Solr vulnerabilities update blog

October 17, 2024

Dipsy Kapoor

|

2 min. read

Two new Solr vulnerabilities have been recently identified. We want to share the information available and the recommended mitigation measures as part of our commitment to improving the security for our customer’s Solr deployments and services.

These vulnerabilities were originally reported on October 14, 2024 and are being tracked as CVE-2024-45217 with a CVSS score of 8.1 (High) and CVE-2024-45216 with a CVSS score of 9.8 (Critical).

CVE-2024-45217

Description of Solr Vulnerability

Insecure Default Initialization of Resource vulnerability in Apache Solr.

New ConfigSets that are created via a Restore command, which copy a configSet from the backup and give it a new name, are created without setting the “trusted” metadata. ConfigSets that do not contain the flag are trusted implicitly if the metadata is missing, therefore this leads to “trusted” ConfigSets that may not have been created with an Authenticated request. “trusted” ConfigSets are able to load custom code into classloaders, therefore the flag is supposed to only be set when the request that uploads the ConfigSet is Authenticated & Authorized.

 

Affected Deployments

Deployments using Solr 6.6.0 through 8.11.3 or Solr 9.0.0 through 9.6.0.

 

Recommended Mitigations

It is recommended to take one of the following actions if your deployments are using an affected Solr version:

 

  • Upgrade your Solr deployments to the latest supported versions, Solr 8.11.4 or Solr 9.7.0.

CVE-2024-45216

Description of Solr Vulnerability

Improper Authentication vulnerability in Apache Solr. Solr instances using the PKIAuthenticationPlugin, which is enabled by default when Solr Authentication is used, are vulnerable to Authentication bypass. A fake ending at the end of any Solr API URL path, will allow requests to skip Authentication while maintaining the API contract with the original URL Path

 

Affected Deployments

Deployments on Solr 5.3.0 through 8.11.3 or Solr 9.0.0 through 9.6.0 using the PKI Authentication Plugin. This plugin is used by SearchStax for Basic Authentication. Inter-node communication might be handled by PKI Authentication Plugin as explained here, however since individual nodes are not accessible with SearchStax, SearchStax deployments are not vulnerable.

 

Recommended Mitigations

SearchStax deployments are unaffected due to the inaccessibility of individual nodes via authentication. If you’d like to further increase security in general, you are encouraged to take either of the following actions:

  • Include IP Filtering as a security feature for your deployments

 

  • Upgrade your Solr deployments to the latest supported versions, Solr 8.11.4 or Solr 9.7.0.

By Dipsy Kapoor

VP, Engineering

You might also like: