Solr isn’t meant to be public facing. Not sure how anyone would send these
commands since it can’t be reached from the outside world.

> On Nov 12, 2020, at 7:12 AM, Sheikh, Wasim A. 
> <wasim.a.she...@accenture.com.invalid> wrote:
> 
> Hi Team,
> 
> Currently we are facing the below vulnerability for the Apache Solr tool. Can
> you please check the below details and help us fix this issue.
> 
> /etc/init.d/solr-master version
> 
> Server version: Apache Tomcat/7.0.62
> Server built: May 7 2015 17:14:55 UTC
> Server number: 7.0.62.0
> OS Name: Linux
> OS Version: 2.6.32-431.29.2.el6.x86_64
> Architecture: amd64
> JVM Version: 1.8.0_20-b26
> JVM Vendor: Oracle Corporation
> 
> 
> "solr-spec-version":"4.10.4",
> 
> Solr is an enterprise search platform.
> 
> Solr is prone to a remote code execution vulnerability.
> 
> Affected Versions:
> Apache Solr versions prior to 6.6.2 and prior to 7.1.0
> 
> QID Detection Logic (Unauthenticated):
> This QID sends a specifically crafted request which includes special entities in
> the XML document and looks for the vulnerable response.
> Alternatively, in another check, this QID matches vulnerable versions in the
> response webpage.
> Successful exploitation allows an attacker to execute arbitrary code.
> The vendor has issued updated packages to fix this vulnerability.
> 
> For more information about the vulnerability and obtaining patches, refer to the
> following Fedora security advisories: Apache Solr 6.6.2
> (https://lucene.apache.org/solr/news.html). For more information regarding the
> update, see Apache Solr 7.1.0 (https://lucene.apache.org/solr/news.html).
> 
> Patch:
> Following are links for downloading patches to fix the vulnerabilities:
> Apache Solr 6.6.2: https://lucene.apache.org/solr/news.html
> Apache Solr 7.1.0: https://lucene.apache.org/solr/news.html
> 
> Thanks...
> Wasim Shaikh
> 
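A small triage helper for the scanner finding quoted above, added here as an example that is not part of the thread or of the Solr project: it reads the solr-spec-version field shown in the report and maps it onto the fixed releases the advisory names (6.6.2 for the 6.x line, 7.1.0 for the 7.x line). The nested JSON layout of Solr's /solr/admin/info/system response and the sample input are assumptions.

```python
import json
import re

# Fixed releases named in the advisory text quoted above: the 6.x line is
# fixed from 6.6.2 and the 7.x line from 7.1.0. Anything older than 6.x
# (such as the 4.10.4 in the report) predates both fixes.
FIXED_6X = (6, 6, 2)
FIXED_7X = (7, 1, 0)

# Constructed sample input. The nested "lucene" layout is an assumption
# about Solr's /solr/admin/info/system JSON; the report above shows only
# the bare "solr-spec-version":"4.10.4" fragment.
SAMPLE_SYSTEM_INFO = (
    '{"lucene":{"solr-spec-version":"4.10.4",'
    '"lucene-spec-version":"4.10.4"}}'
)


def parse_version(text):
    """Turn '6.6.1' or '7.1.0-SNAPSHOT' into a comparable int tuple."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised Solr version string: {text!r}")
    return tuple(int(part or 0) for part in m.groups())


def extract_spec_version(system_info_json):
    """Read solr-spec-version, accepting the nested or top-level form."""
    data = json.loads(system_info_json)
    return data.get("lucene", data)["solr-spec-version"]


def fixed_release_for(version):
    """Return the release to upgrade to if `version` is 'prior to 6.6.2
    and prior to 7.1.0' per the advisory, otherwise None."""
    major = version[0]
    if major >= 8:          # newer than either fixed line
        return None
    if major == 7:
        return "7.1.0" if version < FIXED_7X else None
    return "6.6.2" if version < FIXED_6X else None   # 6.x and older


def triage(system_info_json):
    """Map a system-info document onto a triage verdict for this finding."""
    spec = extract_spec_version(system_info_json)
    upgrade = fixed_release_for(parse_version(spec))
    return {"version": spec, "affected": upgrade is not None,
            "upgrade_to": upgrade}
```

The verdict covers only the version half of the finding; whether the instance is actually reachable from outside, the point raised in the reply, still has to be checked separately.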