A new vulnerability was recently identified in Apache Solr. We want to report this security vulnerability to you, describe how we responded to the incident and reiterate our commitment to constantly improving the security and integrity of our customers’ Solr deployments, data and service.
The new vulnerability has been identified in Solr – CVE-2020-13957. This vulnerability was initially reported on October 13, 2020, and was assessed as a Critical vulnerability on 23rd October with a CVSS score of 9.8.
This blog post describes the vulnerability, offers recommended mitigations for all users and provides specific mitigation steps for SearchStax customers.
Description of Solr Vulnerability — CVE-2020-13957
Certain Apache Solr are susceptible to a vulnerability which when successfully exploited could lead to disclosure of sensitive information, addition or modification of data, or Denial of Service (DoS).
Apache Solr versions affected:
- 6.6.0 to 6.6.6
- 7.0.0 to 7.7.3
- 8.0.0 to 8.6.2
Specifically, the Apache Solr versions referenced above prevent some features considered dangerous (which could be used for remote code execution) to be configured in a ConfigSet that’s uploaded via API without authentication/authorization. The checks in place to prevent such features can be circumvented by using a combination of UPLOAD/CREATE actions.
Recommended Mitigation for CVE-2020-13957
Any of the following steps are sufficient to prevent this vulnerability:
- Disable UPLOAD command in ConfigSets API if not used by setting the system property: “configset.upload.enabled” to “false”
- Use Authentication/Authorization and make sure unknown requests aren’t allowed
- Tune your firewall so that only trusted computers and people are allowed access; no Solr APIs, including the Admin UI, is designed to be exposed to non-trusted parties
- Upgrade to Solr 8.6.3 or greater
- Apply the SOLR-14663 patch if upgrading is not an option at this time
SearchStax Response for CVE-2020-13957
- Review all of your Solr deployments – SearchStax customers should review all deployments (production and non-production) and ensure they are either protected by IP Filtering or are protected by Basic Authentication. You can access these settings from SearchStax Dashboard. Documentation for which is available here: https://www.searchstax.com/docs/security/
- Disable Config Upload API – If you are not using the config upload APIs, then we would like to disable these APIs by adding the configset.upload.enabled=false flag as recommended. (Note that these are NOT the Zookeeper APIs. Please see the ConfigSets API in the Solr Reference Guide for more details).
If you are a SearchStax customer, our team may have already contacted you or will contact you shortly to work with you to make sure your deployments are secure. If you have any other questions about the Solr Vulnerability, please contact SearchStax Support or submit a support ticket.
Next Steps for Solr Vulnerability CVE-2020-13957
We developed and implemented a software update to address this vulnerability so new deployments going forward will automatically be secure and will not be impacted by the vulnerability.