Apache Solr Config API Velocity Template RCE (Direct Check)

high Nessus Plugin ID 131734

Synopsis

The remote web server contains a Java application that is affected by a remote code execution vulnerability.

Description

The version of Apache Solr running on the remote web server is affected by a remote code execution vulnerability. An unauthenticated, remote attacker can exploit this issue, by sending a specially crafted HTTP POST request to the Config API to toggle the params resource loader value for the Velocity Response Writer in the solrconfig.xml file to true.
Enabling this parameter allows to use the velocity template parameter in a specially crafted Solr request to execute arbitrary code.

Solution

No updates are available

See Also

http://www.nessus.org/u?b63da8fd

http://www.nessus.org/u?8816a07f

https://issues.apache.org/jira/browse/SOLR-13971

Plugin Details

Severity: High

ID: 131734

File Name: apache_solr_2019-1120_unauth_rce.nbin

Version: 1.83

Type: remote

Family: CGI abuses

Published: 12/6/2019

Updated: 11/22/2024

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: High

Score: 8.4

CVSS v2

Risk Factor: Medium

Base Score: 4.6

Temporal Score: 3.8

Vector: CVSS2#AV:N/AC:H/Au:S/C:P/I:P/A:P

CVSS Score Source: CVE-2019-17558

CVSS v3

Risk Factor: High

Base Score: 7.5

Temporal Score: 7

Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:F/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:apache:solr

Required KB Items: installed_sw/Apache Solr

Exploit Available: true

Exploit Ease: Exploits are available

Exploited by Nessus: true

Vulnerability Publication Date: 10/30/2019

CISA Known Exploited Vulnerability Due Dates: 5/3/2022

Exploitable With

Metasploit (Apache Solr Remote Code Execution via Velocity Template)

Reference Information

CVE: CVE-2019-17558