Overview
Apache Lucene is a high-performance, full-text search library written in Java that provides powerful indexing and search capabilities. It is widely used for building search engines and applications that require efficient text retrieval, offering features like ranked searching, phrase queries, and filtering. Lucene enables developers to create scalable and customizable search solutions by indexing structured and unstructured data. It serves as the core search technology for popular search platforms like Elasticsearch and Apache Solr, making it a foundational tool for modern search applications.
A Remote Code Execution (RCE) vulnerability (CVE-2024-45772) has been identified in the Apache Lucene Replicator. The affected code deserializes untrusted data supplied by a remote party, which is what makes code execution possible.
Per the Open Web Application Security Project (OWASP): "Code Injection occurs when untrusted data is sent to an interpreter as part of a command or query. The attacker's hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization."
This issue affects multiple versions below 9.12.0.
Details
Module Info
- Product: Apache Lucene
- Affected packages: lucene-replicator
- Affected versions: >=4.4.0 <9.12.0
- GitHub repository: https://github.com/apache/lucene
- Published packages: https://central.sonatype.com/artifact/org.apache.lucene/lucene-replicator
- Package manager: Maven
- Fixed in: NES for Lucene v8.11.5
Vulnerability Info
The Apache Lucene Replicator module has a Deserialization of Untrusted Data vulnerability affecting versions 4.4.0 through 9.11.x. Specifically, the deprecated org.apache.lucene.replicator.http package is vulnerable, while the org.apache.lucene.replicator.nrt package remains unaffected.
To resolve this issue, users should upgrade to version 9.12.0, which includes a fix. The vulnerability can only be exploited if users deploy a network-accessible implementation of the affected API together with a client that uses an HTTP library to talk to it (for example, a custom servlet and HTTPClient).
Credit
- streichsbaer
Mitigation
Apache Lucene versions 8.11.4 and below are no longer community-supported, so the community releases will not receive an update that addresses this issue.
Users of the affected components should apply one of the following mitigations:
- Upgrade Apache Lucene to 9.12.0, or add the -Djdk.serialFilter='!*' option to the JVM so that it rejects every class during Java deserialization.
- Leverage a commercial support partner like HeroDevs for post-EOL security support.
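The JVM filter named in the first mitigation, as an added example that is not part of this advisory or of Lucene: the same reject-all pattern applied programmatically through java.io.ObjectInputFilter (JDK 9 and later) against a constructed, harmless payload, to show that deserialization is refused. The class and method names are my own.

```java
import java.io.*;
import java.util.ArrayList;
import java.util.List;

// Added example (not Lucene code): demonstrates what -Djdk.serialFilter='!*'
// does by applying the same filter pattern on a single ObjectInputStream.
public class SerialFilterDemo {

    // Serialize an object into a byte array (constructed sample payload).
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // Deserialize with an optional filter; null means unfiltered.
    static Object deserialize(byte[] data, ObjectInputFilter filter)
            throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            if (filter != null) {
                ois.setObjectInputFilter(filter);
            }
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed, harmless sample: a list of document ids.
        byte[] data = serialize(new ArrayList<>(List.of("doc1", "doc2")));

        // Unfiltered: any serializable class on the classpath may be instantiated
        // from attacker-controlled bytes. This is the risky default.
        System.out.println("no filter:   " + deserialize(data, null));

        // Reject-all filter, the same pattern as -Djdk.serialFilter='!*'.
        ObjectInputFilter rejectAll = ObjectInputFilter.Config.createFilter("!*");
        try {
            deserialize(data, rejectAll);
            System.out.println("'!*' filter: unexpectedly accepted");
        } catch (InvalidClassException e) {
            // readObject() fails before any class from the stream is resolved.
            System.out.println("'!*' filter: rejected (" + e.getMessage() + ")");
        }
    }
}
```

The jdk.serialFilter system property applies to every ObjectInputStream in the process, so '!*' also breaks any legitimate Java serialization the application still relies on; an allow-list pattern that names the expected classes and ends in '!*' is the usual narrower alternative.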