Short Name | HTTP:APACHE:SOLR-DATIMPORT-RCE
Severity | Critical
Recommended | Yes
Recommended Action | Drop
Category | HTTP
Keywords | Apache Solr DataImportHandler Remote Code Execution
Release Date | 2019/11/28
Update Number | 3228
Supported Platforms | idp-4.0+, isg-3.0+, j-series-9.5+, mx-11.4+, srx-12.1+, srx-branch-12.1+, vmx-17.4+, vsrx-12.1+, vsrx3bsd-18.2+
HTTP: Apache Solr DataImportHandler Remote Code Execution
This signature detects attempts to exploit a known vulnerability against Apache Solr. A successful attack can lead to arbitrary code execution.
Extended Description
In Apache Solr, the DataImportHandler, an optional but popular module to pull in data from databases and other sources, has a feature in which the whole DIH configuration can come from a request's "dataConfig" parameter. The debug mode of the DIH admin screen uses this to allow convenient debugging / development of a DIH config. Since a DIH config can contain scripts, this parameter is a security risk. Starting with version 8.2.0 of Solr, use of this parameter requires setting the Java System property "enable.dih.dataConfigParam" to true.
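To complement the inline signature, the following added example (not part of the original signature page or of Juniper's detection logic) reviews web access logs for requests that pass a "dataConfig" parameter to a DataImportHandler endpoint. The `/dataimport` handler path and the log lines are assumptions: the handler name is set in solrconfig.xml, and the sample log is constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access-log lines (common log format); not from a real system.
SAMPLE_LOG = """\
10.0.0.5 - - [28/Nov/2019:10:00:01 +0000] "GET /solr/core1/select?q=*:* HTTP/1.1" 200 512
10.0.0.9 - - [28/Nov/2019:10:00:07 +0000] "POST /solr/core1/dataimport?command=full-import&debug=true&dataConfig=%3CdataConfig%2F%3E HTTP/1.1" 200 913
10.0.0.5 - - [28/Nov/2019:10:00:09 +0000] "GET /solr/core1/dataimport?command=status HTTP/1.1" 200 301
10.0.0.7 - - [28/Nov/2019:10:00:12 +0000] "GET /solr/core2/dataimport?command=full-import&data%43onfig=%3CdataConfig%2F%3E HTTP/1.1" 200 120
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

def find_dataconfig_requests(log_text, handler_suffix="/dataimport"):
    """Return requests to a DIH handler that carry a dataConfig parameter.

    handler_suffix is an assumption (the conventional handler name); adjust
    it to match the requestHandler names defined in your solrconfig.xml.
    """
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        client, when, method, target, status = m.groups()
        url = urlsplit(target)
        path = unquote(url.path).rstrip("/")
        if not path.endswith(handler_suffix):
            continue
        # parse_qs percent-decodes parameter names, so an encoded spelling
        # of "dataConfig" is normalised before the comparison.
        params = parse_qs(url.query, keep_blank_values=True)
        if "dataConfig" in params:
            hits.append({
                "client": client,
                "time": when,
                "method": method,
                "path": path,
                "status": int(status),
                "debug": params.get("debug", [""])[0].lower() == "true",
            })
    return hits

if __name__ == "__main__":
    for hit in find_dataconfig_requests(SAMPLE_LOG):
        print(hit)
```

Access logs normally record only the query string, so a "dataConfig" value sent in a POST body will not appear here; that case needs inspection of the request body itself.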
Affected Products
- Apache solr 1.1.0
- Apache solr 1.2
- Apache solr 1.2.0
- Apache solr 1.3.0
- Apache solr 1.4.0
- Apache solr 1.4.1
- Apache solr 3.1
- Apache solr 3.1.0
- Apache solr 3.2
- Apache solr 3.2.0
- Apache solr 3.3
- Apache solr 3.3.0
- Apache solr 3.4.0
- Apache solr 3.5.0
- Apache solr 3.6.0
- Apache solr 3.6.1
- Apache solr 3.6.2
- Apache solr 4.0.0
- Apache solr 4.1.0
- Apache solr 4.10.0
- Apache solr 4.10.1
- Apache solr 4.10.2
- Apache solr 4.10.3
- Apache solr 4.10.4
- Apache solr 4.2.0
- Apache solr 4.2.1
- Apache solr 4.3.0
- Apache solr 4.3.1
- Apache solr 4.4.0
- Apache solr 4.5.0
- Apache solr 4.5.1
- Apache solr 4.6.0
- Apache solr 4.6.1
- Apache solr 4.7.0
- Apache solr 4.7.1
- Apache solr 4.7.2
- Apache solr 4.8.0
- Apache solr 4.8.1
- Apache solr 4.9.0
- Apache solr 4.9.1
- Apache solr 5.0
- Apache solr 5.0.0
- Apache solr 5.1
- Apache solr 5.1.0
- Apache solr 5.2.0
- Apache solr 5.2.1
- Apache solr 5.3
- Apache solr 5.3.0
- Apache solr 5.3.1
- Apache solr 5.3.2
- Apache solr 5.4.0
- Apache solr 5.4.1
- Apache solr 5.5.0
- Apache solr 5.5.1
- Apache solr 5.5.2
- Apache solr 5.5.3
- Apache solr 5.5.4
- Apache solr 5.5.5
- Apache solr 6.0.0
- Apache solr 6.0.1
- Apache solr 6.1.0
- Apache solr 6.2.0
- Apache solr 6.2.1
- Apache solr 6.3.0
- Apache solr 6.4.0
- Apache solr 6.4.1
- Apache solr 6.4.2
- Apache solr 6.5.0
- Apache solr 6.5.1
- Apache solr 6.6.0
- Apache solr 6.6.1
- Apache solr 6.6.2
- Apache solr 6.6.3
- Apache solr 6.6.4
- Apache solr 6.6.5
- Apache solr 6.6.6
- Apache solr 7.0.0
- Apache solr 7.0.1
- Apache solr 7.1.0
- Apache solr 7.2.0
- Apache solr 7.2.1
- Apache solr 7.3.0
- Apache solr 7.3.1
- Apache solr 7.4.0
- Apache solr 7.5.0
- Apache solr 7.6.0
- Apache solr 7.7.0
- Apache solr 7.7.1
- Apache solr 7.7.2
- Apache solr 8.0.0
- Apache solr 8.1.0
- Apache solr 8.1.1