
=====================================================================

                               CERT-Renater

                     Note d'Information No. 2021/VULN667
_____________________________________________________________________

DATE                : 20/12/2021

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Apache Solr versions prior to
                     8.11.1.

=====================================================================
https://solr.apache.org/security.html#cve-2021-44548-apache-solr-information-disclosure-vulnerability-through-dataimporthandler
_____________________________________________________________________

2021-12-18, CVE-2021-44548: Apache Solr information disclosure 
vulnerability through DataImportHandler


Severity:
Moderate

Versions Affected:
All versions prior to 8.11.1. Affected platforms: Windows.


Description:
An Improper Input Validation vulnerability in DataImportHandler of
Apache Solr allows an attacker to provide a Windows UNC path resulting
in an SMB network call being made from the Solr host to another host on
the network. If the attacker has wider access to the network, this may
lead to SMB attacks, which may result in:

  The exfiltration of sensitive data such as OS user hashes (NTLM/LM
   hashes).
  In case of misconfigured systems, SMB Relay Attacks, which can lead to
   user impersonation on SMB Shares or, in a worst-case scenario, Remote
   Code Execution.

This issue affects all Apache Solr versions prior to 8.11.1. This issue
only affects Windows.
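The failure class named above is a path taken from a client request and handed to the operating system, which on Windows resolves a UNC location (\\host\share) over SMB. The following is an added Python example, not Solr's code and not the SOLR-15826 fix: a stand-alone validator that refuses every spelling of a UNC location before a path reaches the filesystem, so that a server only ever opens local files. The host names in the sample inputs are constructed.

```python
from urllib.parse import urlparse

# Added illustration of the input-validation failure class behind
# CVE-2021-44548; not Solr's code and not the SOLR-15826 fix.


def _normalise_separators(value: str) -> str:
    """Windows accepts '/' and '\\' interchangeably, so map both to '\\'."""
    return value.strip().replace("/", "\\")


def is_unc_path(value: str) -> bool:
    """True if Windows would resolve `value` over the network (UNC / SMB).

    Covers the plain form \\\\host\\share, the forward-slash form //host/share,
    the long form \\\\?\\UNC\\host\\share and device paths \\\\.\\..., plus
    file: URLs that name a host or carry a UNC path. Any host in a file: URL,
    localhost included, is refused rather than special-cased.
    """
    if not value:
        return False
    v = value.strip()
    if v.lower().startswith("file:"):
        parts = urlparse(v)
        if parts.netloc:          # file://host/share names a remote host
            return True
        v = parts.path            # file:////host/share leaves path //host/share
    return _normalise_separators(v).startswith("\\\\")


def check_import_path(value: str) -> tuple:
    """Return (accepted, reason) for a path supplied by a client."""
    if not value or not value.strip():
        return False, "empty path"
    if is_unc_path(value):
        return False, "UNC/network path rejected"
    return True, "local path"


# Constructed sample inputs (fake host names); not taken from the advisory.
SAMPLE_INPUTS = [
    r"\\fileserver01\share\import.xml",
    "//fileserver01/share/import.xml",
    r"\\?\UNC\fileserver01\share\import.xml",
    "file://fileserver01/share/import.xml",
    "file:////fileserver01/share/import.xml",
    r"file:\\fileserver01\share\import.xml",
    "file:///C:/solr/import.xml",
    r"C:\solr\import.xml",
    "/var/solr/import.xml",
]

if __name__ == "__main__":
    for sample in SAMPLE_INPUTS:
        accepted, reason = check_import_path(sample)
        print(f"{'ACCEPT' if accepted else 'REJECT':6} {reason:28} {sample}")
```

The validator is deliberately an allow-list on shape rather than a deny-list of host names: anything that begins with two separators after normalisation, in either URL or raw form, is treated as remote. Restricting which clients may reach the handler at all, as the mitigation below requires, remains the primary control.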


Mitigation:
Upgrade to Solr 8.11.1, and/or ensure only trusted clients can make
requests to Solr's DataImport handler.


Credit:
Apache Solr would like to thank LaiHan of Nsfocus security team for
reporting the issue.


References:
Jira issue SOLR-15826

_____________________________________________________________________

2021-12-10, Apache Solr affected by Apache Log4J CVE-2021-44228


Severity: Critical


Versions Affected: 7.4.0 to 7.7.3, 8.0.0 to 8.11.0

Description: Apache Solr releases prior to 8.11.1 were using a bundled
version of the Apache Log4J library vulnerable to RCE. For full impact
and additional detail consult the Log4J security page.

Apache Solr releases prior to 7.4 (i.e. Solr 5, Solr 6, and Solr 7
through 7.3) use Log4J 1.2.17 which may be vulnerable for installations
using non-default logging configurations that include the JMS Appender,
see
https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126 
for discussion.

Solr's Prometheus Exporter uses Log4J as well but it does not log user
input or data, so we don't see a risk there.

Apache Solr releases are not vulnerable to the followup CVE-2021-45046
and CVE-2021-45105, because the MDC patterns used by Solr are for the
collection, shard, replica, core and node names, and a potential trace
id, which are all sanitized and injected into log files with "%X".
Passing system property log4j2.formatMsgNoLookups=true (as described
below) is suitable to mitigate.

Mitigation: Any of the following are enough to prevent this
vulnerability for Solr servers:

  Upgrade to Solr 8.11.1 or greater (when available), which will include
   an updated version (>= 2.16.0) of the Log4J dependency.
  If you are using Solr's official docker image, it has already been
   mitigated in all versions listed as supported on Docker Hub:
   https://hub.docker.com/_/solr. You may need to re-pull the image.
  Manually update the version of Log4J on your runtime classpath and
   restart your Solr application.
  (Linux/MacOS) Edit your solr.in.sh file to include:
   SOLR_OPTS="$SOLR_OPTS -Dlog4j2.formatMsgNoLookups=true"
  (Windows) Edit your solr.in.cmd file to include:
   set SOLR_OPTS=%SOLR_OPTS% -Dlog4j2.formatMsgNoLookups=true
  Follow any of the other mitigations listed at
   https://logging.apache.org/log4j/2.x/security.html
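The checks an administrator would run to confirm the mitigations above, as an added Python example (not part of the advisory and not Solr's own tooling): it classifies a Solr version against the affected ranges stated above, finds log4j-core jars below 2.16.0 under a classpath directory (taking the version from the filename, or from the jar manifest when the filename carries none), and verifies that an uncommented SOLR_OPTS line in solr.in.sh carries the formatMsgNoLookups property. The directory it scans is a constructed temporary tree of fake jars, not a real Solr installation; the sub-directory names are chosen for the sample.

```python
import os
import re
import tempfile
import zipfile
from typing import List, Optional, Tuple

# Added administrator checks for the mitigations in the advisory; not part
# of the advisory and not Solr's own tooling.

Version = Tuple[int, int, int]

# Affected Solr ranges exactly as stated in the advisory (inclusive).
AFFECTED_SOLR_RANGES = (((7, 4, 0), (7, 7, 3)), ((8, 0, 0), (8, 11, 0)))
LOG4J_FIXED = (2, 16, 0)           # advisory: Solr 8.11.1 ships Log4J >= 2.16.0
NO_LOOKUPS_FLAG = "-Dlog4j2.formatMsgNoLookups=true"


def parse_version(text: str) -> Optional[Version]:
    """Extract the first x.y[.z] triple from text; a missing patch level is 0."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        return None
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def solr_version_affected(version: str) -> bool:
    """True if the Solr version string falls in one of the affected ranges."""
    v = parse_version(version)
    return v is not None and any(lo <= v <= hi for lo, hi in AFFECTED_SOLR_RANGES)


def log4j_core_version(jar_path: str) -> Optional[Version]:
    """Version from the jar filename, else from META-INF/MANIFEST.MF inside it."""
    m = re.match(r"log4j-core-(\d+\.\d+(?:\.\d+)?)\.jar$", os.path.basename(jar_path))
    if m:
        return parse_version(m.group(1))
    with zipfile.ZipFile(jar_path) as jar:
        try:
            manifest = jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
        except KeyError:
            return None
    m = re.search(r"^Implementation-Version:\s*(\S+)", manifest, re.MULTILINE)
    return parse_version(m.group(1)) if m else None


def find_vulnerable_log4j(root: str) -> List[Tuple[str, Optional[Version]]]:
    """Every log4j-core jar under root that is below LOG4J_FIXED or unversioned."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.startswith("log4j-core") and name.endswith(".jar"):
                path = os.path.join(dirpath, name)
                version = log4j_core_version(path)
                if version is None or version < LOG4J_FIXED:
                    hits.append((path, version))
    return sorted(hits)


def solr_in_sh_has_mitigation(text: str) -> bool:
    """True if an uncommented SOLR_OPTS= line carries the no-lookups flag."""
    for line in text.splitlines():
        code = line.split("#", 1)[0].strip()   # drop trailing / whole-line comments
        if code.startswith("SOLR_OPTS=") and NO_LOOKUPS_FLAG in code:
            return True
    return False


def build_constructed_tree() -> str:
    """Constructed sample: a temp dir holding two fake jars (not real Solr files)."""
    root = tempfile.mkdtemp(prefix="solr-log4j-check-")
    lib = os.path.join(root, "server", "lib", "ext")   # sample layout only
    os.makedirs(lib)
    for name, manifest_version in (("log4j-core-2.14.1.jar", "2.14.1"),
                                   ("log4j-core.jar", "2.16.0")):
        with zipfile.ZipFile(os.path.join(lib, name), "w") as jar:
            jar.writestr("META-INF/MANIFEST.MF",
                         f"Manifest-Version: 1.0\nImplementation-Version: {manifest_version}\n")
    return root


if __name__ == "__main__":
    for v in ("7.3.1", "7.4.0", "8.11.0", "8.11.1"):
        print(f"Solr {v}: {'affected' if solr_version_affected(v) else 'not affected'}")
    for path, version in find_vulnerable_log4j(build_constructed_tree()):
        print("needs update:", path, version)
    sample_sh = 'SOLR_OPTS="$SOLR_OPTS -Dlog4j2.formatMsgNoLookups=true"\n'   # constructed
    print("solr.in.sh mitigated:", solr_in_sh_has_mitigation(sample_sh))
```

Run against a real installation by replacing the constructed tree with the Solr home or server directory; a jar whose version cannot be determined at all is reported alongside the old ones, since an unknown Log4J version should be treated as unpatched until confirmed.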


References: https://logging.apache.org/log4j/2.x/security.html


=========================================================
+ CERT-RENATER       |    tel : 01-53-94-20-44          +
+ 23/25 Rue Daviel   |    fax : 01-53-94-20-41          +
+ 75013 Paris        |    email:cert@support.renater.fr +
=========================================================

