What is the Apache Solr vulnerability

An error in the code of the Apache Solr search engine that opened access to port 8983 turned out to be more dangerous than previously thought. Over the past month, two PoC exploits have appeared on the Internet that allow not only reading system monitoring data, but also remotely executing malicious code on the target server. The developers recommend that users disable the vulnerable function in the program settings as soon as possible.

The problem, which became known in August, lies in the ENABLE_REMOTE_JMX_OPTS service, designed to monitor Java Management Extensions, an embedded technology for controlling devices, applications and system objects. As information security specialists found out in the summer of 2019, this function, with default settings, allows unauthorized access to TCP/UDP port 8983, which Apache Solr uses to transfer data.

Initially, the developers believed that the bug did not lead to the compromise of the program, since it only gave access to information that is useless to cybercriminals. However, they had to reconsider their position after the publication of two PoCs demonstrating the execution of third-party code using this flaw.

Cybercriminals got a tool to attack Apache Solr
The first exploit appeared on GitHub on October 30 this year and demonstrated remote activation of the Apache Velocity templating engine, which ultimately gave an attacker the ability to run their script on the Solr server. The second PoC, developed by a Hong Kong-based programmer, builds on the original concept, making it easier to carry out an attack. The sources of the malicious script were posted on the Internet on November 13, 2019.

The monitoring system ENABLE_REMOTE_JMX_OPTS is enabled by default in the solr.in.sh configuration file, so thousands of web resources using the search engine are at risk of hacking. After the emergence of PoC exploits, the vulnerability was assigned the identifier CVE-2019-12409, and the Apache Solr developers issued the corresponding security bulletin. The creators of the system recommend disabling the problematic function, as well as using a firewall to protect port 8983.

Previously, RCE bugs in Apache Solr were already exploited by attackers who installed miners on vulnerable servers. Information security specialists warn that after the publication of exploits, a wave of attacks on resources using this search engine can be expected.
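
The recommendation to disable the function can be verified on each host. The following is an added example, not part of the original post or of Apache's tooling: a shell function that reads a solr.in.sh-style file and reports whether ENABLE_REMOTE_JMX_OPTS is left on. The function name and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a solr.in.sh-style file for ENABLE_REMOTE_JMX_OPTS.
# Prints one of: enabled, disabled, unset, unreadable.

jmx_opts_state() {
    file=$1
    if [ ! -r "$file" ]; then
        echo "unreadable"
        return 0
    fi
    # Uncommented assignments only; the last one wins, as it does when a
    # shell sources the file top to bottom.
    line=$(grep -E '^[[:space:]]*(export[[:space:]]+)?ENABLE_REMOTE_JMX_OPTS=' "$file" | tail -n 1) || true
    if [ -z "$line" ]; then
        echo "unset"
        return 0
    fi
    value=${line#*=}      # text after the first '='
    value=${value%%#*}    # drop a trailing comment
    # Strip quotes and whitespace. Assumption: any casing of "true" is
    # reported as enabled, so the audit errs on the cautious side.
    value=$(printf '%s' "$value" | tr -d "\"' \t\r" | tr 'A-Z' 'a-z')
    if [ "$value" = "true" ]; then
        echo "enabled"
    else
        echo "disabled"
    fi
}

# Constructed sample input: a commented-out line, then two live assignments.
sample=$(mktemp)
cat > "$sample" <<'EOF'
#ENABLE_REMOTE_JMX_OPTS="false"
ENABLE_REMOTE_JMX_OPTS="false"
  export ENABLE_REMOTE_JMX_OPTS="true"   # re-enabled further down the file
EOF
echo "sample: $(jmx_opts_state "$sample")"   # the last live assignment decides
rm -f "$sample"
```

A result of `unset` only means the file does not assign the variable; the check does not evaluate what the start script does in that case.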
 