A remote code execution vulnerability exists in Apache Solr. It is caused by a deserialization flaw that allows a remote attacker to set the configuration of a JMX server. The configuration endpoint does not perform authorization checks.
Exploitation
Stages
- The attacker sends an unauthorized request to a Solr instance that attempts to configure a JMX connection.
- The victim server accepts the configuration request and attempts to communicate with the JRMP payload server.
- The malicious server, which the attacker controls, supplies a serialized payload that the victim server deserializes and executes.
Prerequisites
A Solr instance must have its remote configuration option set.
Alert Logic Coverage
Alert Logic® has evaluated its customer base for exposure to the exploit and has developed signatures for mitigating the threat depending on the security service in place.
The Network-Based Intrusion Detection System (IDS) has been updated with new signatures that detect this exploit via Alert Logic Threat Manager™. If this signature is detected, an incident is generated in the Alert Logic console.
Recommendations for Mitigation
Upgrade to a non-vulnerable version to mitigate this vulnerability. Additionally, ensure that an updated version of Java is used (Java >7u25).
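The following host audit is an added example, not part of the original advisory or of Alert Logic's tooling. It checks the two conditions the advisory names: whether remote configuration is still available and whether Java is newer than 7u25. It assumes that the "remote configuration option" is Solr's Config API, which is turned off by the JVM system property `disable.configEdit=true` set in a `solr.in.sh`-style file; the function names and sample inputs are constructed for illustration.

```python
import re

# Assumption (not stated in the advisory): Config API edits are disabled when
# the Solr JVM is started with -Ddisable.configEdit=true.
CONFIG_EDIT_FLAG = re.compile(r"-Ddisable\.configEdit=(\w+)")
MIN_JAVA = (7, 25)  # advisory: Java must be newer than 7u25

# Constructed sample inputs: the hardening flag is present but commented out.
SAMPLE_SOLR_IN_SH = '''\
SOLR_HEAP="2g"
#SOLR_OPTS="$SOLR_OPTS -Ddisable.configEdit=true"
SOLR_OPTS="$SOLR_OPTS -Dsolr.autoSoftCommit.maxTime=3000"
'''
SAMPLE_JAVA = 'java version "1.7.0_21"\nJava(TM) SE Runtime Environment'


def parse_java_version(text):
    """Return (major, update) from `java -version` output.

    Handles the legacy scheme (1.7.0_21) and the modern one (11.0.2).
    """
    m = re.search(r'version "(?:1\.)?(\d+)(?:\.\d+[._](\d+))?', text)
    if not m:
        raise ValueError("no Java version string found")
    return int(m.group(1)), int(m.group(2) or 0)


def config_edit_disabled(solr_in_sh):
    """True only if an uncommented line sets -Ddisable.configEdit=true."""
    disabled = False
    for line in solr_in_sh.splitlines():
        code = line.split("#", 1)[0]  # drop shell comments
        for value in CONFIG_EDIT_FLAG.findall(code):
            disabled = value.lower() == "true"  # a later -D overrides an earlier one
    return disabled


def audit(solr_in_sh, java_version_output):
    """Return a list of finding identifiers; an empty list means both checks pass."""
    findings = []
    if not config_edit_disabled(solr_in_sh):
        findings.append("config-edit-enabled")
    if parse_java_version(java_version_output) <= MIN_JAVA:
        findings.append("java-too-old")
    return findings


if __name__ == "__main__":
    print(audit(SAMPLE_SOLR_IN_SH, SAMPLE_JAVA))
```

A passing audit does not replace the upgrade to a non-vulnerable Solr version that the advisory recommends.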