Measured Search recently learned of and resolved a security vulnerability with Apache Solr. We want to report this to you, describe how we responded to the incident, and reiterate our commitment to constantly improving the security and integrity of your deployments, data and our service.
On October 13, 2017, we became aware of an Apache Solr zero-day exploit (CVE-2017-12629). This security vulnerability was made public on Apache Solr’s mailing list and was considered a Zero-day Exploit. By combining vulnerabilities, an external attacker can achieve remote code execution without direct access to the Solr server.
Upon receiving notification, our engineering and support staff investigated the issue, replicated the vulnerability, and leveraged the information provided by the Apache Solr community in creating a detailed plan for mitigation.
On the evening of October 13, the team notified all customers of a maintenance window for mitigation of this exploit. During this maintenance window, the SearchStax team applied a fix as recommended by the Apache Solr community. This was sufficient to protect from this type of attack. During the October 13 maintenance window all SearchStax Gold and above deployments were patched.
By October 23, all Silver customer deployments were patched.
We appreciate the work of Michael Stepankin from JPMorgan Chase and Olga Barinova from Gotham Digital Science in discovering the vulnerability and the larger Solr community in disclosing and providing a patch for the vulnerability. We will continue to endeavor to improve our internal processes in order to provide our customers with a secure and trusted platform.
Moving forward we have also certified Apache Solr Version 6.6.2 on SearchStax which includes a security fix for the zero-day exploit (CVE-2017-12629). If you would like to upgrade your deployment to this version of Solr, please email us at email@example.com and we’d be happy to help.
The SearchStax Team