19 November 2019
===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.4379
  CVE-2019-12409: Apache Solr RCE vulnerability due to bad config default
                             19 November 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Apache Solr
Publisher:         The Apache Software Foundation
Operating System:  Linux variants
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
Resolution:        Mitigation
CVE Names:         CVE-2019-12409

Original Bulletin:
   https://issues.apache.org/jira/browse/SOLR-13647

--------------------------BEGIN INCLUDED TEXT--------------------

CVE-2019-12409: Apache Solr RCE vulnerability due to bad config default

Severity: High

Vendor: The Apache Software Foundation

Versions Affected:
Solr 8.1.1 and 8.2.0 for Linux

Description:
The 8.1.1 and 8.2.0 releases of Apache Solr contain an insecure setting for the ENABLE_REMOTE_JMX_OPTS configuration option in the default solr.in.sh configuration file shipping with Solr.

Windows users are not affected.

If you use the default solr.in.sh file from the affected releases, then JMX monitoring will be enabled and exposed on RMI_PORT (default=18983), without any authentication. If this port is opened for inbound traffic in your firewall, then anyone with network access to your Solr nodes will be able to access JMX, which may in turn allow them to upload malicious code for execution on the Solr server.

The vulnerability is already public and mitigation steps were announced on project mailing lists and news page on August 14th, without mentioning RCE at that time.

Mitigation:
Make sure your effective solr.in.sh file has ENABLE_REMOTE_JMX_OPTS set to 'false' on every Solr node and then restart Solr.
Note that the effective solr.in.sh file may reside in /etc/defaults/ or another location depending on the install. You can then validate that the 'com.sun.management.jmxremote*' family of properties are not listed in the "Java Properties" section of the Solr Admin UI, or configured in a secure way.

There is no need to upgrade or update any code.

Remember to follow the Solr Documentation's advice to never expose Solr nodes directly in a hostile network environment.

Credit:
Matei "Mal" Badanoiu
Solr JIRA user 'jnyryan' (John)

References:
https://issues.apache.org/jira/browse/SOLR-13647
https://lucene.apache.org/solr/news.html

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to email@example.com and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: firstname.lastname@example.org
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business
                hours which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
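
One way to audit a node against the mitigation in the bulletin above, as an added example that is not part of the bulletin or of Solr. The function names are hypothetical, the path to the effective solr.in.sh is supplied by the caller, and the check assumes the option is set by a plain shell assignment in that file.

```shell
#!/bin/sh
# Added example: audit a Solr node for the CVE-2019-12409 default.
# The config file is parsed, never sourced, so auditing cannot execute it.

# Print the effective ENABLE_REMOTE_JMX_OPTS state for one solr.in.sh:
#   enabled  - last uncommented assignment is "true" (the insecure default)
#   disabled - last uncommented assignment is "false" (the mitigation)
#   unset    - no uncommented assignment found
#   unknown  - some other value; review by hand
jmx_opt_state() {
    # The file is shell, so the last uncommented assignment wins.
    val=$(awk '
        /^[ \t]*(export[ \t]+)?ENABLE_REMOTE_JMX_OPTS=/ {
            sub(/^[^=]*=/, "")      # keep only the right-hand side
            sub(/[ \t]*#.*$/, "")   # drop a trailing comment
            sub(/[ \t]+$/, "")      # drop trailing whitespace
            v = $0; seen = 1
        }
        END { print (seen ? v : "<unset>") }' "$1" | tr -d "\"'")
    case "$val" in
        true)      echo "enabled" ;;
        false)     echo "disabled" ;;
        "<unset>") echo "unset" ;;
        *)         echo "unknown" ;;
    esac
}

# Classify a JVM command line (for example from `ps -o args= -p PID`)
# by the com.sun.management.jmxremote* properties it carries:
#   absent, present (JMX configured, review it), or unauthenticated.
jmx_cmdline_state() {
    case " $1 " in
        *com.sun.management.jmxremote.authenticate=false*) echo "unauthenticated" ;;
        *com.sun.management.jmxremote*)                    echo "present" ;;
        *)                                                 echo "absent" ;;
    esac
}

# Stand-alone use: pass one or more candidate solr.in.sh paths.
if [ "$#" -gt 0 ]; then
    for f in "$@"; do
        printf '%s: ENABLE_REMOTE_JMX_OPTS %s\n' "$f" "$(jmx_opt_state "$f")"
    done
fi
```

A file that reports "disabled" only takes effect after Solr is restarted, so the command-line check should be run against the live Solr process as well.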