CVE-2020-13957 Apache Solr RCE
Virsec Security Research Lab Vulnerability Analysis
The Virsec Security Research Lab provides detailed analysis on recent and notable security vulnerabilities.
1.1 Vulnerability Summary
Apache Solr versions 6.6.0 to 6.6.6, 7.0.0 to 7.7.3 and 8.0.0 to 8.6.2 prevents some features considered dangerous (which could be used for remote code execution) to be configured in a ConfigSet that's uploaded via API without authentication/authorization. The checks in place to prevent such features can be circumvented by using a combination of UPLOAD/CREATE actions.
Watch the video to learn more about this and other important vulnerabilities.
1.2 CVSS Score
The CVSS Base Score is 9.8 (Critical)
1.3 Affected Version
Apache Solr versions 6.6.0 to 6.6.6
Apache Solr versions 7.0.0 to 7.7.3
Apache Solr versions 8.0.0 to 8.6.2
The earliest vulnerable version was released on 06/06/2017. The exposure window is therefore over three years.
1.4 Vulnerability Attribution
This issue was reported publicly via the Apache Tomcat Users mailing list.
1.5 Risk Impact
Apache Solr is an open-source enterprise-search platform, written in Java, from the Apache Lucene project. Its major features include full-text search, hit highlighting, faceted search, real-time indexing, dynamic clustering, database integration, NoSQL features, and rich document handling.
A publicly disclosed exploit code is available here. Based on this link from 2010, Apache Solr has 31% share. Lot of companies use Apache Solr as part of their application stack for faster search, any such
vulnerability which when successfully exploited could lead to disclosure of sensitive information, addition or modification of data, or Denial of Service (DoS) and can cause loss of intellectual property data or could result in loss of million of dollars of business due to website being down.
1.6 Virsec Security Platform (VSP) Support
The Virsec Security Platform (VSP)-Host monitors processes that are spawned which are not part of a set of whitelisted process. Any attempt to execute new command or unknown binary would be denied by VSP-Host’s Process Monitoring capability.
VSP-Host FSM capability would also detect the attempt to place any malicious web shell on disk.
1.7 Reference Links
Download the full vulnerability report to learn more about this and other important vulnerabilities.