://wiki.apache.org/solr/SolrSecurity


=========================================================
+ CERT-RENATER       |    tel : 01-53-94-20-44          +
+ 23/25 Rue Daviel   |    fax : 01-53-94-20-41          +
+ 75013 Paris        |    email:cert@support.renater.fr +
=========================================================


