Service Notices
Apache Solr Unauthorized Upload Vulnerability (CVE-2020-13957)
Oct 14, 2020 GMT+08:00
I. Overview
Apache Solr has released an official security notice disclosing an unauthorized upload vulnerability (CVE-2020-13957) in the ConfigSets API of specific Solr versions. An attacker who can reach the API can exploit this vulnerability to achieve remote code execution.
If you are an Apache Solr user, check your version and apply security hardening promptly.
References:
https://www.mail-archive.com/announce@apache.org/msg06149.html
II. Severity
Severity: important
(Severity scale: low, moderate, important, critical)
III. Affected Products
Affected versions:
Apache Solr 6.6.0 to 6.6.5
Apache Solr 7.0.0 to 7.7.3
Apache Solr 8.0.0 to 8.6.2
Secure versions:
Apache Solr 8.6.3 and later
IV. Vulnerability Handling
Affected users can take any of the following measures to mitigate this vulnerability:
1. If the ConfigSets API is not used, disable the UPLOAD command by setting the Java system property configset.upload.enabled to false.
Reference: https://lucene.apache.org/solr/guide/8_6/configsets-api.html
2. Enable authentication and authorization, and make sure requests from unauthenticated or unknown users are rejected.
Reference: https://lucene.apache.org/solr/guide/8_6/authentication-and-authorization-plugins.html
3. Upgrade to Solr 8.6.3 or a later version.
4. If upgrading is not an option, consider applying the patch in SOLR-14663.
Reference: https://issues.apache.org/jira/browse/SOLR-14663
5. Restrict access at the firewall so that only trusted IP addresses and users can reach the Solr API (including the Admin UI).
Note: Before applying any fix, back up your data and test the change thoroughly.
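The following is an added triage helper, not part of this notice or of the Apache Solr project. It encodes the affected version ranges listed above and checks whether a node's JVM arguments carry the `-Dconfigset.upload.enabled=false` mitigation from measure 1, so an operator can classify an inventory of nodes offline. The inputs (version strings and JVM argument lists) are constructed samples; how you collect them from real nodes (for example from the node's start script or its admin system-info endpoint) is left to your environment and is an assumption of this example.

```python
"""Offline triage helper for CVE-2020-13957 (Apache Solr ConfigSets UPLOAD).

Given a Solr version string and the JVM command-line arguments the node was
started with, report whether the version falls in the advisory's affected
ranges and whether the UPLOAD command has been disabled via the
configset.upload.enabled system property (mitigation 1 above).
"""
import re

# Affected ranges exactly as listed in the advisory: (lowest, highest), inclusive.
AFFECTED_RANGES = [
    ((6, 6, 0), (6, 6, 5)),
    ((7, 0, 0), (7, 7, 3)),
    ((8, 0, 0), (8, 6, 2)),
]


def parse_version(text):
    """Return (major, minor, patch) from strings such as '8.6.2' or '8.6.2-SNAPSHOT'."""
    m = re.match(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised Solr version: {text!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def is_affected_version(version):
    """True if the version lies inside any range the advisory lists as affected."""
    v = parse_version(version)
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


def upload_disabled(jvm_args):
    """True only if the node was started with -Dconfigset.upload.enabled=false.

    Assumption: when the property is absent, Solr keeps UPLOAD enabled, which is
    why the advisory asks you to set it explicitly.
    """
    for arg in jvm_args:
        m = re.match(r"^-Dconfigset\.upload\.enabled=(\w+)$", arg)
        if m:
            return m.group(1).lower() == "false"
    return False


def assess(version, jvm_args):
    """Combine both checks into a one-line verdict for an inventory report."""
    if not is_affected_version(version):
        return "not affected (version outside advisory ranges)"
    if upload_disabled(jvm_args):
        return "affected version, UPLOAD disabled by system property (mitigated; still upgrade)"
    return "affected version, UPLOAD enabled: apply a mitigation or upgrade"


# Constructed sample inventory (hypothetical node names and arguments).
SAMPLE_NODES = {
    "solr-prod-1": ("8.6.2", ["-Xmx2g", "-Dsolr.log.dir=/var/solr/logs"]),
    "solr-prod-2": ("8.6.2", ["-Xmx2g", "-Dconfigset.upload.enabled=false"]),
    "solr-new-1": ("8.6.3", ["-Xmx2g"]),
    "solr-legacy": ("6.6.5-SNAPSHOT", []),
}


def report(nodes=SAMPLE_NODES):
    """Return {node: verdict} for every node in the inventory."""
    return {name: assess(ver, args) for name, (ver, args) in nodes.items()}


if __name__ == "__main__":
    for name, verdict in report().items():
        print(f"{name:12s} {verdict}")
```

Run it as a script to print one verdict per node; the functions can also be imported into a larger inventory script. Only the `configset.upload.enabled` property is checked here; nodes protected by measure 2 (authentication) or measure 5 (network restriction) will still show as "UPLOAD enabled", which is deliberate, because those controls live outside the JVM arguments.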