Recently, Apache Solr fixed a vulnerability (CVE-2020-13957) in the Configsets API upload function. Attackers could perform unauthorized operations by using a combination of UPLOAD/CREATE actions, which might eventually lead to command execution.
Apache Solr is an enterprise search server that is based on Lucene.
When running Solr in SolrCloud mode, users can create, delete and otherwise manage configsets via the Configsets API.
When a configset is uploaded by performing the UPLOAD operation via Configsets API, if authentication is enabled and the upload request has been authenticated, the configset is uploaded in “trusted” mode. Without authentication, the configset is uploaded in “untrusted” mode.
However, when the CREATE operation is performed via the Configsets API, a new configset is created by copying a configset that was uploaded earlier. The new configset does not carry the trusted flag of its base, and because the flag is absent, the new configset is treated as “trusted”.
Thus, when uploads are not authenticated, an attacker can upload a configset whose configuration files have sensitive parameters modified, derive a new configset from it with the CREATE operation, and a collection created from that new configset might lead to command execution.
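The UPLOAD-then-CREATE chain described above leaves a recognisable trace in the Solr request log: an unauthenticated UPLOAD of a configset, a CREATE whose baseConfigSet names it, and usually a collection created from the derived configset. The script below flags that chain over sample log lines. It is an added example and not NSFOCUS's or Apache Solr's code; it assumes the request log is in NCSA common log format (third field is the authenticated user, "-" when unauthenticated) and that Configsets API requests are served under /solr/admin/configs. The log lines are constructed.

```python
"""Detect the UPLOAD -> CREATE configset chain in Solr request logs.

Added example; not NSFOCUS's or Apache Solr's code. Assumes NCSA common log
format and the /solr/admin/configs and /solr/admin/collections paths. The
sample log below is constructed.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample: one unauthenticated chain and one authenticated one.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Oct/2020:09:15:01 +0000] "POST /solr/admin/configs?action=UPLOAD&name=tmpl HTTP/1.1" 200 87
10.0.0.5 - - [12/Oct/2020:09:15:04 +0000] "GET /solr/admin/configs?action=CREATE&name=tmpl2&baseConfigSet=tmpl HTTP/1.1" 200 91
10.0.0.5 - - [12/Oct/2020:09:15:09 +0000] "GET /solr/admin/collections?action=CREATE&name=docs&collection.configName=tmpl2 HTTP/1.1" 200 120
10.0.0.9 - admin [12/Oct/2020:09:20:00 +0000] "POST /solr/admin/configs?action=UPLOAD&name=corp HTTP/1.1" 200 87
10.0.0.9 - admin [12/Oct/2020:09:20:03 +0000] "GET /solr/admin/configs?action=CREATE&name=corp2&baseConfigSet=corp HTTP/1.1" 200 91
"""

# NCSA common log format: ip ident user [timestamp] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Return a dict with ip, user, ts, path, params and status, or None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    params = {k: v[0] for k, v in parse_qs(url.query).items()}
    return {
        "ip": m.group("ip"),
        "user": m.group("user"),
        "ts": m.group("ts"),
        "path": url.path,
        "params": params,
        "status": int(m.group("status")),
    }


def find_untrusted_chains(lines):
    """Flag CREATEs whose base was uploaded without authentication, and collections using them."""
    untrusted = {}   # configset name -> record of its unauthenticated UPLOAD
    derived = {}     # configset produced by CREATE -> the untrusted base it copied
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["status"] != 200:
            continue  # rejected requests (e.g. upload disabled) are not a successful chain
        action = rec["params"].get("action", "").upper()
        name = rec["params"].get("name")
        if rec["path"].endswith("/admin/configs"):
            if action == "UPLOAD" and rec["user"] == "-":
                untrusted[name] = rec
            elif action == "CREATE":
                # baseConfigSet defaults to _default when omitted
                base = rec["params"].get("baseConfigSet", "_default")
                if base in untrusted:
                    derived[name] = base
                    findings.append({"kind": "configset-derived-from-untrusted-upload",
                                     "ts": rec["ts"], "ip": rec["ip"],
                                     "configset": name, "base": base})
        elif rec["path"].endswith("/admin/collections") and action == "CREATE":
            cfg = rec["params"].get("collection.configName")
            if cfg in derived:
                findings.append({"kind": "collection-uses-derived-configset",
                                 "ts": rec["ts"], "ip": rec["ip"],
                                 "collection": name, "configset": cfg})
    return findings


if __name__ == "__main__":
    for finding in find_untrusted_chains(SAMPLE_LOG.splitlines()):
        print(finding)
```

Only successful (HTTP 200) requests are tracked, so a node running with -Dconfigset.upload.enabled=false, whose UPLOAD requests are rejected, produces no findings; an authenticated UPLOAD (non-"-" user) is treated as trusted, matching the advisory's description.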
Affected versions:
- Apache Solr 6.6.0 – 6.6.5
- Apache Solr 7.0.0 – 7.7.3
- Apache Solr 8.0.0 – 8.6.2
Unaffected versions:
- Apache Solr version >= 8.6.3
The vendor has released version 8.6.3, which fixes the vulnerability and can be downloaded from the following link: https://lucene.apache.org/solr/downloads.html.
Mitigations (Any of the following methods can defend against the vulnerability):
1. If you do not use the UPLOAD operation of the Configsets API, disable it with the runtime parameter -Dconfigset.upload.enabled=false. For details, see the following link: https://lucene.apache.org/solr/guide/8_6/configsets-api.html.
2. Enable authentication and authorization. For details, see the following link:
3. If you cannot upgrade Solr for the time being, consider applying the patch from SOLR-14663.
4. Configure firewalls to restrict Solr API (including Admin UI) access to trusted IP addresses and users.
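A quick way to confirm whether a node still needs the upgrade or mitigation 1 is to read its system-info response. The script below is an added example and not NSFOCUS's or Apache Solr's code; it assumes the JSON returned by /solr/admin/info/system carries the version in lucene.solr-spec-version, the run mode in "mode" ("solrcloud" or "std") and the JVM arguments in jvm.jmx.commandLineArgs. The two responses are constructed, and the version ranges are the ones listed above. Authentication state (mitigation 2) is not visible in this response and is not checked.

```python
"""Assess a Solr node's exposure to CVE-2020-13957 from its system-info response.

Added example; not NSFOCUS's or Apache Solr's code. Assumed field names:
lucene.solr-spec-version, mode, jvm.jmx.commandLineArgs. Sample responses
are constructed; affected ranges come from the advisory.
"""
import json

# Affected ranges as listed in the advisory (inclusive on both ends).
AFFECTED_RANGES = [((6, 6, 0), (6, 6, 5)), ((7, 0, 0), (7, 7, 3)), ((8, 0, 0), (8, 6, 2))]

# Constructed system-info responses: one unmitigated node, one with upload disabled.
EXPOSED_NODE = json.dumps({
    "mode": "solrcloud",
    "lucene": {"solr-spec-version": "8.6.2"},
    "jvm": {"jmx": {"commandLineArgs": ["-Xms512m", "-Dsolr.log.dir=/var/solr/logs"]}},
})
HARDENED_NODE = json.dumps({
    "mode": "solrcloud",
    "lucene": {"solr-spec-version": "8.6.2"},
    "jvm": {"jmx": {"commandLineArgs": ["-Xms512m", "-Dconfigset.upload.enabled=false"]}},
})


def parse_version(text):
    """'8.6.2' or '8.6.2-SNAPSHOT' -> (8, 6, 2); missing components become 0."""
    parts = text.split("-", 1)[0].split(".")
    nums = tuple(int(p) for p in parts[:3])
    return nums + (0,) * (3 - len(nums))


def is_affected_version(text):
    """True when the version falls inside any of the advisory's affected ranges."""
    v = parse_version(text)
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


def upload_disabled(jvm_args):
    """True only when -Dconfigset.upload.enabled=false is among the JVM arguments."""
    for arg in jvm_args:
        if arg.startswith("-Dconfigset.upload.enabled="):
            return arg.split("=", 1)[1].strip().lower() == "false"
    return False  # Solr's default is enabled


def assess(system_info_json):
    """Combine version, run mode and upload flag into an exposure verdict."""
    info = json.loads(system_info_json)
    version = info["lucene"]["solr-spec-version"]
    args = info.get("jvm", {}).get("jmx", {}).get("commandLineArgs", [])
    affected = is_affected_version(version)
    cloud = info.get("mode") == "solrcloud"   # the Configsets API exists only in SolrCloud mode
    disabled = upload_disabled(args)
    return {
        "version": version,
        "affected_version": affected,
        "cloud_mode": cloud,
        "upload_disabled": disabled,
        # Exposed: affected version, SolrCloud mode, and configset upload still enabled.
        # Whether the SOLR-14663 patch or authentication is in place must be checked separately.
        "exposed": affected and cloud and not disabled,
    }


if __name__ == "__main__":
    for label, doc in (("exposed", EXPOSED_NODE), ("hardened", HARDENED_NODE)):
        print(label, assess(doc))
```

Feed the function the JSON body fetched from each node; a node reporting 8.6.3 or later, or running with the upload flag set to false, is reported as not exposed.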
This advisory is only used to describe a potential risk. NSFOCUS does not provide any commitment or promise on this advisory. NSFOCUS and the author will not bear any liability for any direct and/or indirect consequences and losses caused by transmitting and/or using this advisory. NSFOCUS reserves all the rights to modify and interpret this advisory. Please include this statement paragraph when reproducing or transferring this advisory. Do not modify this advisory, add/delete any information to/from it, or use this advisory for commercial purposes without permission from NSFOCUS.
NSFOCUS, Inc., a global network and cyber security leader, protects enterprises and carriers from advanced cyber attacks. The company’s Intelligent Hybrid Security strategy utilizes both cloud and on-premises security platforms, built on a foundation of real-time global threat intelligence, to provide multi-layered, unified and dynamic protection against advanced cyber attacks.
NSFOCUS works with Fortune Global 500 companies, including four of the world’s five largest financial institutions, organizations in insurance, retail, healthcare, critical infrastructure industries as well as government agencies. NSFOCUS has technology and channel partners in more than 60 countries, is a member of both the Microsoft Active Protections Program (MAPP), and the Cloud Security Alliance (CSA). A wholly owned subsidiary of NSFOCUS Technologies Group Co., Ltd., the company has operations in the Americas, Europe, the Middle East and Asia Pacific.