Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2020.0757 Apache Solr RCE through VelocityResponseWriter 2 March 2020 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: Apache Solr Publisher: The Apache Software Foundation Operating System: Windows UNIX variants (UNIX, Linux, OSX) Impact/Access: Execute Arbitrary Code/Commands -- Existing Account Resolution: Mitigation CVE Names: CVE-2019-17558 Original Bulletin: https://lucene.apache.org/solr/security.html - --------------------------BEGIN INCLUDED TEXT-------------------- 2019-12-30, CVE-2019-17558: Apache Solr RCE through VelocityResponseWriter Severity: High Vendor: The Apache Software Foundation Versions Affected: 5.0.0 to 8.3.1 Description: The affected versions are vulnerable to a Remote Code Execution through the VelocityResponseWriter. A Velocity template can be provided through Velocity templates in a configset velocity/ directory or as a parameter. A user defined configset could contain renderable, potentially malicious, templates. Parameter provided templates are disabled by default, but can be enabled by setting params.resource.loader.enabled by defining a response writer with that setting set to true. Defining a response writer requires configuration API access. Solr 8.4 removed the params resource loader entirely, and only enables the configset-provided template rendering when the configset is trusted (has been uploaded by an authenticated user). Mitigation: Ensure your network settings are configured so that only trusted traffic communicates with Solr, especially to the configuration APIs. Credit: Github user s00py References: o https://issues.apache.org/jira/browse/SOLR-13971 o https://issues.apache.org/jira/browse/SOLR-14025 o https://cwiki.apache.org/confluence/display/SOLR/SolrSecurity - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: https://www.auscert.org.au/bulletins/ =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQIVAwUBXlyY7maOgq3Tt24GAQjCGBAA0f837CCVQ5KVES2WrB/hwoVHa8xln37n hxobhigomLfLRdeEv6vKaW4h84xLI2KX1fz+bRQceC9y4b4sbhZqPol3T5VvC2Iq J0ZIsRJyggnpQ8w+iS8A+j0Se2GiTCEmLum2GlC7Tr2hfT4Ss7AbJjCHZ5T1Gzv1 eq0d1OPM3xZIf0kiuAiZsKVoBkDe1/Vlbv29P+s5xv8qyVxGCtcIZGEIKTEwZk08 EGh1GhCvGTM5gnnuCIjk8KKVOEb4jkB6K8IxVRM/Cl+72Qcpd3P2dN6LxK+3wR6w 6MPRV9X5N2AOkYJvl4m8RvghCkY5vbzXlskcfpE5B3rzupJqQEI4Rnorq7abSNrR TYJcEF6ARCW6o7UwFIoVi8UZBfQhV90uGLgrqE1dOQeCAClqmpR1FD14jLWm+Tv1 jO0v+HU+o2Xr6z+NDmFOt6im22eO6U/MkN7ahC8ajk6xnfJbHRbYT4rnoP/9y9o6 OzquGuQC3CSwyBU3GIQ0mBOGz5p2HxlIWZprE+wdE00jBKD8lsDk+12q98A6ZRSZ JyqFK56WquQm6ZGM1iCo5HNqQyUiFgKFR8q0GzO2YSnUa8Z+4e6X2smePFeZSC8M T6GhcOxJFSQEZiBLHee6HjLfBLnr2WeLoMimFzQOFMqgXlP3IRcyjfvJeJJ4b3vX SC4UNHc/GOU= =D2Ei -----END PGP SIGNATURE-----