Uploaded image for project: 'Solr'
  1. Solr
  2. SOLR-13301

[CVE-2019-0192] Deserialization of untrusted data via jmx.serviceUrl

    XMLWordPrintableJSON

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Critical
    • Resolution: Information Provided
    • Affects Version/s: 5.0, 5.1, 5.2, 5.2.1, 5.3, 5.3.1, 5.3.2, 5.4, 5.4.1, 5.5, 5.5.1, 5.5.2, 5.5.3, 5.5.4, 5.5.5, 6.0, 6.0.1, 6.1, 6.1.1, 6.2, 6.2.1, 6.3, 6.4, 6.4.1, 6.4.2, 6.5, 6.5.1, 6.6, 6.6.1, 6.6.2, 6.6.3, 6.6.4, 6.6.5
    • Fix Version/s: 6.6.6, 7.0
    • Component/s: config-api
    • Labels:
      None

      Description

      From the vulnerability reporter:

      ConfigAPI allows to set a jmx.serviceUrl that will create a new JMXConnectorServerFactory and trigger a call with 'bind' operation to a target RMI/LDAP server. A malicious RMI server could respond with arbitrary object that will be deserialized on the Solr side using java's ObjectInputStream, which is considered unsafe. This type of vulnerabilities can be exploited with ysoserial tool. Depending on the target classpath, an attacker can use one of the "gadget chains" to trigger Remote Code Execution on the Solr side.

      Mitigation:
      Any of the following are enough to prevent this vulnerability:

      • Upgrade to Apache Solr 7.0 or later.
      • Disable the ConfigAPI if not in use, by running Solr with the system property disable.configEdit=true
      • If upgrading or disabling the Config API are not viable options, apply SOLR-13301.patch and re-compile Solr.
      • Ensure your network settings are configured so that only trusted traffic is allowed to ingress/egress your hosts running Solr.

      Since Solr 7.0, JMX server is no longer configurable via API

        Attachments

        1. SOLR-13301.patch
          1 kB
          Tomás Fernández Löbbe
        2. SOLR-13301-5_5.patch
          1 kB
          Tomás Fernández Löbbe

          Activity

            People

            • Assignee:
              Unassigned
              Reporter:
              tomasflobbe Tomás Fernández Löbbe
            • Votes:
              0 Vote for this issue
              Watchers:
              8 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved: