Description
Severity: High
Vendor: The Apache Software Foundation
Versions Affected:
- 6.6.0 to 6.6.6
- 7.0.0 to 7.7.3
- 8.0.0 to 8.6.2
Description:
Solr prevents some features considered dangerous (which could be used for remote code execution) from being configured in a ConfigSet that is uploaded via the API without authentication/authorization. The checks in place to prevent such features can be circumvented by using a combination of UPLOAD/CREATE actions.
Mitigation:
Any of the following are enough to prevent this vulnerability:
- Disable the UPLOAD command in the ConfigSets API, if it is not used, by setting the system property configset.upload.enabled to false [1]
- Use Authentication/Authorization and make sure unknown requests aren't allowed [2]
- Upgrade to Solr 8.6.3 or greater.
- If upgrading is not an option, consider applying the patch in SOLR-14663 [3]
- No Solr API, including the Admin UI, is designed to be exposed to non-trusted parties. Tune your firewall so that only trusted computers and people are allowed access [5]
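The following shell script is an added example, not part of the advisory and not Solr's own tooling. It checks a Solr version string against the affected ranges listed above and audits a solr.in.sh / security.json pair for the first two mitigations: the configset.upload.enabled system property [1] and "blockUnknown": true in the BasicAuthPlugin section of security.json [2]. The sample files it writes are constructed for the demonstration; the credentials value in them is a placeholder, not a real hash, and the helper names (is_affected, exposed, and so on) are this example's own.

```shell
#!/usr/bin/env bash
# Added example, not part of the advisory and not Solr's own tooling.
# Checks a Solr version against the advisory's affected ranges and audits
# two config files for the first two mitigations listed above.
set -eu

# Affected ranges exactly as listed in the advisory, inclusive on both ends.
AFFECTED_RANGES="6.6.0:6.6.6 7.0.0:7.7.3 8.0.0:8.6.2"

# version_key 8.6.2 -> 8006002, so ranges can be compared as integers.
# A "-SNAPSHOT"-style suffix is dropped first.
version_key() {
  v=${1%%-*}
  IFS=. read -r a b c <<EOF
$v
EOF
  echo $(( ${a:-0} * 1000000 + ${b:-0} * 1000 + ${c:-0} ))
}

# is_affected VERSION: succeeds when VERSION lies inside one of the ranges.
is_affected() {
  key=$(version_key "$1")
  for range in $AFFECTED_RANGES; do
    lo=$(version_key "${range%%:*}")
    hi=$(version_key "${range##*:}")
    if [ "$key" -ge "$lo" ] && [ "$key" -le "$hi" ]; then
      return 0
    fi
  done
  return 1
}

# Mitigation 1 [1]: an uncommented SOLR_OPTS line in solr.in.sh that sets
# configset.upload.enabled=false, which disables the UPLOAD action entirely.
upload_disabled_in() {
  grep -Eq '^[^#]*-Dconfigset\.upload\.enabled=false' "$1"
}

# Mitigation 2 [2]: security.json with "blockUnknown": true, so requests
# without credentials are rejected instead of being let through.
block_unknown_in() {
  grep -Eq '"blockUnknown"[[:space:]]*:[[:space:]]*true' "$1"
}

# exposed VERSION SOLR_IN_SH SECURITY_JSON: succeeds only when the version is
# affected AND neither configuration-level mitigation is in place
# (the advisory says any single mitigation is enough).
exposed() {
  is_affected "$1" || return 1
  upload_disabled_in "$2" && return 1
  block_unknown_in "$3" && return 1
  return 0
}

# Constructed sample files (not from any real deployment) so the checks can be
# exercised offline. The credentials value is a placeholder, not a real hash.
write_samples() {
  cat > "$1/solr.in.sh.weak" <<'EOF'
SOLR_HEAP="512m"
#SOLR_OPTS="$SOLR_OPTS -Dconfigset.upload.enabled=false"
EOF
  cat > "$1/solr.in.sh.hardened" <<'EOF'
SOLR_HEAP="512m"
SOLR_OPTS="$SOLR_OPTS -Dconfigset.upload.enabled=false"
EOF
  cat > "$1/security.json.weak" <<'EOF'
{"authentication":{"class":"solr.BasicAuthPlugin","blockUnknown":false,
  "credentials":{"solr":"<sha256-hash> <base64-salt>"}}}
EOF
  cat > "$1/security.json.hardened" <<'EOF'
{"authentication":{"class":"solr.BasicAuthPlugin","blockUnknown":true,
  "credentials":{"solr":"<sha256-hash> <base64-salt>"}},
 "authorization":{"class":"solr.RuleBasedAuthorizationPlugin",
  "permissions":[{"name":"all","role":"admin"}],"user-role":{"solr":"admin"}}}
EOF
}

# Stand-alone run: report on the samples for a version inside and outside the ranges.
tmp=$(mktemp -d)
write_samples "$tmp"
for v in 8.6.2 8.6.3; do
  for cfg in weak hardened; do
    if exposed "$v" "$tmp/solr.in.sh.$cfg" "$tmp/security.json.$cfg"; then
      echo "Solr $v, $cfg config: exposed, apply one of the mitigations"
    else
      echo "Solr $v, $cfg config: not exposed"
    fi
  done
done
rm -rf "$tmp"
```

Point the three checks at a real deployment's solr.in.sh and the security.json stored in ZooKeeper (or on disk in standalone mode) to get the same exposed/not exposed verdict; the upgrade and firewall mitigations from the list above are not something a file audit can confirm.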
Credit:
Tomás Fernández Löbbe, András Salamon
References:
[1] https://lucene.apache.org/solr/guide/8_6/configsets-api.html
[2] https://lucene.apache.org/solr/guide/8_6/authentication-and-authorization-plugins.html
[3] https://issues.apache.org/jira/browse/SOLR-14663
[4] https://issues.apache.org/jira/browse/SOLR-14925
[5] https://wiki.apache.org/solr/SolrSecurity
Issue Links:
- is fixed by SOLR-14663 ConfigSets CREATE does not set trusted flag (Closed)