According to penetration testing specialists, a few weeks ago it was reported the finding of a zero-day vulnerability in Apache Solr, an open source enterprise search platform used by some major companies such as Adobe, Bloomber, eBay, Instagram and Netflix. Although there is even a published proof of concept, the risk of exploitation is still present.
In addition to this report, two new remote code execution vulnerabilities have emerged. The first of these flaws, tracked as CVE-2019-12409, was corrected by the Apache Solr team. On the other hand, the second vulnerability (which does not yet have identification code) remains unpatched.
The first vulnerability, reported by penetration testing expert John Ryan last July, had been considered medium severity at first. However, the researcher Matei Badanoiu has recently demonstrated that the vulnerability could be exploited to deploy a remote code execution attack, so it was reclassified as a highly serious vulnerability.
Criticism from the cybersecurity community was expected, as many believe that the initial diagnosis put dozens or even hundreds of companies at risk. Because proof-of-concept code was published on GitHub within anyone’s reach, it was highly likely that attacks began to be reported in the wild.
In this regard, Apache Solr issued a statement mentioning: “Solr versions 8.1.1 and 8.2.0 are affected by an unsafe configuration for the configuration option ENABLE_REMOTE_JMX_OPTS in the default configuration file solr.in.sh; Windows deployments are unaffected by this flaw.”
According to penetration testing experts, if a default file is used solr.in.sh on the affected versions, JMX monitoring will be enabled, exposing RMI_PORT without authentication. This scenario would allow a threat actor to access JMX, load malicious code, and run it on the Solr server.
As for the second vulnerability, a proof-of-concept was published as a GitHub Gist (code snippets published on the platform); as reported by Tenable security firm experts, the proof of concept was improperly published as it was ignored whether the company had already developed a correction.
It has been confirmed that Apache Solr versions between 7.2.2 and 8.3, the latest version, are vulnerable. In addition Tenable researchers believe that it is possible that some older versions that include the configuration API might also be vulnerable.
According to penetration testing specialists at the International Institute of Cyber Security (IICS), it is highly likely that threat actors have already accessed proof-of-concept, so we are ahead of a massive campaign of exploitation of this flaw. Even though the proof of concept is no longer on GitHub, it should be possible to find it in one of the many hacking forums on dark web.
As a precaution, server administrators should update their security settings according to the recommendations issued by each vendor, in addition to performing some tests to verify that their systems have not been previously attacked and implement authentication.