CVE-2019-12409: Default Configuration in Apache Solr Could Lead to Remote Code Execution
Linux servers using Apache Solr versions 8.1.1 and 8.2.0 with default configurations are potentially vulnerable to remote code execution.
背景
On July 22, 2019, a configuration flaw in versions 8.1.1 and 8.2.0 was found in Apache Solr, the open-source search-engine platform. John Ryan originally reported the issue and credit was also given to Matei “Mal” Badanoiu for noting the flaw could lead to remote code execution (RCE).
分析
CVE-2019-12409 is a flaw in the default configuration of the solr.in.sh file in Apache Solr. If this file is used in its default configuration in versions 8.1.1 and 8.2.0, unauthenticated access to the Java Management Extensions (JMX) monitoring on the RMI_PORT (default 18983) is allowed. Anyone with access to a vulnerable Solr server, and, in turn, JMX, could upload malicious code that could then be executed.
概念验证
There is currently a proof of concept (PoC) available in a GitHub repository implementing the MJET script by MOGWAI LABS to create a reverse shell on a system with the vulnerable configuration.
CVE-2019-12409 Apache Solr RCE pic.twitter.com/NFClK5M5od
— Jas502n (@jas502n) November 19, 2019
解决方案
On November 18, Apache Solr revised the originally reported bug report after it was found that the flaw could lead to RCE. In addition, the Changelog highlighted this flaw as one of the fixes in Apache Solr version 8.3.
Per the security advisory, this vulnerability can also be remediated by setting the ENABLE_REMOTE_JMX_OPTS parameter to ’false’ in the solr.in.sh file. The change can be confirmed by ensuring the com.sun.management.jmxremote* properties are not listed in the Solr Admin interface under the Java Properties section.
识别受影响的系统
A list of Tenable plugins to identify this vulnerability will appear here as they’re released.
获取更多信息
- Solr Security Advisory
- Attacking RMI Based JMX Services
- Solr Bug Tracker for CVE-2019-12409
- GitHub Repository with PoC for CVE-2019-12409
加入 Tenable Community 中的 Tenable 安全响应团队
了解有关 Tenable 这款首创 Cyber Exposure 平台的更多信息,全面管理现代攻击面。
Get a free 60-day trial of Tenable.io Vulnerability Management.
相关文章
- Vulnerability Management