CVE-2019-12409: Default Configuration in Apache Solr Could Lead to Remote Code Execution
Linux servers using Apache Solr versions 8.1.1 and 8.2.0 with default configurations are potentially vulnerable to remote code execution.
Background
On July 22, 2019, a configuration flaw was found in versions 8.1.1 and 8.2.0 of Apache Solr, the open-source search-engine platform. John Ryan originally reported the issue, and credit was also given to Matei “Mal” Badanoiu for noting that the flaw could lead to remote code execution (RCE).
Analysis
CVE-2019-12409 is a flaw in the default configuration of the solr.in.sh file in Apache Solr. If this file is used in its default configuration in versions 8.1.1 and 8.2.0, unauthenticated access to the Java Management Extensions (JMX) monitoring on the RMI_PORT (default 18983) is allowed. Anyone with access to a vulnerable Solr server, and, in turn, JMX, could upload malicious code that could then be executed.
Proof of concept
There is currently a proof of concept (PoC) available in a GitHub repository implementing the MJET script by MOGWAI LABS to create a reverse shell on a system with the vulnerable configuration.
CVE-2019-12409 Apache Solr RCE pic.twitter.com/NFClK5M5od
— Jas502n (@jas502n) November 19, 2019
Solution
On November 18, Apache Solr revised the original bug report after it was found that the flaw could lead to RCE. In addition, the Changelog highlighted this flaw as one of the fixes in Apache Solr version 8.3.
Per the security advisory, this vulnerability can also be remediated by setting the ENABLE_REMOTE_JMX_OPTS parameter to ’false’ in the solr.in.sh file. The change can be confirmed by ensuring the com.sun.management.jmxremote* properties are not listed in the Solr Admin interface under the Java Properties section.
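The file-level half of that check can be scripted. The following is an added example, not code from the Solr project or the advisory: it reads a solr.in.sh, resolves the effective ENABLE_REMOTE_JMX_OPTS and RMI_PORT values, and reports whether remote JMX is switched on. The function names, output strings and exit codes are assumptions made for the example, and the sample file is constructed.

```shell
#!/bin/sh
# Added example (not Solr's or Tenable's code): audit a solr.in.sh for the
# CVE-2019-12409 setting described in the advisory.

# Print the effective value of variable $1 in file $2: the last uncommented
# assignment wins, as it does when the shell sources the file.
effective_value() {
    sed -n "s/^[[:space:]]*$1=//p" "$2" | tail -n 1 |
        sed -e 's/[[:space:]]*#.*$//' -e 's/[[:space:]]*$//' | tr -d "\"'"
}

# Return status: 0 = disabled, 1 = remote JMX enabled, 2 = unreadable file,
# 3 = not set in this file or unexpected value (needs a manual look).
audit_solr_in_sh() {
    file=$1
    [ -r "$file" ] || { echo "ERROR cannot read $file"; return 2; }
    jmx=$(effective_value ENABLE_REMOTE_JMX_OPTS "$file")
    port=$(effective_value RMI_PORT "$file")
    port=${port:-18983}   # default RMI_PORT named in the article
    case $jmx in
        true)  echo "EXPOSED remote JMX enabled, RMI_PORT=$port"; return 1 ;;
        false) echo "OK remote JMX disabled"; return 0 ;;
        *)     echo "REVIEW ENABLE_REMOTE_JMX_OPTS='$jmx'"; return 3 ;;
    esac
}

# Constructed sample resembling the affected default configuration.
sample=$(mktemp)
printf '%s\n' '#RMI_PORT=18983' 'ENABLE_REMOTE_JMX_OPTS="true"' > "$sample"
audit_solr_in_sh "$sample" || true
rm -f "$sample"
```

This inspects only the file on disk; a running Solr process keeps the settings it started with until it is restarted, so the Java Properties check in the Admin interface remains the confirmation for a live instance.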
Identifying affected systems
A list of Tenable plugins to identify this vulnerability will appear here as they’re released.
Get more information
- Solr Security Advisory
- Attacking RMI Based JMX Services
- Solr Bug Tracker for CVE-2019-12409
- GitHub Repository with PoC for CVE-2019-12409