From: Jan Høydahl
Subject: CVE-2019-12409: Apache Solr RCE vulnerability due to bad config default
Message-Id: <93CFC83C-E163-4AE8-BD73-E746140A6A0F@cominvent.com>
Date: Mon, 18 Nov 2019 14:07:13 +0100
To: general@lucene.apache.org, solr-user

CVE-2019-12409: Apache Solr RCE vulnerability due to bad config default

Severity: High

Vendor:
The Apache Software Foundation

Versions Affected:
Solr 8.1.1 and 8.2.0 for Linux

Description:
The 8.1.1 and 8.2.0 releases of Apache Solr contain an insecure setting for the ENABLE_REMOTE_JMX_OPTS configuration option in the default solr.in.sh configuration file shipping with Solr. Windows users are not affected.

If you use the default solr.in.sh file from the affected releases, then JMX monitoring will be enabled and exposed on RMI_PORT (default=18983), without any authentication. If this port is opened for inbound traffic in your firewall, then anyone with network access to your Solr nodes will be able to access JMX, which may in turn allow them to upload malicious code for execution on the Solr server.

The vulnerability is already public [1] and mitigation steps were announced on project mailing lists and news page [3] on August 14th, without mentioning RCE at that time.

Mitigation:
Make sure your effective solr.in.sh file has ENABLE_REMOTE_JMX_OPTS set to 'false' on every Solr node and then restart Solr. Note that the effective solr.in.sh file may reside in /etc/defaults/ or another location depending on the install.
You can then validate that the 'com.sun.management.jmxremote*' family of properties are not listed in the "Java Properties" section of the Solr Admin UI, or configured in a secure way.

There is no need to upgrade or update any code.

Remember to follow the Solr Documentation's advice to never expose Solr nodes directly in a hostile network environment.

Credit:
Matei "Mal" Badanoiu
Solr JIRA user 'jnyryan' (John)

References:
[1] https://issues.apache.org/jira/browse/SOLR-13647
[3] https://lucene.apache.org/solr/news.html

--
Jan Høydahl, Lucene PMC member
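
The mitigation check from the advisory above, as an added shell example that is not part of the original message or of Solr's own tooling: it reads the effective ENABLE_REMOTE_JMX_OPTS and RMI_PORT values from a solr.in.sh without sourcing it, and filters a JVM command line for the com.sun.management.jmxremote* properties. The function names, the sample files, the port value 28983 and the use of process arguments in place of the Admin UI view are assumptions made for this example.

```shell
#!/bin/sh
# Added example: audit solr.in.sh for the CVE-2019-12409 setting without sourcing it.

# Print the effective value of variable $1 in file $2: the last uncommented
# assignment wins, as when the file is sourced. Prints "unset" if there is none.
effective_value() {
  v=$(sed -n -E "s/^[[:space:]]*(export[[:space:]]+)?$1=//p" "$2" 2>/dev/null |
      tail -n 1 | sed -E 's/[[:space:]]*#.*$//' | tr -d "\"'[:space:]")
  printf '%s\n' "${v:-unset}"
}

# Return 0 only when ENABLE_REMOTE_JMX_OPTS is explicitly false, the state the
# advisory asks for. RMI_PORT falls back to 18983, the default the advisory names.
audit_solr_in_sh() {
  jmx=$(effective_value ENABLE_REMOTE_JMX_OPTS "$1")
  port=$(effective_value RMI_PORT "$1")
  if [ "$port" = unset ]; then port=18983; fi
  if [ "$jmx" = false ]; then
    echo "OK   $1: ENABLE_REMOTE_JMX_OPTS=false"
    return 0
  fi
  echo "FIX  $1: ENABLE_REMOTE_JMX_OPTS=$jmx, review inbound access to port $port"
  return 1
}

# Print the com.sun.management.jmxremote* properties in a JVM command line ($1),
# e.g. the java process arguments reported by ps on a running node.
jmx_props() {
  printf '%s\n' "$1" | tr ' ' '\n' | grep -E '^-Dcom\.sun\.management\.jmxremote' || true
}

# Constructed sample files, not copied from a real install.
make_samples() {
  printf '%s\n' '#ENABLE_REMOTE_JMX_OPTS="false"' 'ENABLE_REMOTE_JMX_OPTS="true"' \
    '#RMI_PORT=18983' > "$1/exposed.in.sh"
  printf '%s\n' 'ENABLE_REMOTE_JMX_OPTS="true"' \
    'ENABLE_REMOTE_JMX_OPTS="false"  # hardened' 'RMI_PORT=28983' > "$1/fixed.in.sh"
}

# With file arguments, audit each one; with none, audit the constructed samples.
if [ "$#" -eq 0 ]; then
  tmp=$(mktemp -d); make_samples "$tmp"; set -- "$tmp"/*.in.sh
fi
for f in "$@"; do audit_solr_in_sh "$f" || true; done
if [ -n "${tmp:-}" ]; then rm -rf "$tmp"; fi
```

Pass the path of each node's effective solr.in.sh as an argument; a file with no assignment at all is reported as `unset` and flagged, since the advisory asks for an explicit 'false'.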