Critical vulnerability found in Apache Solr

A network security firm has reported a security vulnerability in the Apache Solr platform, whose developers have come under continuous scrutiny following the announcement of a supposed exploit. If exploited, this vulnerability would allow a threat actor to remotely execute code in Solr by sending specially crafted network traffic.

The vulnerability, tracked as CVE-2017-12629, was first reported last July and corrected in August 2019. The issue began as a low-priority warning about access to the Java Management Extensions (JMX) port: threat actors could access the monitoring data exposed through this port, the network security report mentions. Shortly after the first report, the researchers reassessed the severity of the flaw, and it came to be considered critical.

Finally, public disclosure of the critical vulnerability was issued this week. Apparently, the flaw is due to a configuration issue in the file solr.in.sh in Apache Solr. The report mentions that “an unauthenticated hacker with access to the RMI port could exploit the vulnerability to load malicious code on the server and install a shell for a second stage of attack”.

Scott Caveza, a network security specialist who reported the vulnerability as critical, mentions that its presence is limited to Apache Solr versions 8.1.1 and 8.2.0. In addition, he notes that anyone with access to a vulnerable Solr server could load the malicious code needed to exploit the flaw.

While the flaw is critical, it’s not all bad news. To fix the vulnerability, system administrators can upgrade Apache Solr to the latest version (8.3) or change the ENABLE_REMOTE_JMX_OPTS setting in the vulnerable file, according to experts from the International Institute of Cyber Security (IICS). The change can be confirmed by checking that no com.sun.management.jmxremote properties are listed in the Java Properties section of the Solr Admin interface.
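The two checks in the paragraph above (the solr.in.sh setting and the Java Properties list) can be scripted. This is an added example, not code from the report or from the Solr project. The sample files and the port value in them are constructed, and the script assumes that only the literal value `true` enables remote JMX and that the Java Properties list has been saved to a text file.

```shell
#!/bin/sh
# Print the effective ENABLE_REMOTE_JMX_OPTS value from a solr.in.sh-style file.
# The last active assignment wins; commented-out lines do not match; prints
# "unset" when the variable is never assigned.
jmx_setting() {
    awk '
        /^[ \t]*(export[ \t]+)?ENABLE_REMOTE_JMX_OPTS=/ {
            v = $0
            sub(/^[^=]*=/, "", v)           # keep only the right-hand side
            sub(/[ \t]*(#.*)?$/, "", v)     # drop trailing blanks and comment
            last = v; seen = 1
        }
        END { print (seen ? last : "unset") }
    ' "$1" | tr -d "\"'"
}

# Succeed if a saved copy of the Admin UI "Java Properties" list still shows
# any com.sun.management.jmxremote property.
jmx_props_listed() {
    grep -q 'com\.sun\.management\.jmxremote' "$1"
}

# $1 = solr.in.sh path, $2 = optional saved Java Properties text.
# Assumption: only the literal value "true" switches remote JMX on.
audit_solr() {
    setting=$(jmx_setting "$1")
    if [ "$setting" = "true" ]; then
        echo "EXPOSED: ENABLE_REMOTE_JMX_OPTS=true in $1"; return 1
    fi
    if [ -n "${2:-}" ] && jmx_props_listed "$2"; then
        echo "EXPOSED: running JVM still lists jmxremote properties"; return 1
    fi
    echo "OK: ENABLE_REMOTE_JMX_OPTS=$setting, no jmxremote properties listed"
}

# Constructed sample files (not taken from a real server).
write_samples() {
    printf '%s\n' '# SOLR_HEAP="512m"' 'ENABLE_REMOTE_JMX_OPTS="true"' > "$1/vulnerable.in.sh"
    printf '%s\n' '#ENABLE_REMOTE_JMX_OPTS="true"' \
        'ENABLE_REMOTE_JMX_OPTS="false"  # remote JMX off' > "$1/fixed.in.sh"
    printf '%s\n' 'java.version = 11.0.4' \
        'com.sun.management.jmxremote.port = 18983' > "$1/props.stale"
    printf '%s\n' 'java.version = 11.0.4' > "$1/props.clean"
}

demo_dir=$(mktemp -d)
write_samples "$demo_dir"
for f in vulnerable fixed; do audit_solr "$demo_dir/$f.in.sh" || true; done
audit_solr "$demo_dir/fixed.in.sh" "$demo_dir/props.stale" || true
```

The last call shows why both checks matter: a corrected solr.in.sh is reported as exposed when the saved properties still list jmxremote entries, because the file is only read when Solr starts.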

The full report, as well as instructions for fixing the vulnerability and updating affected systems, is available on the official developer platform.