A bug impacting the Linux enterprise-search platform called Apache Solr has been revised from low to high-severity after researchers discovered a new remote code execution exploit. The warning comes from Tenable, which is reporting that the newly-identified default configuration vulnerability could allow attackers to remotely execute code on affected hardware.
The vulnerability (CVE-2019-12409) was first reported in July and patched in August. “Originally, the issue surfaced as being a low severity warning where anyone with access to the Java Management Extensions (JMX) port would be able to access monitoring data exposed over JMX,” said Scott Caveza, research engineering manager at Tenable.
Since the bug was initially discovered, researchers have reevaluated the threat and escalated its severity to high-risk.
“It appears a researcher reported that remote code execution was achievable and the vendor revised the bug report to reflect this and add the CVE,” Caveza told Threatpost. “The original notice about the low severity issue was on August 14, but the JIRA issue with the bug report (originally filed in July) was amended and updated.”
Public disclosure and a security bulletin for the more serious RCE exploit was issued Tuesday. That flaw is tied to a configuration issue the solr.in.sh file in Apache Solr.
“An unauthenticated attacker with the ability to reach the RMI port could leverage the vulnerability to upload malicious code to the server and then install a shell to further compromise the machine,” Caveza said. RMI (remote method invocation) is code that allows one Java virtual machine (JVM) to speak to another remotely, allowing JVM objects to communicate.
Caveza said the vulnerability is limited to two versions of Apache Solr (8.1.1 and 8.2.0). The flaw is the default configuration of the solr.in.sh file in Apache Solr.
“Anyone with access to a vulnerable Solr server, and, in turn, Java Management Extensions, could upload malicious code that could then be executed,” according to the Tenable research blog.
The Fix
On the upside, the fix is relatively simple. System administrators can either update Apache Solr to version 8.3 or change the solr.in.sh file settings to ENABLE_REMOTE_JMX_OPTS, to the “false” parameter.
“The change can be confirmed by ensuring the com.sun.management.jmxremote properties are not listed in the Solr Admin interface under the Java Properties section,” Tenable wrote.
John Ryan originally reported the issue and credit was also given to Matei “Mal” Badanoiu for noting the flaw could lead to RCE.
Is MFA enough to protect modern enterprises in the peak era of data breaches? How can you truly secure consumer accounts? Prevent account takeover? Find out: Catch our free, on-demand Threatpost webinar, “Trends in Fortune 1000 Breach Exposure” to hear advice from breach expert Chip Witt of SpyCloud. Click here to register.