Blog
11.11.2020

CVE-2020-13957 Apache Solr RCE

Virsec Security Research Lab Vulnerability Analysis

The Virsec Security Research Lab provides detailed analysis on recent and notable security vulnerabilities.

1.1        Vulnerability Summary

Apache Solr versions 6.6.0 to 6.6.6, 7.0.0 to 7.7.3 and 8.0.0 to 8.6.2 prevent certain features considered dangerous (because they can be used for remote code execution) from being configured in a ConfigSet that is uploaded via the ConfigSets API without authentication/authorization: such an uploaded ConfigSet is flagged as untrusted. The checks that enforce this can be circumvented by combining the UPLOAD and CREATE actions of the same API. The attacker first uploads a ConfigSet containing the forbidden configuration, then issues CREATE with the uploaded ConfigSet as the base to copy it under a new name; the copy does not carry the untrusted flag and is therefore treated as trusted, so a collection created from it runs the configuration the upload check was meant to block. The issue is fixed in Apache Solr 8.6.3.


1.2        CVSS Score

The CVSS v3.1 Base Score is 9.8 (Critical), vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H: the ConfigSets API is reachable over the network, needs no privileges or user interaction, and exploitation yields full control of confidentiality, integrity and availability.

1.3        Affected Version

  • Apache Solr versions 6.6.0 to 6.6.6
  • Apache Solr versions 7.0.0 to 7.7.3
  • Apache Solr versions 8.0.0 to 8.6.2

The earliest vulnerable version, 6.6.0, was released on 06/06/2017, and the fix shipped in 8.6.3 in October 2020, so the exposure window is over three years. Where upgrading is not immediately possible, the upstream advisory lists disabling the UPLOAD action (system property configset.upload.enabled=false) and enforcing authentication/authorization on the Solr APIs as mitigations; no Solr API, including the Admin UI, is designed to be exposed to untrusted parties.
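As an added example (not part of Virsec's original analysis and not code from the Solr project), the following Python script does two things a defender would want given the vulnerability summary and the version list above: it decides whether a Solr version string falls in the affected ranges, reading the version from the JSON that Solr's /solr/admin/info/system endpoint returns under lucene.solr-spec-version, and it scans Solr request-log lines for the UPLOAD-then-CREATE ConfigSets API sequence the bypass relies on. The log lines and the system-info reply are constructed for this example; the log pattern only approximates Solr's HttpSolrCall log line, so the path= and params={...} fields it keys on are an assumption to adapt to your own log format. The /admin/configs path and the action, name and baseConfigSet parameters are Solr's real ConfigSets API parameters.

```python
import json
import re
from typing import Dict, Iterator, List, Tuple
from urllib.parse import parse_qs

Version = Tuple[int, int, int]

# Affected ranges from the advisory, inclusive at both ends. The fix shipped in 8.6.3.
AFFECTED_RANGES: List[Tuple[Version, Version]] = [
    ((6, 6, 0), (6, 6, 6)),
    ((7, 0, 0), (7, 7, 3)),
    ((8, 0, 0), (8, 6, 2)),
]


def parse_version(text: str) -> Version:
    """Turn '8.6.2' or '8.6.2-SNAPSHOT' into (8, 6, 2); a missing patch level counts as 0."""
    m = re.match(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised Solr version: {text!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def is_affected(version: str) -> bool:
    """True if the version lies inside one of the affected ranges."""
    v = parse_version(version)
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


def version_from_system_info(system_info_json: str) -> str:
    """Extract the Solr version from the JSON returned by /solr/admin/info/system."""
    return json.loads(system_info_json)["lucene"]["solr-spec-version"]


# Shape of the request-log lines scanned below. This is an approximation of Solr's
# HttpSolrCall log line (an assumption made for this example); only the 'path=...'
# and 'params={...}' fields are relied on, so adjust the pattern to your log format.
LOG_RE = re.compile(r"path=(?P<path>\S+) params=\{(?P<params>[^}]*)\}")


def configset_calls(log_lines: List[str]) -> Iterator[Tuple[int, str, str, str]]:
    """Yield (line_no, ACTION, name, baseConfigSet) for every ConfigSets API request."""
    for line_no, line in enumerate(log_lines, 1):
        m = LOG_RE.search(line)
        if not m or m.group("path") != "/admin/configs":
            continue
        params = parse_qs(m.group("params"))
        yield (
            line_no,
            params.get("action", [""])[0].upper(),
            params.get("name", [""])[0],
            params.get("baseConfigSet", [""])[0],
        )


def find_upload_create_chains(log_lines: List[str]) -> List[Tuple[int, int, str, str]]:
    """Return (upload_line, create_line, uploaded_name, new_name) for every CREATE
    whose baseConfigSet was UPLOADed earlier in the log. That sequence is how the
    bypass turns an untrusted uploaded ConfigSet into a copy Solr treats as trusted."""
    uploads: Dict[str, int] = {}  # uploaded ConfigSet name -> line number of its UPLOAD
    chains: List[Tuple[int, int, str, str]] = []
    for line_no, action, name, base in configset_calls(log_lines):
        if action == "UPLOAD" and name:
            uploads[name] = line_no
        elif action == "CREATE" and base in uploads:
            chains.append((uploads[base], line_no, base, name))
    return chains


# Constructed sample input: a mock /admin/info/system reply and five mock log lines.
SAMPLE_SYSTEM_INFO = '{"lucene": {"solr-spec-version": "8.6.2", "solr-impl-version": "8.6.2 x - 2020"}}'
SAMPLE_LOG = [
    "2020-10-13 10:01:02.100 INFO  (qtp1-17) [   ] o.a.s.s.HttpSolrCall [admin] webapp=null path=/admin/configs params={action=LIST&wt=json} status=0 QTime=3",
    "2020-10-13 10:01:05.220 INFO  (qtp1-18) [   ] o.a.s.s.HttpSolrCall [admin] webapp=null path=/admin/configs params={action=UPLOAD&name=attacker_cfg&wt=json} status=0 QTime=41",
    "2020-10-13 10:01:07.900 INFO  (qtp1-19) [   ] o.a.s.s.HttpSolrCall [admin] webapp=null path=/admin/configs params={action=CREATE&name=attacker_cfg_copy&baseConfigSet=attacker_cfg&wt=json} status=0 QTime=58",
    "2020-10-13 10:01:09.000 INFO  (qtp1-20) [   ] o.a.s.s.HttpSolrCall [admin] webapp=null path=/admin/collections params={action=CREATE&name=search&collection.configName=attacker_cfg_copy&wt=json} status=0 QTime=900",
    "2020-10-13 10:05:00.000 INFO  (qtp1-21) [   ] o.a.s.s.HttpSolrCall [admin] webapp=null path=/admin/configs params={action=CREATE&name=products&baseConfigSet=_default&wt=json} status=0 QTime=30",
]

if __name__ == "__main__":
    ver = version_from_system_info(SAMPLE_SYSTEM_INFO)
    print(f"Solr {ver}: {'AFFECTED' if is_affected(ver) else 'not affected'}")
    for up, cr, base, new in find_upload_create_chains(SAMPLE_LOG):
        print(f"line {up}: UPLOAD {base!r} -> line {cr}: CREATE {new!r} from it; review collections using it")
```

A CREATE whose base was uploaded through the API is not malicious by itself, but on an unpatched instance it is exactly the step that sheds the untrusted flag, so each reported chain is worth a look at the resulting ConfigSet's solrconfig.xml. The legitimate CREATE from _default in the sample is not reported because _default was never uploaded.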

1.4        Vulnerability Attribution

This issue was reported publicly via the Apache Tomcat Users mailing list.

1.5        Risk Impact

Apache Solr is an open-source enterprise-search platform, written in Java, from the Apache Lucene project. Its major features include full-text search, hit highlighting, faceted search, real-time indexing, dynamic clustering, database integration, NoSQL features, and rich document handling.

Publicly disclosed exploit code is available. A source from 2010 puts Apache Solr's market share at 31%, and many companies use Apache Solr as part of their application stack for fast search. Successful exploitation of this vulnerability gives remote code execution in the context of the Solr process, which could lead to disclosure of sensitive information, addition or modification of data, or denial of service (DoS), and could result in loss of intellectual property or millions of dollars of lost business from a website being down.

1.6        Virsec Security Platform (VSP) Support

The Virsec Security Platform (VSP)-Host monitors spawned processes against a set of whitelisted processes. Any attempt to execute a new command or an unknown binary would be denied by VSP-Host's Process Monitoring capability.

VSP-Host's FSM capability would also detect an attempt to place a malicious web shell on disk. Both controls act at the point where the attacker turns the ConfigSet-level foothold into an OS-level action (spawning a command or writing a file), so they apply whichever dangerous ConfigSet feature was used to reach that point.

1.7        Reference Links

  • NVD entry for CVE-2020-13957: https://nvd.nist.gov/vuln/detail/CVE-2020-13957
  • Apache Solr security advisories: https://solr.apache.org/security.html

Download the full vulnerability report to learn more about this and other important vulnerabilities.

About the Author
Satya Gupta is Virsec’s visionary founder, with over 25 years of expertise in embedded systems, network security and systems architecture. Satya has helped build and guide the company through key growth phases from initial funding (2015), developing core technology with key partners including Raytheon and Lockheed (2016-2018), to launching an enterprise class, GA product (2019). Prior to this, Satya built a highly profitable software design and consulting business targeting data networking, application security and industrial automation projects. He was also Director of Firmware Engineering at Narad Networks and Managing Director and Chief Engineer at Eastern Telecom and Tech Ltd. Satya has more than 40 patents in complex firmware architecture with products deployed to hundreds of thousands of users. He holds a BS degree in Engineering from the Indian Institute of Technology in Kanpur and additional degrees from the University of Massachusetts at Lowell.