Title: CVE-2019-0192: Deserialization of untrusted data via jmx.serviceUrl in Apache Solr category: solr/security cve: CVE-2019-0192

Severity: High

Vendor:
The Apache Software Foundation

Versions Affected:

• 5.0.0 to 5.5.5
• 6.0.0 to 6.6.5

Description:
ConfigAPI allows to configure Solr‘s JMX server via an HTTP POST request. By pointing it to a malicious RMI server, an attacker could take advantage of Solr’s unsafe deserialization to trigger remote code execution on the Solr side.

Mitigation:
Any of the following are enough to prevent this vulnerability:

• Upgrade to Apache Solr 7.0 or later.
• Disable the ConfigAPI if not in use, by running Solr with the system property “disable.configEdit=true”
• If upgrading or disabling the Config API are not viable options, apply patch in [1] and re-compile Solr.
• Ensure your network settings are configured so that only trusted traffic is allowed to ingress/egress your hosts running Solr.

Credit:
Michael Stepankin

References:

• https://issues.apache.org/jira/browse/SOLR-13301
• https://cwiki.apache.org/confluence/display/SOLR/SolrSecurity