
=====================================================================

                            CERT-Renater

                Note d'Information No. 2026/VULN069
_____________________________________________________________________

DATE                : 23/01/2026

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Apache Solr versions prior to
                     9.10.1.

=====================================================================
https://lists.apache.org/thread/qkrb9dd4xrlqmmq73lrhkbfkttto2d1m
https://lists.apache.org/thread/d59hqbgo7p62myq7mgfpz7or8n1j7wbn
_____________________________________________________________________

CVE-2026-22444: Apache Solr: Insufficient file-access checking in 
standalone core-creation requests
Severity: moderate 

Affected versions:

- Apache Solr 8.6 through 9.10.0

Description:

The "create core" API of Apache Solr 8.6 through 9.10.0 lacks 
sufficient input validation on some API parameters, which can cause 
Solr to check the existence of and attempt to read file-system paths 
that should be disallowed by Solr's "allowPaths" security setting 
(https://solr.apache.org/guide/solr/latest/configuration-guide/configuring-solr-xml.html#the-solr-element).
These read-only accesses can allow users to create cores using 
unexpected configsets if any are accessible via the filesystem.  On 
Windows systems configured to allow UNC paths this can additionally 
cause disclosure of NTLM "user" hashes.

Solr deployments are subject to this vulnerability if they meet the 
following criteria:
  *  Solr is running in its "standalone" mode.
  *  Solr's "allowPaths" setting is being used to restrict file access 
to certain directories.
  *  Solr's "create core" API is exposed and accessible to untrusted 
users.  This can happen if Solr's RuleBasedAuthorizationPlugin 
(https://solr.apache.org/guide/solr/latest/deployment-guide/rule-based-authorization-plugin.html)
is disabled, or if it is enabled but the "core-admin-edit" predefined 
permission (or an equivalent custom permission) is given to low-trust 
(i.e. non-admin) user roles.

Users can mitigate this by enabling Solr's 
RuleBasedAuthorizationPlugin (if disabled) and configuring a 
permission-list that prevents untrusted users from creating new Solr 
cores.  Users should also upgrade to Apache Solr 9.10.1 or greater, 
which contains fixes for this issue.

This issue is being tracked as SOLR-18058 

Credit:

Damon Toey (finder)

References:

https://solr.apache.org
https://www.cve.org/CVERecord?id=CVE-2026-22444
https://issues.apache.org/jira/browse/SOLR-18058

_____________________________________________________________________

CVE-2026-22022: Apache Solr: Unauthorized bypass of certain 
"predefined permission" rules in the RuleBasedAuthorizationPlugin
Severity: moderate 

Affected versions:

- Apache Solr 5.3 through 9.10.0

Description:

Deployments of Apache Solr 5.3.0 through 9.10.0 that rely on Solr's 
"Rule Based Authorization Plugin" are vulnerable to unauthorized 
access to certain Solr APIs, due to insufficiently strict input 
validation in that plugin.  Only deployments that meet all of the 
following criteria are impacted by this vulnerability:

  *  Use of Solr's "RuleBasedAuthorizationPlugin"
  *  A RuleBasedAuthorizationPlugin config (see security.json) that 
specifies multiple "roles"
  *  A RuleBasedAuthorizationPlugin permission list (see 
security.json) that uses one or more of the following pre-defined 
permission rules: "config-read", "config-edit", "schema-read", 
"metrics-read", or "security-read".
  *  A RuleBasedAuthorizationPlugin permission list that doesn't 
define the "all" pre-defined permission
  *  A networking setup that allows clients to make unfiltered network 
requests to Solr (i.e. user-submitted HTTP/HTTPS requests reach Solr 
as-is, neither modified nor restricted by any intervening proxy or 
gateway).

Users can mitigate this vulnerability by ensuring that their 
RuleBasedAuthorizationPlugin configuration specifies the "all" 
pre-defined permission and associates the permission with an "admin" 
or other privileged role.  Users can also upgrade to a Solr version 
outside of the impacted range, such as the recently released Solr 
9.10.1.
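Both mitigations above (restricting "core-admin-edit" to trusted roles for CVE-2026-22444, and defining an "all" catch-all permission for CVE-2026-22022) can be checked against a deployment's security.json. The audit below is an added example written for this note, not code from the Apache Solr project or the advisory; the sample configurations are constructed, and treating only the role named "admin" as trusted is an assumption passed in as admin_roles.

```python
import json

# Predefined permissions the advisory names for CVE-2026-22022.
BYPASSABLE_RULES = {"config-read", "config-edit", "schema-read",
                    "metrics-read", "security-read"}

def _roles(rule):
    """Roles a rule grants; null and "*" both mean it is not limited to a named role."""
    role = rule.get("role")
    if role is None or role == "*":
        return {"*"}
    return {role} if isinstance(role, str) else set(role)

def audit_security_json(text, admin_roles=frozenset({"admin"})):
    """Return the advisory criteria a security.json document meets.
    admin_roles is an assumption about which roles are trusted."""
    authz = json.loads(text).get("authorization", {})
    findings = []
    if "RuleBasedAuthorizationPlugin" not in authz.get("class", ""):
        return ["rbap-disabled"]        # exposure criterion for CVE-2026-22444
    perms = authz.get("permissions", [])
    names = {p.get("name") for p in perms}
    roles = set().union(*(_roles(p) for p in perms), *(
        {r} if isinstance(r, str) else set(r)
        for r in authz.get("user-role", {}).values()))
    # CVE-2026-22022: several named roles, a bypassable rule, and no "all" catch-all.
    if len(roles - {"*"}) > 1 and names & BYPASSABLE_RULES and "all" not in names:
        findings.append("missing-all-permission")
    # CVE-2026-22444: "core-admin-edit" granted to a role outside admin_roles.
    if any(p.get("name") == "core-admin-edit" and _roles(p) - set(admin_roles)
           for p in perms):
        findings.append("core-admin-edit-low-trust")
    return findings

# Constructed samples: a weak config meeting both criteria sets, and the corrected one.
WEAK_SECURITY_JSON = """{
  "authentication": {"class": "solr.BasicAuthPlugin", "blockUnknown": true,
                     "credentials": {"solr": "<hash>", "alice": "<hash>"}},
  "authorization": {"class": "solr.RuleBasedAuthorizationPlugin",
    "permissions": [{"name": "config-read", "role": "dev"},
                    {"name": "core-admin-edit", "role": ["admin", "dev"]},
                    {"name": "security-edit", "role": "admin"}],
    "user-role": {"solr": "admin", "alice": "dev"}}}"""

HARDENED_SECURITY_JSON = WEAK_SECURITY_JSON.replace(
    '"role": ["admin", "dev"]', '"role": "admin"').replace(
    '{"name": "security-edit", "role": "admin"}',
    '{"name": "security-edit", "role": "admin"}, {"name": "all", "role": "admin"}')
```

Running audit_security_json on WEAK_SECURITY_JSON reports both findings, while HARDENED_SECURITY_JSON, which grants "core-admin-edit" and "all" to the admin role only, reports none.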

This issue is being tracked as SOLR-18054 

Credit:

monkeontheroof (finder)

References:

https://solr.apache.org
https://www.cve.org/CVERecord?id=CVE-2026-22022
https://issues.apache.org/jira/browse/SOLR-18054


=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================