CVE-2019-17558
In short
Apache Solr allows attackers to run malicious code on servers through templates that can be provided in configuration files or as parameters. This happens because the software doesn't properly validate these templates before executing them.
Technical detail
CVE-2019-17558 is an Arbitrary Code Execution vulnerability in Apache Solr 5.0.0–8.3.1 via VelocityResponseWriter. The attack vector requires either uploading a malicious configset or enabling parameter-based templates through the Configuration API (params.resource.loader.enabled). The vulnerability stems from insufficient template validation in Velocity template rendering, allowing arbitrary code execution with the privileges of the Solr process.
Summary generated and translated by AI from the official description.
Apache Solr 5.0.0 to Apache Solr 8.3.1 are vulnerable to a Remote Code Execution through the VelocityResponseWriter. A Velocity template can be provided through Velocity templates in a configset `velocity/` directory or as a parameter. A user defined configset could contain renderable, potentially malicious, templates. Parameter provided templates are disabled by default, but can be enabled by setting `params.resource.loader.enabled` by defining a response writer with that setting set to `true`. Defining a response writer requires configuration API access. Solr 8.4 removed the params resource loader entirely, and only enables the configset-provided template rendering when the configset is `trusted` (has been uploaded by an authenticated user).
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
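The description above names the precondition for the parameter-based template path: a VelocityResponseWriter whose `params.resource.loader.enabled` setting is effectively `true`. The following Python check, added here and not part of this page or of Solr itself, reports that condition for both a solrconfig.xml and a configoverlay.json (where Config API edits are persisted), resolving Solr-style `${prop:default}` placeholders. The sample config fragment, the overlay key layout and the system-property names are constructed assumptions modelled on Solr's default configset.

```python
import json
import re
import xml.etree.ElementTree as ET

# Constructed solrconfig.xml fragment; mirrors the shape of the VelocityResponseWriter
# definition in Solr 5.x-8.3 default configsets (assumption, not copied from a real deployment).
SAMPLE_SOLRCONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<config>
  <queryResponseWriter name="velocity" class="solr.VelocityResponseWriter" startup="lazy">
    <str name="template.base.dir">${velocity.template.base.dir:}</str>
    <str name="solr.resource.loader.enabled">${velocity.solr.resource.loader.enabled:true}</str>
    <str name="params.resource.loader.enabled">${velocity.params.resource.loader.enabled:false}</str>
  </queryResponseWriter>
</config>
"""

# Constructed configoverlay.json; assumed layout {"queryResponseWriter": {name: {attr: value}}}.
SAMPLE_OVERLAY = ('{"queryResponseWriter": {"velocity": {"class": "solr.VelocityResponseWriter",'
                  ' "params.resource.loader.enabled": "true"}}}')

PROP_RE = re.compile(r"\$\{([^:}]+)(?::([^}]*))?\}")

def resolve(value, sysprops):
    """Expand Solr-style ${prop:default} placeholders against the given system properties."""
    return PROP_RE.sub(lambda m: sysprops.get(m.group(1), m.group(2) or ""), value or "")

def is_true(value, sysprops):
    return resolve(str(value), sysprops).strip().lower() == "true"

def velocity_writers(xml_text, sysprops=None):
    """Return [(writer name, params loader effectively enabled)] for every Velocity writer in solrconfig.xml."""
    sysprops = sysprops or {}
    findings = []
    for w in ET.fromstring(xml_text).iter("queryResponseWriter"):
        if not w.get("class", "").endswith("VelocityResponseWriter"):
            continue
        flags = [c.text for c in w if c.get("name") == "params.resource.loader.enabled"]
        findings.append((w.get("name"), any(is_true(f, sysprops) for f in flags)))
    return findings

def overlay_velocity_writers(overlay_json, sysprops=None):
    """Same check for configoverlay.json, where Config API edits (the path the advisory names) persist."""
    sysprops = sysprops or {}
    findings = []
    for name, attrs in json.loads(overlay_json).get("queryResponseWriter", {}).items():
        if not str(attrs.get("class", "")).endswith("VelocityResponseWriter"):
            continue
        findings.append((name, is_true(attrs.get("params.resource.loader.enabled", "false"), sysprops)))
    return findings
```

The effective configuration is the union of solrconfig.xml and the overlay, so a deployment is only clear when both checks report `False` (in SolrCloud both files live in ZooKeeper rather than on local disk).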
Affected products
n/a · Apache Solr
Public PoCs found — 8
github.com/zhzyker/exphub (★ 4283)
github.com/Ma1Dong/Solr_CVE-2019-17558 (★ 2)
github.com/thelostworldFree/CVE-2019-17558_Solr_Vul_Tool (★ 1)
github.com/rogerzeferino/Apache-Solr-RCE-CVE-2019-17558 (★ 0)
github.com/xkyrage/Exploit_CVE-2019-17558-RCE (★ 0)
www.exploit-db.com/exploits/48338 (unverified)
www.exploit-db.com/exploits/47572 (unverified)
packetstormsecurity.com/files/157078/Apache-Solr-8.3.0-Velocity-Template-Remote-Code-Execution.html (CVE reference, unverified)
⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.
References
http://packetstormsecurity.com/files/157078/Apache-Solr-8.3.0-Velocity-Template-Remote-Code-Execution.html
https://issues.apache.org/jira/browse/SOLR-13971
https://lists.apache.org/thread.html/r0b7b9d4113e6ec1ae1d3d0898c645f758511107ea44f0f3a1210c5d5%40%3Cissues.lucene.apache.org%3E
https://lists.apache.org/thread.html/r12ab2cb15a34e49b4fecb5b2bdd7e10f3e8b7bf1f4f47fcde34d3a7c%40%3Cissues.lucene.apache.org%3E
https://lists.apache.org/thread.html/r19d23e8640236a3058b4d6c23e5cd663fde182255f5a9d63e0606a66%40%3Cdev.lucene.apache.org%3E
https://lists.apache.org/thread.html/r1d4a247329a8478073163567bbc8c8cb6b49c6bfc2bf58153a857af1%40%3Ccommits.druid.apache.org%3E
https://lists.apache.org/thread.html/r204ba2a9ea750f38d789d2bb429cc0925ad6133deea7cbc3001d96b5%40%3Csolr-user.lucene.apache.org%3E
https://lists.apache.org/thread.html/r25f1bd4545617f5b86dde27b4c30fec73117af65598a30e20209739a%40%3Cissues.lucene.apache.org%3E
https://lists.apache.org/thread.html/r339865b276614661770c909be1dd7e862232e3ef0af98bfd85686b51%40%3Cdev.lucene.apache.org%3E
https://lists.apache.org/thread.html/r36e35fd76239a381643555966fb3e72139e018d52d76544fb42f96d8%40%3Cissues.lucene.apache.org%3E
https://lists.apache.org/thread.html/r5074d814d3a8c75df4b20e66bfd268ee0a73ddea7e85070cec3ae78d%40%3Cissues.lucene.apache.org%3E
https://lists.apache.org/thread.html/r58c58fe51c87bc30ee13bb8b4c83587f023edb349018705208e65b37%40%3Cissues.lucene.apache.org%3E