Overview
Apache Solr is an open-source search platform built on Apache Lucene, designed for scalable, high-performance search and indexing. It supports full-text search, faceted search, real-time indexing, distributed searching, and high availability. Solr is widely used in applications requiring fast and efficient search capabilities, such as e-commerce, enterprise search, and log analytics.
A Path Traversal vulnerability (CVE-2024-52012) has been identified in the FileSystemConfigSetService. This vulnerability allows attackers to write data to unanticipated parts of the filesystem.
Per the Open Web Application Security Project (OWASP): "A path traversal attack (also known as directory traversal) aims to access files and directories that are stored outside the web root folder by manipulating variables that reference files with 'dot-dot-slash (../)' sequences or absolute file paths, potentially exposing sensitive data such as application source code, configuration files, or critical system files."
This issue affects versions from 9.0.0 up to 9.7.0.
Details
Module Info
- Product: Apache Solr
- Affected packages: solr-core
- Affected versions: <=9.0.0 <9.8.0
- GitHub repository: https://github.com/apache/solr
- Published packages: https://central.sonatype.com/artifact/org.apache.solr/solr-core
- Package manager: Maven
- Fixed in: Solr 9.8.0
Vulnerability Info
Apache Solr instances running on Windows are vulnerable to arbitrary file write attacks due to insufficient input validation in the configset upload API. This vulnerability, commonly referred to as ZipSlip, arises when maliciously crafted ZIP archives containing relative file paths (../ sequences) are uploaded. Because Solr does not properly sanitize these paths, an attacker can manipulate the extracted file locations, potentially writing files outside the intended directory.
If exploited, this vulnerability can allow attackers to overwrite critical system files or drop malicious files in unintended locations, potentially leading to privilege escalation, remote code execution (RCE), or full system compromise. By modifying configuration files, deploying web shells, or tampering with authentication mechanisms, an attacker could gain unauthorized access and persist within the system. This issue is particularly dangerous on Windows, where default permissions may not strictly enforce directory access controls, making it easier for an attacker to manipulate files and escalate privileges.
Steps To Reproduce
- Setup Solr Instance on windows machine
- Run in standalone mode
- Ensure config api upload is enabled (default)
- Prepare a Malicious Zip File
- Details for this step will not be provided
- Upload file to configset upload api
- Validate file was uploaded
Credit
- rry
Mitigation
Apache Solr versions below or equal to 8.11.4 are no longer community-supported. The community support version will not receive any updates to address this issue. For more information, see here.
Users of the affected components should apply one of the following mitigations:
- Upgrade Apache Solr to >=9.8.0 or use Solr’s “Rule-Based Authentication Plugin” to restrict access to the configset upload API.
- Leverage a commercial support partner like HeroDevs for post-EOL security support.