This is exactly why I asked what Solr version they were running, to see if they had the vulnerability. We still have no idea about Solr, OS, or JVM versions.
wunder
Walter Underwood
wun...@wunderwood.org
http://observer.wunderwood.org/  (my blog)

> On Aug 26, 2018, at 5:25 AM, Shawn Heisey <apa...@elyograg.org> wrote:
>
> On 8/25/2018 9:21 PM, Erick Erickson wrote:
>> This is probably CVE-2017-12629, see SOLR-11482, SOLR-11477 for
>> specific versions that have been patched and upgrade. You also need
>> to, as Jan suggested, figure out a way to be absolutely sure that your
>> installation is cleaned before you can be sure that you're protected.
>>
>> Also see:
>> https://www.bleepingcomputer.com/news/security/coinminer-campaigns-target-redis-apache-solr-and-windows-servers/
>
> Erick is awesome. We can usually count on Erick to research a problem and
> find the likely culprit. This is a vulnerability in the way that Solr
> handles XML parsing. Certain operations were allowed in the name of
> flexibility. It was not realized at the time of implementation that it was
> opening a security hole.
>
> Here's the Solr announcement about the related vulnerabilities and the
> versions with a fix:
>
> http://mail-archives.us.apache.org/mod_mbox/www-announce/201710.mbox/%3CCAOOKt51UO_6Vy%3Dj8W%3Dx1pMbLW9VJfZyFWz7pAnXJC_OAdSZubA%40mail.gmail.com%3E
>
> In order to exploit that vulnerability, somebody must have network access to
> a Solr install. Such access could be obtained by first breaking into another
> piece of software, like a web server.
>
> The recommendation I mentioned about making sure only trusted parties can
> reach Solr is in the documentation, and on the wiki:
>
> https://lucene.apache.org/solr/guide/7_4/securing-solr.html
> https://wiki.apache.org/solr/SolrSecurity#Need_for_firewall
>
> That second link covers some other possible attack vectors.
>
> Thanks,
> Shawn
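The two things this thread keeps asking for are (a) which Solr, JVM and OS versions the box is actually running, and (b) some way to tell whether the install is clean. As an added example that is not part of this thread and not the Solr project's own tooling, the script below does both offline: it reads the three versions out of the JSON that /solr/admin/info/system?wt=json returns and compares the Solr version with the first fixed releases for CVE-2017-12629 (6.6.2 and 7.1.0, per the October 2017 announcement Shawn linked), and it scans a solrconfig.xml for RunExecutableListener entries, the listener class that SOLR-11482 disabled and that the coinminer campaign planted through the Config API. The sample JSON and solrconfig.xml are constructed for the example; the JSON field names follow the documented admin/info/system response, the exe/args values are placeholders, and FIXED_VERSIONS, summarise_system_info and find_executable_listeners are names chosen here.

```python
"""Offline checks for CVE-2017-12629 exposure on an Apache Solr install.

Added example, not from the mailing-list thread or the Solr project.
  1. Pull the Solr / JVM / OS versions out of the JSON returned by
     /solr/admin/info/system?wt=json and compare the Solr version with the
     first fixed releases (6.6.2 on the 6.x branch, 7.1.0 on the 7.x branch).
  2. Scan a solrconfig.xml for RunExecutableListener entries, which a clean
     install should not contain.
Sample inputs below are constructed; the JSON field names match the
documented admin/info/system response, the values do not describe any real host.
"""
import json
import re
import xml.etree.ElementTree as ET

# First release on each maintained branch that carries the SOLR-11477 /
# SOLR-11482 fixes. 5.x and older never received a fixed release.
FIXED_VERSIONS = {6: (6, 6, 2), 7: (7, 1, 0)}


def parse_version(spec):
    """'7.0.1' -> (7, 0, 1); tolerates '6.6' and trailing text like '6.6.1-SNAPSHOT'."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", spec.strip())
    if not m:
        raise ValueError("unrecognised Solr version: %r" % spec)
    return tuple(int(x or 0) for x in m.groups())


def is_vulnerable_version(spec):
    """True when the running Solr predates the fix for CVE-2017-12629."""
    v = parse_version(spec)
    if v[0] < 6:
        return True          # 5.x and older: no fixed release exists, upgrade
    if v[0] > 7:
        return False         # 8.x and later shipped with the fix already in
    return v < FIXED_VERSIONS[v[0]]


def summarise_system_info(raw_json):
    """Extract Solr version, JVM and OS from /solr/admin/info/system?wt=json
    and flag whether the Solr version is in the vulnerable range."""
    info = json.loads(raw_json)
    solr = info["lucene"]["solr-spec-version"]
    return {
        "solr": solr,
        "jvm": info["jvm"]["version"],
        "os": "%s %s" % (info["system"]["name"], info["system"]["version"]),
        "cve_2017_12629": is_vulnerable_version(solr),
    }


def find_executable_listeners(solrconfig_xml):
    """Return (event, exe, args) for every RunExecutableListener in a solrconfig.xml.
    Python's expat-based parser does not fetch external entities, so parsing a
    config of unknown provenance here is not itself an XXE risk."""
    root = ET.fromstring(solrconfig_xml)
    found = []
    for listener in root.iter("listener"):
        if "RunExecutableListener" not in listener.get("class", ""):
            continue
        exe, args = None, []
        # <str name="exe"> and <arr name="args"> carry the command line.
        for child in listener:
            if child.get("name") == "exe":
                exe = (child.text or "").strip()
            elif child.get("name") == "args":
                args = [(a.text or "").strip() for a in child]
        found.append((listener.get("event"), exe, args))
    return found


# Constructed sample of the admin/info/system response (values are made up).
SAMPLE_SYSTEM_INFO = json.dumps({
    "lucene": {"solr-spec-version": "6.6.1", "lucene-spec-version": "6.6.1"},
    "jvm": {"version": "1.8.0_131 25.131-b11",
            "name": "Oracle Corporation Java HotSpot(TM) 64-Bit Server VM"},
    "system": {"name": "Linux", "arch": "amd64",
               "version": "3.10.0-514.el7.x86_64"},
})

# Constructed solrconfig.xml fragment with a planted listener (placeholder command).
SAMPLE_SOLRCONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<config>
  <updateHandler class="solr.DirectUpdateHandler2">
    <listener event="postCommit" class="solr.RunExecutableListener">
      <str name="exe">sh</str>
      <str name="dir">/tmp</str>
      <bool name="wait">true</bool>
      <arr name="args"><str>-c</str><str>/tmp/example.sh</str></arr>
    </listener>
  </updateHandler>
</config>"""


if __name__ == "__main__":
    print(summarise_system_info(SAMPLE_SYSTEM_INFO))
    print(find_executable_listeners(SAMPLE_SOLRCONFIG))
```

Point summarise_system_info at the real JSON from the admin endpoint and find_executable_listeners at every core's solrconfig.xml (including the copy the Config API writes as configoverlay.json, which this scanner does not parse and which should be checked separately). A version past the fix still leaves the firewall recommendation standing: the checks say whether this hole is closed, not whether the instance should be reachable from the network at all.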