Apache Solr Unauthorized Upload Vulnerability (CVE-2020-13957)
Oct 14, 2020 GMT+08:00
Apache Solr has released an official security notice disclosing an unauthorized upload vulnerability (CVE-2020-13957) in the ConfigSet API of specific Solr versions. Attackers can exploit this vulnerability to achieve remote code execution.
If you are an Apache Solr user, check your versions and implement timely security hardening.
(Severity: low, moderate, important, and critical)
III. Affected Products
Apache Solr 6.6.0 to 6.6.5
Apache Solr 7.0.0 to 7.7.3
Apache Solr 8.0.0 to 8.6.2
Unaffected Products
Apache Solr 8.6.3 and later
IV. Vulnerability Handling
Affected users can take any of the following measures to prevent this vulnerability:
1. If the ConfigSets API is not used, disable the UPLOAD command by setting the system property configset.upload.enabled to false.
2. Use authentication/authorization and make sure requests from unknown users are rejected.
3. Upgrade to Solr 8.6.3 or a later version.
4. If upgrading is not an option, consider applying the patch in SOLR-14663.
5. Configure your firewall so that only trusted IP addresses and people are allowed to access the Solr API (including the Admin UI).
Note: Before fixing vulnerabilities, back up your files and test the changes thoroughly.
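As an added defender-side check (example code, not part of this advisory or of Apache Solr), the script below compares a node's reported version against the affected ranges listed above and checks whether measure 1 (configset.upload.enabled=false) is in place. It assumes the JSON responses of the Admin API endpoints /solr/admin/info/system and /solr/admin/info/properties have already been fetched; the sample responses embedded here are constructed for the example.

```python
"""Offline triage of one Solr node against CVE-2020-13957 (added example)."""
import re

# Affected version ranges taken from the advisory (inclusive bounds).
AFFECTED_RANGES = [((6, 6, 0), (6, 6, 5)),
                   ((7, 0, 0), (7, 7, 3)),
                   ((8, 0, 0), (8, 6, 2))]


def parse_version(spec):
    """'8.6.2' or '8.6.2-SNAPSHOT' -> (8, 6, 2); rejects unexpected formats."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", spec)
    if not m:
        raise ValueError(f"unrecognised Solr version string: {spec!r}")
    return tuple(int(x) for x in m.groups())


def is_affected_version(spec):
    v = parse_version(spec)
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


def upload_disabled(properties):
    """True only when configset.upload.enabled is explicitly set to 'false'."""
    return properties.get("configset.upload.enabled", "true").strip().lower() == "false"


def assess(system_info, properties_info):
    """Return (vulnerable, reasons): vulnerable when the version is affected
    and the ConfigSets UPLOAD command has not been disabled."""
    spec = system_info["lucene"]["solr-spec-version"]
    props = properties_info.get("system.properties", {})
    if not is_affected_version(spec):
        return False, [f"version {spec} is not in an affected range"]
    reasons = [f"version {spec} is in an affected range"]
    if upload_disabled(props):
        reasons.append("configset.upload.enabled=false disables the UPLOAD command")
        return False, reasons
    reasons.append("ConfigSets UPLOAD command is still enabled (measure 1 not applied)")
    return True, reasons


# Constructed sample responses (not captured from a real server).
SAMPLE_SYSTEM = {"lucene": {"solr-spec-version": "8.6.2"}}
SAMPLE_PROPS_DEFAULT = {"system.properties": {"solr.solr.home": "/var/solr/data"}}
SAMPLE_PROPS_HARDENED = {"system.properties": {"configset.upload.enabled": "false"}}

if __name__ == "__main__":
    for label, props in (("default", SAMPLE_PROPS_DEFAULT), ("hardened", SAMPLE_PROPS_HARDENED)):
        vulnerable, why = assess(SAMPLE_SYSTEM, props)
        print(label, "VULNERABLE" if vulnerable else "ok", "-", "; ".join(why))
```

The check covers only the version and measure 1; authentication (measure 2) and network restrictions (measure 5) still have to be verified separately.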