Posted to users@solr.apache.org by Anchal Sharma2 <an...@in.ibm.com> on 2021/06/18 10:54:28 UTC

CVE-2021-27905 Apache Solr ReplicationHandler/SSRF vulnerability

Hi All,

We are currently using Solr Cloud (Solr version 8.6.3) in our application. Since it doesn't use the master-slave Solr approach, we do not have the replication handler set up (to replicate master to slave) on any of our Solr nodes.
Could someone please confirm if the following vulnerability is still applicable for us?

CVE-2021-27905 Apache Solr ReplicationHandler/SSRF vulnerability
Description: A critical vulnerability was found in Apache Solr up to 8.8.1 (CVSS 9.8). Affected by this vulnerability is an unknown code block of the file /replication; the manipulation of the argument masterUrl/leaderUrl with an unknown input can lead to a privilege escalation vulnerability.  *Note: There are now POCs targeting CVE-2021-27905 (Apache Solr <= 8.8.1 SSRF), CVE-2017-12629 (Remote Code Execution via SSRF), and CVE-2019-0193 (DataImportHandler). There are also Metasploit modules for the Apache Solr Velocity RCE, and two Apache OFBiz vulnerabilities. Given the number of vulnerabilities, severity, and availability of POCs, it is highly recommended that any vulnerable systems be patched as soon as possible.

Thanks
Anchal Sharma

Re: CVE-2021-27905 Apache Solr ReplicationHandler/SSRF vulnerability

Posted by Rahul Goswami <ra...@gmail.com>.
Digging out this old thread since I am looking for an answer to the same
question.
To Matthew's response above, since the /replication is an implicit handler,
even if removed from solrconfig.xml, it would still work.
I looked around (aka Googled) to find a way in which someone exploited this
vulnerability, but couldn't find it. That would help us get an idea about
patching it. If anyone knows more about this CVE or can point me to JIRA
for the same, that would be great.

Thanks,
Rahul


On Fri, Jun 18, 2021 at 9:47 AM matthew sporleder <ms...@gmail.com>
wrote:

> I believe these are all related to exposed api/admin endpoints so your
> network is probably protecting you but poor input sanitation could
> expose you, of course- like
> /myappsearch?search=../../replication?evilpayload (classic sql-style
> injection style)
>
> If you have, literally, removed the handlers for those url endpoints
> from your config I think you are pretty safe.
>
> On Fri, Jun 18, 2021 at 6:54 AM Anchal Sharma2 <an...@in.ibm.com>
> wrote:
> >
> > Hi All,
> >
> > We are currently using Solr Cloud (Solr version 8.6.3) in our application.
> Since it doesn't use the master-slave Solr approach, we do not have the
> replication handler set up (to replicate master to slave) on any of our Solr
> nodes.
> > Could someone please confirm if the following vulnerability is still
> applicable for us?
> >
> > CVE-2021-27905 Apache Solr ReplicationHandler/SSRF vulnerability
> > Description: A critical vulnerability was found in Apache Solr up to
> 8.8.1 (CVSS 9.8). Affected by this vulnerability is an unknown code block
> of the file /replication; the manipulation of the argument
> masterUrl/leaderUrl with an unknown input can lead to a privilege
> escalation vulnerability.  *Note: There are now POCs targeting
> CVE-2021-27905 (Apache Solr <= 8.8.1 SSRF), CVE-2017-12629 (Remote Code
> Execution via SSRF), and CVE-2019-0193 (DataImportHandler). There are also
> Metasploit modules for the Apache Solr Velocity RCE, and two Apache OFBiz
> vulnerabilities. Given the number of vulnerabilities, severity, and
> availability of POCs, it is highly recommended that any vulnerable systems
> be patched as soon as possible.
> >
> > Thanks
> > Anchal Sharma
>

Re: CVE-2021-27905 Apache Solr ReplicationHandler/SSRF vulnerability

Posted by matthew sporleder <ms...@gmail.com>.
I believe these are all related to exposed api/admin endpoints so your
network is probably protecting you but poor input sanitation could
expose you, of course- like
/myappsearch?search=../../replication?evilpayload (classic sql-style
injection style)

If you have, literally, removed the handlers for those url endpoints
from your config I think you are pretty safe.

On Fri, Jun 18, 2021 at 6:54 AM Anchal Sharma2 <an...@in.ibm.com> wrote:
>
> Hi All,
>
> We are currently using Solr Cloud (Solr version 8.6.3) in our application. Since it doesn't use the master-slave Solr approach, we do not have the replication handler set up (to replicate master to slave) on any of our Solr nodes.
> Could someone please confirm if the following vulnerability is still applicable for us?
>
> CVE-2021-27905 Apache Solr ReplicationHandler/SSRF vulnerability
> Description: A critical vulnerability was found in Apache Solr up to 8.8.1 (CVSS 9.8). Affected by this vulnerability is an unknown code block of the file /replication; the manipulation of the argument masterUrl/leaderUrl with an unknown input can lead to a privilege escalation vulnerability.  *Note: There are now POCs targeting CVE-2021-27905 (Apache Solr <= 8.8.1 SSRF), CVE-2017-12629 (Remote Code Execution via SSRF), and CVE-2019-0193 (DataImportHandler). There are also Metasploit modules for the Apache Solr Velocity RCE, and two Apache OFBiz vulnerabilities. Given the number of vulnerabilities, severity, and availability of POCs, it is highly recommended that any vulnerable systems be patched as soon as possible.
>
> Thanks
> Anchal Sharma
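Two points in this thread suggest what a defender can actually check: Matthew's, that a front-end application which forwards unsanitized user text into Solr URLs can hand users a route to /replication even when the network hides Solr itself, and Rahul's, that /replication is an implicit handler and so still answers even if it is absent from solrconfig.xml. The Python below is an added example, not code from this thread or from Apache Solr. It builds Solr /select requests so that user text is always URL-encoded into the q parameter, and it scans HTTP access-log lines for requests that resolve to a replication handler (including through percent-encoded dot segments), flagging the masterUrl/leaderUrl parameters the CVE description names. The Solr host, collection name, log format and log lines are all constructed for the example.

```python
"""Added example, not code from this thread or from Apache Solr.

Defensive checks around Solr's implicit /replication handler:
  1. build_select_url() confines user input to the q parameter by URL-encoding
     it, so a value like '../../replication?evilpayload' cannot change the
     request path or add parameters;
  2. scan_access_log() reads (constructed) access-log lines and flags requests
     that resolve to a replication handler, naming the masterUrl/leaderUrl
     parameters from the CVE description when present.
The Solr host, collection name, log format and log lines are all constructed.
"""
import posixpath
import re
from urllib.parse import parse_qs, unquote, urlencode, urlsplit

SOLR_BASE = "http://solr.example.internal:8983/solr"  # constructed placeholder
COLLECTION = "myapp"                                  # constructed placeholder

# Parameter names the CVE text says the handler reads (compared case-insensitively).
SENSITIVE_PARAMS = {"masterurl", "leaderurl"}

# Common Log Format with a trailing response size; constructed for this example.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) \S+$'
)


def build_select_url(user_query, rows=10):
    """Return a /select URL in which the user's text is only ever the q value."""
    params = {"q": user_query, "rows": rows, "wt": "json"}
    return f"{SOLR_BASE}/{COLLECTION}/select?{urlencode(params)}"


def query_values(url, name):
    """Return the list of values a URL carries for one query parameter."""
    return parse_qs(urlsplit(url).query).get(name, [])


def solr_handler_of(request_target):
    """Name of the handler a request path resolves to.

    Percent-decodes the path and collapses '.' and '..' segments the way an
    HTTP server does, so '/solr/x/select/..%2F..%2Freplication' resolves to
    'replication' just as a direct request would.
    """
    path = posixpath.normpath(unquote(urlsplit(request_target).path))
    return path.rsplit("/", 1)[-1]


def scan_access_log(lines):
    """Return (client_ip, request_target, reason) for each request that reaches
    a replication handler, whether directly or after path normalisation."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        target = m.group("target")
        if solr_handler_of(target) != "replication":
            continue
        params = parse_qs(urlsplit(target).query)
        flagged = sorted(k for k in params if k.lower() in SENSITIVE_PARAMS)
        if flagged:
            reason = "replication handler called with " + ", ".join(flagged)
        else:
            reason = "replication handler reached"
        findings.append((m.group("ip"), target, reason))
    return findings


# Constructed log lines: a normal search, a direct replication call, and a
# traversal attempt that only reveals its handler after normalisation.
SAMPLE_LOG = [
    '10.0.0.5 - - [18/Jun/2021:10:54:28 +0000] '
    '"GET /solr/myapp/select?q=shoes&wt=json HTTP/1.1" 200 512',
    '10.0.0.9 - - [18/Jun/2021:10:55:01 +0000] '
    '"GET /solr/myapp/replication?wt=json HTTP/1.1" 200 2048',
    '198.51.100.7 - - [18/Jun/2021:10:55:40 +0000] '
    '"GET /solr/myapp/select/..%2F..%2Freplication?masterUrl=http://198.51.100.9/ HTTP/1.1" 200 300',
]

if __name__ == "__main__":
    url = build_select_url("../../replication?evilpayload")
    print("handler:", solr_handler_of(url), "q:", query_values(url, "q"))
    for finding in scan_access_log(SAMPLE_LOG):
        print(*finding)
```

Running the module shows the encoded request still resolving to the select handler with the hostile text preserved as a literal search term, and two findings from the sample log: the direct call and the traversal attempt, the latter annotated with the masterUrl parameter. In a SolrCloud deployment with no replication configured, any request that resolves to a replication handler is something to account for, which is the check Rahul's point about implicit handlers makes necessary.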