1. About the Vulnerability
| Vulnerability Name | Apache Solr Remote Code Execution Vulnerability (CVE-2023-50386) |
|---|---|
| Release Date | February 20, 2024 |
| Component Name | Apache Solr |
| Affected Versions | 6.0.0 ≤ Apache Solr < 8.11.3 |
| Vulnerability Type | Remote Code Execution via |
| Severity | CVSS v3 Base Score: 8.8 (High) |
| Exploitability | Attack Vector: Network; Attack Complexity: Low; Privileges Required: Low; User Interaction: None |
| Impact | Confidentiality Impact: High; Integrity Impact: High; Availability Impact: High |
2. About CVE-2023-50386
2.1 About the Component
Apache Solr is an open-source enterprise search platform written in Java. It is based on the Apache Lucene library and features high-performance full-text search.
2.2 About the Vulnerability
On February 20, 2024, Sangfor FarSight Labs received notification of the remote code execution vulnerability (CVE-2023-50386) in Apache Solr, classified as High severity (CVSS Score 8.8) by NVD.
This vulnerability in Apache Solr is caused by Solr ConfigSets accepting Java jar and class files to be uploaded through the ConfigSets API. When backing up Solr Collections, these ConfigSet files would be saved to disk when using the LocalFileSystemRepository (the default for backups). If the backup was saved to a directory that Solr uses in its ClassPath/ClassLoaders, then the jar and class files would be available to use with any ConfigSet, trusted or untrusted.
Attackers can exploit this vulnerability by uploading crafted class files in a ConfigSet and then using the backup function to have those files written into a directory on Solr's classpath, where they can be loaded and executed, thereby obtaining server permissions.
3. Affected Versions
6.0.0 ≤ Apache Solr < 8.11.3
9.0.0 ≤ Apache Solr < 9.4.1
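The following audit sketch is an added example, not code from this advisory, Sangfor, or the Apache Solr project. It checks a version string against the ranges above and inspects a backup location for Java class or jar content and for placement under a classpath directory, the condition described in section 2.2. The directory names, sample files, and the assumption of plain numeric version strings are constructed for illustration.

```python
import tempfile
from pathlib import Path

# Affected ranges as listed in this advisory, each as [lower, upper).
AFFECTED = [((6, 0, 0), (8, 11, 3)), ((9, 0, 0), (9, 4, 1))]

def is_affected(version):
    """True if a numeric Solr version string such as '8.11.2' is in an affected range."""
    parts = [int(p) for p in version.split(".")[:3]]
    v = tuple(parts + [0] * (3 - len(parts)))
    return any(lo <= v < hi for lo, hi in AFFECTED)

def looks_like_java(path):
    """Class files start with CAFEBABE; jars are ZIP archives, so any ZIP is flagged."""
    with open(path, "rb") as fh:
        magic = fh.read(4)
    by_magic = magic in (b"\xca\xfe\xba\xbe", b"PK\x03\x04")
    # Extension is checked too, but magic bytes catch renamed files.
    return by_magic or path.suffix.lower() in (".jar", ".class")

def audit_backup(backup_root, classpath_dirs):
    """Return (java-like files under the backup, classpath dirs that contain it)."""
    root = Path(backup_root).resolve()
    hits = sorted(p for p in root.rglob("*") if p.is_file() and looks_like_java(p))
    overlaps = [Path(d).resolve() for d in classpath_dirs
                if Path(d).resolve() in (root, *root.parents)]
    return hits, overlaps

def demo():
    """Constructed sample: a backup written under a directory used as classpath."""
    with tempfile.TemporaryDirectory() as tmp:
        lib = Path(tmp) / "lib"  # hypothetical classpath directory (assumption)
        conf = lib / "backup1" / "configset" / "conf"
        conf.mkdir(parents=True)
        (conf / "solrconfig.xml").write_text("<config/>")
        # Constructed file: class-file magic bytes behind a harmless extension.
        (conf / "renamed.txt").write_bytes(b"\xca\xfe\xba\xbe\x00\x00\x00\x34")
        hits, overlaps = audit_backup(lib / "backup1", [lib])
        return [p.name for p in hits], len(overlaps)

if __name__ == "__main__":
    print(is_affected("8.11.2"), is_affected("9.4.1"), demo())
```

A non-empty file list together with a non-zero overlap count is the combination to investigate first; either finding alone still warrants review of the backup location.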
4. Solutions
4.1 Remediation Solutions
4.1.1 Official Solution
Apache has released new versions of Apache Solr, and affected users are strongly recommended to update to the latest version to fix the vulnerability. For more information, visit https://solr.apache.org/downloads.html
4.2 Sangfor Solutions
4.2.1 Security Monitoring
The following Sangfor products and services perform real-time monitoring of assets affected by the Apache Solr remote code execution vulnerability (CVE-2023-50386):
- Sangfor Cyber Command (Network Detection and Response)
- Sangfor Cyber Guardian (Managed Detection and Response)
4.2.2 Security Protection
The following Sangfor products and services provide protection against the Apache Solr remote code execution vulnerability (CVE-2023-50386):
- Sangfor Network Secure (Next-Generation Firewall)
- Sangfor Cyber Guardian (Managed Detection and Response)
5. Timeline
On February 20, 2024, Sangfor FarSight Labs received notification of the Apache Solr remote code execution vulnerability (CVE-2023-50386).
On February 20, 2024, Sangfor FarSight Labs released a vulnerability alert with remediation solutions.
6. References
https://nvd.nist.gov/vuln/detail/CVE-2023-50386
7. About Sangfor FarSight Labs
Sangfor FarSight Labs researches the latest cyberthreats and unknown zero-day vulnerabilities, alerting customers to potential dangers to their organizations, and providing real-time solutions with actionable intelligence. Sangfor FarSight Labs works with other security vendors and the security community at large to identify and verify global cyberthreats, providing fast and easy protection for customers.