Dear Erik,

    Thank you for your fast reply.

Best Regards,
Huawei PSIRT



-----Original Message-----
From: Erik Hatcher [mailto:erik.hatc...@gmail.com]
Sent: November 1, 2019 21:50
To: solr-user@lucene.apache.org
Cc: Huawei PSIRT <ps...@huawei.com>; Renling <renl...@huawei.com>
Subject: Re: Security Vulnerability Consultation

Hi -

There are many "vulnerabilities" that can be enabled when one has
administrative access to Solr, with this being one example. The setting
mentioned defaults to false, and requires admin access to enable.

The warning from the Solr Reference Guide is worth repeating here:

>> No Solr API, including the Admin UI, is designed to be exposed to
non-trusted parties. 

Turning on authentication is the first step I'd recommend.

        Erik


> On Oct 31, 2019, at 11:45 PM, Huawei PSIRT <ps...@huawei.com> wrote:
> 
> Dear,
> 
> 
> 
>    This is Huawei PSIRT. We have learned that a security researcher 
> <https://gist.github.com/s00py/a1ba36a3689fa13759ff910e179fc133> 
> released an Apache Solr RCE suspected vulnerability on October 31, 2019.
> 
>    The links are as follows:
> https://meterpreter.org/unpatch-apache-solr-remote-command-execution-vulnerability-alert/
> 
> https://gist.github.com/s00py/a1ba36a3689fa13759ff910e179fc133
> 
> 
> 
>     We want to confirm if the issue exists. If it exists, when will
> the patches be released?
> 
>     Looking forward to your reply. Thank you.
> 
> 
> 
> Best Regards,
> 
> Huawei PSIRT
> 
