A vulnerability exists in a popular module of Apache Solr that allows remote code execution. The vulnerability exists because of the module DataImportHandler, which is used to import data into the Solr instance. The configuration can be set with an unauthenticated request to the application that includes a script in the dataConfig parameter that will be executed if the ‘full- import’ command is set.
- The attacker sends a special request after enumeration in order to cause configuration changes that are executed on the server.
- The server responds with a 200 and lets the attacker know that the request was made to ‘DataSource’, signifying that it was most likely executed/processed.
A Solr instance must be running the module DataImportHandler active. Additionally, running a Solr instance with the following command: ./solr/bin/solr start -s /opt/solr/example/example-DIH/solr will properly configure a DIH example, including adding the request handler in the config file.
Alert Logic Coverage
Alert Logic® has evaluated its customer base for exposure to the exploit and has developed signatures for mitigating the threat depending on the security service in place.
The Network-Based Intrusion Detection System (IDS) has been updated with the new signatures for this exploit when detected via Alert Logic Threat Manager™. If this signature is detected, an incident is generated in the Alert Logic console.
Recommendations for Mitigation
The Solr project has added an update that clearly responds back with a 403 forbidden and a security risk message when this is attempted on a non-vulnerable system >= Solr 8.2. Ensure that Solr instance is updated.