On 8/25/2018 9:21 PM, Erick Erickson wrote:
> This is probably CVE-2017-12629, see SOLR-11482, SOLR-11477 for
> specific versions that have been patched and upgrade. You also need
> to, as Jan suggested, figure out a way to be absolutely sure that your
> installation is cleaned before you can be sure that you're protected.
> Also see:
> https://www.bleepingcomputer.com/news/security/coinminer-campaigns-target-redis-apache-solr-and-windows-servers/
Erick is awesome. We can usually count on Erick to research a problem
and find the likely culprit. This is a vulnerability in the way that
Solr handles XML parsing. Certain operations were allowed in the name
of flexibility. It was not realized at the time of implementation that
it was opening a security hole.
Here's the Solr announcement about the related vulnerabilities and the
versions with a fix:
http://mail-archives.us.apache.org/mod_mbox/www-announce/201710.mbox/%3CCAOOKt51UO_6Vy%3Dj8W%3Dx1pMbLW9VJfZyFWz7pAnXJC_OAdSZubA%40mail.gmail.com%3E
In order to exploit that vulnerability, somebody must have network
access to a Solr install. Such access could be obtained by first
breaking into another piece of software, like a web server.
The recommendation I mentioned about making sure only trusted parties
can reach Solr is in the documentation, and on the wiki:
https://lucene.apache.org/solr/guide/7_4/securing-solr.html
https://wiki.apache.org/solr/SolrSecurity#Need_for_firewall
That second link covers some other possible attack vectors.
Thanks,
Shawn