External risk intelligence

Apache Solr Remote Code Execution Vulnerability

CVE advisory
Known Exploit

CVE-2019-17558

A vulnerability in Apache Solr's VelocityResponseWriter could allow attackers to execute arbitrary code on affected systems. This impacts the confidentiality, integrity, and availability of data and systems by enabling unauthorized code execution. The business risk is elevated due to the potential for system compromise.

Halo Surface Signal: 4

Remote Code Execution

Apache Solr

Affected versions:
  • 5.0.0 to before 7.7.3
  • 8.0.0 to before 8.4.0
  • 17.7 to 17.12
  • 16.1
  • 16.2
  • 18.8
  • 19.12

External exposure likelihood

Halo Surface Signal score for CVE-2019-17558

Apache Solr is a widely deployed enterprise search platform often exposed as a network-facing service or API. While exploiting this particular vulnerability requires a specific configuration or administrative access, the underlying software is frequently positioned as an externally reachable edge service or application backend in standard production environments.

Horizon Alert

Summary of the vulnerability and why it matters

The Apache Solr search platform is susceptible to a flaw within its VelocityResponseWriter. This vulnerability allows for remote code execution if specific conditions are met, potentially impacting the confidentiality, integrity, and availability of systems. The flaw arises from the ability to process Velocity templates, which could be user-defined or provided through configuration.

  • Vulnerable Apache Solr component
  • Allows remote code execution
  • Business risk to systems and data

Attack Path

How an attacker could exploit the issue

The identified vulnerability in Apache Solr allows for remote code execution through the VelocityResponseWriter. An attacker can leverage this by providing a malicious Velocity template, which, when rendered, can lead to unauthorized control over the affected system. This attack path requires specific configuration or administrative access to enable the template rendering functionality.

  • Exposure via network access.
  • Attacker provides a malicious template.
  • Attacker gains system control.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability in Apache Solr allows for remote code execution. It can be exploited by an attacker with limited access to the affected system. The potential impact includes unauthorized code execution, which could lead to a compromise of the system and sensitive data.

  • Likely attacker skill level: Moderate.
  • Required access or conditions: Some administrative configuration access.
  • Business risk or urgency: High.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

An organization should prioritize identifying and securing its Apache Solr instances vulnerable to remote code execution. This vulnerability arises from the VelocityResponseWriter's handling of Velocity templates, which attackers could exploit to execute arbitrary code on affected systems. The risk is heightened for configurations where custom response writers are defined with settings that enable parameter-based template loading, or where untrusted configsets are deployed.

  • Locate all exposed Solr assets.
  • Restrict network access to Solr.
  • Apply vendor updates and confirm fixes.
  • Monitor for suspicious activity.

Frequently asked questions

What is the Apache Solr VelocityResponseWriter vulnerability and how does it allow for remote code execution?

The Apache Solr VelocityResponseWriter vulnerability (CVE-2019-17558) allows for remote code execution by enabling the processing of Velocity templates. These templates can be provided through user-defined configsets or as parameters. If the parameter resource loader is enabled via configuration, attackers can inject malicious templates to execute arbitrary code on the affected Solr instance. This weakness is classified as CWE-74.

What versions of Apache Solr are affected by CVE-2019-17558 and what is the weakness class?

Apache Solr versions 5.0.0 through 8.3.1 are vulnerable to remote code execution via the VelocityResponseWriter. The weakness is identified as CWE-74, which relates to improper neutralization of special elements in output, leading to code injection.

How can an attacker exploit the Apache Solr VelocityResponseWriter vulnerability and what is the scope of impact?

An attacker can exploit this vulnerability by providing a malicious Velocity template. This can be achieved through configsets containing renderable templates or by enabling the `params.resource.loader.enabled` setting for response writers, which requires configuration API access. Once exploited, the attacker can execute arbitrary code, potentially leading to a full system compromise. The scope is typically limited to the Solr instance itself.

How does the Halo Surface Signal assess the risk of CVE-2019-17558, and what threat advisory context is relevant?

Halo assesses CVE-2019-17558 as 'Likely' risk due to Apache Solr's widespread use as a network-facing enterprise search platform. The vulnerability can be exploited remotely via the VelocityResponseWriter, posing a significant threat. The critical nature of Solr in many environments means this RCE flaw is a serious concern for businesses.

What are the recommended steps to mitigate the Apache Solr VelocityResponseWriter remote code execution vulnerability?

To mitigate this vulnerability, organizations should identify all exposed Solr instances and apply vendor-provided updates. It is also recommended to restrict network access to Solr and monitor for any suspicious activity. Solr versions 8.4 and later have addressed this issue by removing the params resource loader and only enabling trusted configset template rendering.
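The audit step described in the Operational Fix section and in the answers above can be scripted. The following is an added example, not code from the advisory or from Apache Solr: it parses a constructed solrconfig.xml fragment, flags any VelocityResponseWriter whose `params.resource.loader.enabled` setting resolves to true, and checks a version string against the affected ranges listed on this page (5.0.0 to before 7.7.3, 8.0.0 to before 8.4.0). It assumes `${property:default}` expressions take their default, i.e. that no system property overrides them at startup.

```python
# Added audit helper for CVE-2019-17558 (not part of the advisory or of Solr).
import re
import xml.etree.ElementTree as ET

# Constructed sample solrconfig.xml fragment: the velocity writer has the
# parameter resource loader enabled through a ${property:default} expression.
SAMPLE_SOLRCONFIG = """<config>
  <queryResponseWriter name="velocity" class="solr.VelocityResponseWriter" startup="lazy">
    <str name="template.base.dir">${velocity.template.base.dir:}</str>
    <str name="params.resource.loader.enabled">${velocity.params.resource.loader.enabled:true}</str>
  </queryResponseWriter>
  <queryResponseWriter name="json" class="solr.JSONResponseWriter"/>
</config>"""

_PROP = re.compile(r"^\$\{[^:}]+(?::([^}]*))?\}$")

def resolve(value: str) -> str:
    """Reduce ${prop:default} to its default (assumes the system property is
    not overridden at startup); plain literal values pass through."""
    m = _PROP.match(value.strip())
    return (m.group(1) or "") if m else value.strip()

def find_velocity_risks(config_xml: str) -> list[str]:
    """Names of VelocityResponseWriters that load templates from request
    parameters; an empty list means the risky setting is not enabled."""
    risky = []
    for writer in ET.fromstring(config_xml).iter("queryResponseWriter"):
        if "VelocityResponseWriter" not in writer.get("class", ""):
            continue
        for setting in writer:
            if (setting.get("name") == "params.resource.loader.enabled"
                    and resolve(setting.text or "").lower() == "true"):
                risky.append(writer.get("name", "?"))
    return risky

# Affected ranges as [first affected, first fixed), per the advisory's list.
AFFECTED = (((5, 0, 0), (7, 7, 3)), ((8, 0, 0), (8, 4, 0)))

def version_affected(version: str) -> bool:
    """True when a numeric Solr version such as '8.3.1' or '8.4' is in range."""
    parts = tuple(int(p) for p in version.split(".")[:3])
    parts += (0,) * (3 - len(parts))
    return any(low <= parts < fixed for low, fixed in AFFECTED)

if __name__ == "__main__":
    print("risky writers:", find_velocity_risks(SAMPLE_SOLRCONFIG))
    print("8.3.1 affected:", version_affected("8.3.1"))
```

A version at or above 8.4.0 reports no affected range even when the sample writer is flagged, since the fix removed the parameter resource loader regardless of the configured value.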
