Attacker Value: Very High (1 user assessed)
Exploitability: Very High (1 user assessed)
User Interaction: None
Privileges Required: None
Attack Vector: Network

Apache Solr 8.1.1, 8.2.0 have an unauthenticated JMX server enabled in default config

Disclosure Date: September 11, 2019

Description

The 8.1.1 and 8.2.0 releases of Apache Solr contain an insecure setting for the ENABLE_REMOTE_JMX_OPTS configuration option in the default solr.in.sh configuration file shipping with Solr. If you use the default solr.in.sh file from the affected releases, then JMX monitoring will be enabled and exposed on RMI_PORT (default=18983), without any authentication. If this port is opened for inbound traffic in your firewall, then anyone with network access to your Solr nodes will be able to access JMX, which may in turn allow them to upload malicious code for execution on the Solr server.
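Because the exposure lives in the shipped solr.in.sh rather than in the Solr binary, a useful defensive check is to audit that file directly. The following is an added example (not Solr's own tooling or code from this advisory) that parses a solr.in.sh, ignores commented-out lines, and reports whether ENABLE_REMOTE_JMX_OPTS is on and which RMI_PORT would be used; it falls back to the page's stated default of 18983 when RMI_PORT is unset. The sample file contents are constructed for illustration.

```python
import re

# Page-stated facts: the option name and the default RMI_PORT (18983).
DEFAULT_RMI_PORT = 18983
_ASSIGN = re.compile(r'^\s*(?:export\s+)?([A-Z_][A-Z0-9_]*)\s*=\s*(.*?)\s*$')


def parse_solr_in_sh(text: str) -> dict:
    """Return the effective (uncommented) VAR=value assignments in a solr.in.sh.

    Later assignments win, as they would when the shell sources the file, and
    surrounding quotes are stripped. Commented lines are skipped, so a
    '#ENABLE_REMOTE_JMX_OPTS="true"' line does NOT count as enabled.
    """
    values = {}
    for line in text.splitlines():
        if line.lstrip().startswith('#'):
            continue
        m = _ASSIGN.match(line)
        if m:
            values[m.group(1)] = m.group(2).strip('"\'')
    return values


def audit_remote_jmx(text: str) -> dict:
    """Flag a solr.in.sh that enables remote JMX and report the RMI port it would use."""
    values = parse_solr_in_sh(text)
    enabled = values.get('ENABLE_REMOTE_JMX_OPTS', 'false').lower() == 'true'
    port_str = values.get('RMI_PORT')
    port = int(port_str) if port_str and port_str.isdigit() else DEFAULT_RMI_PORT
    verdict = (f'INSECURE: unauthenticated JMX/RMI would listen on port {port}; '
               'set ENABLE_REMOTE_JMX_OPTS="false" or comment the line out'
               if enabled else 'OK: remote JMX is not enabled in this file')
    return {'remote_jmx_enabled': enabled, 'rmi_port': port, 'verdict': verdict}


# Constructed samples: the first mimics a default file that left the option
# on (RMI_PORT still commented, so the 18983 default applies); the second is
# the same file with the option commented out.
BAD_SOLR_IN_SH = """\
SOLR_HEAP="512m"
# Enable remote JMX access
ENABLE_REMOTE_JMX_OPTS="true"
#RMI_PORT=18983
"""
GOOD_SOLR_IN_SH = BAD_SOLR_IN_SH.replace(
    'ENABLE_REMOTE_JMX_OPTS="true"', '#ENABLE_REMOTE_JMX_OPTS="true"')

if __name__ == '__main__':
    for name, content in (('bad', BAD_SOLR_IN_SH), ('good', GOOD_SOLR_IN_SH)):
        print(name, audit_remote_jmx(content)['verdict'])
```

Run it against each node's real solr.in.sh (for example /etc/default/solr.in.sh on package installs, a path assumed here) so that the config file itself, not just the Solr version, decides the result.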

Ratings
  • Attacker Value: Very High
  • Exploitability: Very High
Technical Analysis

This configuration issue could really affect any version, since it’s just someone having left the debug option on in the default config.
Metasploit has had a general scanner for this misconfiguration since 2012 in auxiliary/scanner/misc/java_rmi_server and 2011 in modules/exploits/multi/misc/java_rmi_server. Just noticed https://github.com/rapid7/metasploit-framework/pull/12565 which might be useful as well.

Shodan only shows maybe one host on the internet exposing this port in something that could plausibly look like JMX. The next great internet worm this will not be: https://www.shodan.io/search?query=port%3A18983

I’m giving this a high attacker utility but also a low urgency to patch, because the patch is almost irrelevant here. If you’re using the default solr config, your solr install probably doesn’t work anyway! The patch isn’t really required to fix this configuration bug, and you could be vulnerable with or without updating to a newer version. Even if you patch, if you have a bad config, it’s not necessarily going to auto-update either. Any authenticated vuln scan is probably going to produce misleading results about whether you’re actually vulnerable or not, unless it checks your config file. Doing a remote scan is much better.

The mitigation is really just making sure you don’t deploy a config that leaves unauth RMI servers on a network, but nothing really stops you from shooting yourself in the foot either. Note that Solr’s own docs tell you how to enable this bit, but also it says to not use it in production. https://lucene.apache.org/solr/guide/7_0/using-jmx-with-solr.html

CVSS V3 Severity and Metrics
Base Score: 9.8 Critical
Impact Score: 5.9
Exploitability Score: 3.9
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): High
Integrity (I): High
Availability (A): High

General Information

Vendors

  • apache

Products

  • solr 8.1.1
  • solr 8.2.0
