Apache Solr Deserialization of untrusted data via jmx.serviceUrl - Vulnerability Database

Apache Solr Deserialization of untrusted data via jmx.serviceUrl

Description

Apache Solr versions 5.0.0 to 5.5.5 and 6.0.0 to 6.6.5 (CVE-2019-0192) contain an insecure deserialization vulnerability that is reachable through the ConfigAPI. An attacker who can send HTTP requests to a core's ConfigAPI can set the jmx.serviceUrl property to a JMX service URL that points at an attacker-controlled RMI server. When Solr connects to that server to set up its JMX connector, the malicious server replies with a serialized Java object carrying a 'gadget chain' payload. Solr deserializes this untrusted data with Java's ObjectInputStream without validating the incoming class stream, so the chain runs arbitrary code with the privileges of the Solr process. Payloads can be generated with publicly available tools such as ysoserial; a gadget chain only needs a suitable library to be present on Solr's classpath. Because the trigger is an ordinary ConfigAPI request, a Solr instance whose HTTP interface is reachable without authentication is exploitable by anyone who can reach it.

Remediation

Apply one or more of the following mitigations to remediate this vulnerability:

  • Upgrade Apache Solr: Update to Apache Solr version 7.0.0 or later, which addresses this vulnerability. This is the recommended long-term solution.
  • Disable the ConfigAPI: If runtime configuration edits are not required for your deployment, start Solr with the system property:
    -Ddisable.configEdit=true
    This prevents attackers from setting the jmx.serviceUrl property through the ConfigAPI. It does not remove a value that has already been stored, so also review each core's persisted config overlay for a jmx.serviceUrl you did not set yourself and treat an unexpected one as a sign of compromise.
  • Apply Security Patch: If upgrading is not immediately feasible, apply the official patch available at https://issues.apache.org/jira/browse/SOLR-13301 and recompile Solr from source.
  • Network Segmentation: Implement network-level controls to restrict access to Solr instances. Use firewalls, security groups, or network ACLs to ensure only trusted sources can communicate with Solr endpoints. This serves as a defense-in-depth measure but should not be considered a complete fix.
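The following script is an added example, not code from the Invicti page or the Apache Solr project. It ties the remediation checklist together as an offline audit: it compares a Solr version against the affected ranges stated above, checks whether disable.configEdit is set, and searches a core's configuration document for any JMX service URL that points at a host other than the local machine (an attacker-planted jmx.serviceUrl would look exactly like that). The three SAMPLE_* documents are constructed and merely shaped like the JSON that /solr/admin/info/system, /solr/admin/info/properties and /solr/<core>/config return; the exact nesting of the config document is not assumed, because the search walks the whole structure. The set of hosts treated as local, and the documentation address 203.0.113.10 used as the "attacker" host, are assumptions for the example.

```python
"""Offline audit for the Apache Solr jmx.serviceUrl deserialization issue.

SAMPLE_* below are CONSTRUCTED documents shaped like the JSON returned by
/solr/admin/info/system, /solr/admin/info/properties and /solr/<core>/config.
In a real audit, fetch those endpoints over HTTP and pass the parsed JSON in.
"""
import re

# Affected ranges from the advisory: 5.0.0 to 5.5.5 and 6.0.0 to 6.6.5 inclusive.
VULNERABLE_RANGES = (((5, 0, 0), (5, 5, 5)), ((6, 0, 0), (6, 6, 5)))

# Assumption: a JMX service URL may legitimately point only at the local host.
LOCAL_HOSTS = {"localhost", "127.0.0.1"}


def parse_version(text):
    """'6.6.5' -> (6, 6, 5); tolerates suffixes such as '7.0.0-SNAPSHOT'."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError("unrecognised Solr version: %r" % text)
    return tuple(int(x or 0) for x in m.groups())


def is_vulnerable_version(text):
    """True when the version falls inside one of the affected ranges."""
    v = parse_version(text)
    return any(lo <= v <= hi for lo, hi in VULNERABLE_RANGES)


def find_jmx_urls(node):
    """Walk any nested JSON structure and collect every string that looks like
    a JMX service URL, so the check does not depend on the config layout."""
    found = []
    if isinstance(node, str):
        if node.startswith("service:jmx:"):
            found.append(node)
    elif isinstance(node, dict):
        for value in node.values():
            found.extend(find_jmx_urls(value))
    elif isinstance(node, list):
        for value in node:
            found.extend(find_jmx_urls(value))
    return found


def jmx_target_host(service_url):
    """Host of the RMI registry in a URL such as
    service:jmx:rmi:///jndi/rmi://203.0.113.10:1099/jmxrmi; None if absent.
    The first 'rmi://' in that form is followed by '/', so the regex skips it
    and captures the registry host from the second one."""
    m = re.search(r"rmi://([^/:]+)", service_url)
    return m.group(1) if m else None


def audit_solr(system_info, properties, config):
    """Return human-readable findings for one instance (empty list = clean)."""
    findings = []
    version = system_info["lucene"]["solr-spec-version"]
    if is_vulnerable_version(version):
        findings.append("Solr %s is in an affected range; upgrade to 7.0 or later" % version)
        if properties.get("disable.configEdit") != "true":
            findings.append("ConfigAPI edits are enabled; start Solr with -Ddisable.configEdit=true")
    for url in find_jmx_urls(config):
        host = jmx_target_host(url)
        if host is not None and host not in LOCAL_HOSTS:
            findings.append("jmx.serviceUrl points at external host %s (%s); "
                            "treat as possible exploitation and remove it" % (host, url))
    return findings


# Constructed sample responses: an affected 6.6.5 node, ConfigAPI edits still
# enabled, and a config document carrying an attacker-style JMX service URL.
SAMPLE_SYSTEM = {"lucene": {"solr-spec-version": "6.6.5", "lucene-spec-version": "6.6.5"}}
SAMPLE_PROPERTIES = {"java.version": "1.8.0_181", "solr.solr.home": "/var/solr/data"}
SAMPLE_CONFIG = {
    "config": {
        "jmx": {"serviceUrl": "service:jmx:rmi:///jndi/rmi://203.0.113.10:1099/jmxrmi"},
        "requestHandler": {"/select": {"class": "solr.SearchHandler"}},
    }
}

if __name__ == "__main__":
    for finding in audit_solr(SAMPLE_SYSTEM, SAMPLE_PROPERTIES, SAMPLE_CONFIG):
        print("FINDING:", finding)
```

Run against the sample documents, the audit reports three findings: the affected version, the missing disable.configEdit property, and the JMX URL pointing at 203.0.113.10. A 7.x node with no JMX URL produces no findings, and an affected node that has editing disabled and a localhost-only JMX URL reports only the version, which is the one item only an upgrade resolves.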
