Mailing List Archive

[CVE-2019-17558] Apache Solr RCE through VelocityResponseWriter
[CVE-2019-17558] Apache Solr RCE through VelocityResponseWriter

Severity: High

Vendor: The Apache Software Foundation

Versions Affected: 5.0.0 to 8.3.1

Description:
The affected versions are vulnerable to a Remote Code Execution through the
VelocityResponseWriter. A Velocity template can be provided through
Velocity templates in a configset `velocity/` directory or as a parameter.
A user defined configset could contain renderable, potentially malicious,
templates. Parameter provided templates are disabled by default, but can
be enabled by setting `params.resource.loader.enabled` by defining a
response writer with that setting set to `true`. Defining a response
writer requires configuration API access.

Solr 8.4 removed the params resource loader entirely, and only enables the
configset-provided template rendering when the configset is `trusted` (has
been uploaded by an authenticated user).

Mitigation: Ensure your network settings are configured so that only
trusted traffic
communicates with Solr, especially to the configuration APIs.

Credits: Github user `s00py`

References:
* https://cwiki.apache.org/confluence/display/solr/SolrSecurity
* https://issues.apache.org/jira/browse/SOLR-13971
* https://issues.apache.org/jira/browse/SOLR-14025