lucene-general mailing list archives

From Erik Hatcher <>
Subject [CVE-2019-17558] Apache Solr RCE through VelocityResponseWriter
Date Mon, 30 Dec 2019 13:13:38 GMT
[CVE-2019-17558] Apache Solr RCE through VelocityResponseWriter

Severity: High

Vendor: The Apache Software Foundation

Versions Affected: 5.0.0 to 8.3.1

The affected versions are vulnerable to Remote Code Execution through the
VelocityResponseWriter.  A Velocity template can be supplied either from the
`velocity/` directory of a configset or as a request parameter.  A
user-defined configset could contain renderable, potentially malicious,
templates.  Parameter-provided templates are disabled by default, but can be
enabled by defining a response writer with `params.resource.loader.enabled`
set to `true`.  Defining a response writer requires configuration API access.

Solr 8.4 removed the params resource loader entirely, and only enables the
configset-provided template rendering when the configset is `trusted` (has
been uploaded by an authenticated user).

Mitigation: Ensure your network settings are configured so that only trusted
traffic communicates with Solr, especially to the configuration APIs.
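As an added example (not part of the advisory and not Apache Solr code), the following Python script audits a deployment against the two facts the advisory states: the affected version range (5.0.0 to 8.3.1) and the risky `params.resource.loader.enabled` setting on a VelocityResponseWriter definition. It parses a constructed `solrconfig.xml` fragment; the `queryResponseWriter` element, the `solr.VelocityResponseWriter` class name and the `${property:default}` substitution syntax are assumptions about Solr's configuration format, not taken from the advisory text.

```python
"""Defensive audit helper for CVE-2019-17558 (constructed example, not Apache code).

Checks a Solr version string against the advisory's affected range and scans a
solrconfig.xml for VelocityResponseWriter definitions that enable the
parameter-provided template loader (`params.resource.loader.enabled`).
"""
import re
import xml.etree.ElementTree as ET

# Affected range stated in the advisory: 5.0.0 to 8.3.1 (inclusive).
AFFECTED_MIN = (5, 0, 0)
AFFECTED_MAX = (8, 3, 1)

# Solr-style property substitution ${name:default}; the exact regex is an
# assumption of this example, not something the advisory specifies.
_PROP_RE = re.compile(r"^\$\{(?P<name>[^:}]+)(?::(?P<default>[^}]*))?\}$")

# Constructed sample config: one writer relies on a property defaulting to
# false, one hard-codes the risky setting, one is unrelated.
SAMPLE_SOLRCONFIG = """<?xml version="1.0"?>
<config>
  <queryResponseWriter name="velocity" class="solr.VelocityResponseWriter" startup="lazy">
    <str name="template.base.dir">${velocity.template.base.dir:}</str>
    <str name="params.resource.loader.enabled">${velocity.params.resource.loader.enabled:false}</str>
  </queryResponseWriter>
  <queryResponseWriter name="velocity-params" class="solr.VelocityResponseWriter">
    <str name="params.resource.loader.enabled">true</str>
  </queryResponseWriter>
  <queryResponseWriter name="json" class="solr.JSONResponseWriter"/>
</config>
"""


def parse_version(text):
    """Turn '8.3.1' into (8, 3, 1); missing components default to 0."""
    parts = [int(p) for p in re.findall(r"\d+", text)[:3]]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def is_affected_version(text):
    """True when the version falls inside the advisory's affected range."""
    return AFFECTED_MIN <= parse_version(text) <= AFFECTED_MAX


def resolve(value, system_props):
    """Resolve a '${prop:default}' value against supplied system properties."""
    m = _PROP_RE.match(value.strip())
    if not m:
        return value.strip()
    return system_props.get(m.group("name"), m.group("default") or "")


def find_velocity_writers(solrconfig_xml, system_props=None):
    """Return one finding per Velocity response writer in the config.

    Each finding records the writer name and whether the parameter resource
    loader resolves to true, which is the setting the advisory calls out.
    """
    system_props = system_props or {}
    root = ET.fromstring(solrconfig_xml)
    findings = []
    for writer in root.iter("queryResponseWriter"):
        if "VelocityResponseWriter" not in writer.get("class", ""):
            continue
        params_enabled = False
        for child in writer.findall("str"):
            if child.get("name") == "params.resource.loader.enabled":
                params_enabled = resolve(child.text or "", system_props).lower() == "true"
        findings.append({"name": writer.get("name"), "params_loader_enabled": params_enabled})
    return findings


def audit(solr_version, solrconfig_xml, system_props=None):
    """Summarise exposure: affected version plus writers with the params loader on."""
    risky = [f["name"] for f in find_velocity_writers(solrconfig_xml, system_props)
             if f["params_loader_enabled"]]
    return {"affected_version": is_affected_version(solr_version),
            "params_loader_writers": risky}


if __name__ == "__main__":
    # Constructed run: an 8.3.1 instance with the sample config and no overrides.
    print(audit("8.3.1", SAMPLE_SOLRCONFIG))
```

Because Solr resolves `${property:default}` at startup, pass the JVM system properties actually used by the instance as `system_props`; a writer whose setting defaults to `false` in the file can still be switched on by a property override, so the audit reports it only when the resolved value is `true`.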

Credits: GitHub user `s00py`
