Operating System:

[WIN][UNIX/Linux]

Published:

02 March 2020

Protect yourself against future threats.

//Service

Phishing Take-Down

Drawing on our strong international CERT relationships we have a high success rate in delivering phishing take-downs.

Read more
Resources > Security Bulletins > ESB-2020.0757 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.0757
              Apache Solr RCE through VelocityResponseWriter
                               2 March 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Apache Solr
Publisher:         The Apache Software Foundation
Operating System:  Windows
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Execute Arbitrary Code/Commands -- Existing Account
Resolution:        Mitigation
CVE Names:         CVE-2019-17558  

Original Bulletin: 
   https://lucene.apache.org/solr/security.html

- --------------------------BEGIN INCLUDED TEXT--------------------

2019-12-30, CVE-2019-17558: Apache Solr RCE through VelocityResponseWriter 

Severity: High

Vendor: The Apache Software Foundation

Versions Affected: 5.0.0 to 8.3.1

Description:

The affected versions are vulnerable to a Remote Code Execution through the
VelocityResponseWriter. A Velocity template can be provided through Velocity
templates in a configset velocity/ directory or as a parameter. A user defined
configset could contain renderable, potentially malicious, templates. Parameter
provided templates are disabled by default, but can be enabled by setting
params.resource.loader.enabled by defining a response writer with that setting
set to true. Defining a response writer requires configuration API access.

Solr 8.4 removed the params resource loader entirely, and only enables the
configset-provided template rendering when the configset is trusted (has been
uploaded by an authenticated user).

Mitigation:

Ensure your network settings are configured so that only trusted traffic
communicates with Solr, especially to the configuration APIs.

Credit:
Github user s00py

References:

  o https://issues.apache.org/jira/browse/SOLR-13971
  o https://issues.apache.org/jira/browse/SOLR-14025
  o https://cwiki.apache.org/confluence/display/SOLR/SolrSecurity

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBXlyY7maOgq3Tt24GAQjCGBAA0f837CCVQ5KVES2WrB/hwoVHa8xln37n
hxobhigomLfLRdeEv6vKaW4h84xLI2KX1fz+bRQceC9y4b4sbhZqPol3T5VvC2Iq
J0ZIsRJyggnpQ8w+iS8A+j0Se2GiTCEmLum2GlC7Tr2hfT4Ss7AbJjCHZ5T1Gzv1
eq0d1OPM3xZIf0kiuAiZsKVoBkDe1/Vlbv29P+s5xv8qyVxGCtcIZGEIKTEwZk08
EGh1GhCvGTM5gnnuCIjk8KKVOEb4jkB6K8IxVRM/Cl+72Qcpd3P2dN6LxK+3wR6w
6MPRV9X5N2AOkYJvl4m8RvghCkY5vbzXlskcfpE5B3rzupJqQEI4Rnorq7abSNrR
TYJcEF6ARCW6o7UwFIoVi8UZBfQhV90uGLgrqE1dOQeCAClqmpR1FD14jLWm+Tv1
jO0v+HU+o2Xr6z+NDmFOt6im22eO6U/MkN7ahC8ajk6xnfJbHRbYT4rnoP/9y9o6
OzquGuQC3CSwyBU3GIQ0mBOGz5p2HxlIWZprE+wdE00jBKD8lsDk+12q98A6ZRSZ
JyqFK56WquQm6ZGM1iCo5HNqQyUiFgKFR8q0GzO2YSnUa8Z+4e6X2smePFeZSC8M
T6GhcOxJFSQEZiBLHee6HjLfBLnr2WeLoMimFzQOFMqgXlP3IRcyjfvJeJJ4b3vX
SC4UNHc/GOU=
=D2Ei
-----END PGP SIGNATURE-----