Bug 1774734 (CVE-2019-12409)

Summary: CVE-2019-12409 solr: JMX monitoring service exposed without authentication in default configuration
Product: [Other] Security Response Reporter: Pedro Sampaio <psampaio>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: aboyko, aileenc, asoldano, atangrin, bbaranow, bmaxwell, brian.stansberry, cdewolf, chazlett, darran.lofthouse, dkreling, dosoudil, drieden, extras-orphan, gvarsami, iweiss, jawilson, jcoleman, jolee, jperkins, jschatte, jstastny, kconner, krathod, kwills, ldimaggi, lgao, msochure, msvehla, nwallace, pmackay, psotirop, puntogil, rguimara, rsvoboda, rwagner, smaestri, tcunning, tkirby, tom.jenkinson, twalsh, vhalbert
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
A flaw was discovered in Apache Solr, where it contains an insecure setting in the default configuration that exposes unauthenticated access to the JMX monitoring service. This flaw allows an attacker to upload malicious code for execution on the Solr server.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2020-01-23 02:10:09 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1774735    
Bug Blocks: 1774737    

Description Pedro Sampaio 2019-11-20 20:01:45 UTC 
The 8.1.1 and 8.2.0 releases of Apache Solr contain an insecure setting for the ENABLE_REMOTE_JMX_OPTS configuration option in the default solr.in.sh configuration file shipping with Solr. If you use the default solr.in.sh file from the affected releases, then JMX monitoring will be enabled and exposed on RMI_PORT (default=18983), without any authentication. If this port is opened for inbound traffic in your firewall, then anyone with network access to your Solr nodes will be able to access JMX, which may in turn allow them to upload malicious code for execution on the Solr server.

References:

https://lists.apache.org/thread.html/6640c7e370fce2b74e466a605a46244ccc40666ad9e3064a4e04a85d@%3Csolr-user.lucene.apache.org%3E
Comment 1 Pedro Sampaio 2019-11-20 20:02:05 UTC 
Created solr3 tracking bugs for this issue:

Affects: fedora-all [bug 1774735]
Comment 2 Kunjan Rathod 2019-11-21 22:18:00 UTC 
This vulnerability is out of security support scope for the following products:
 * Red Hat Enterprise Application Platform 6
 * Red Hat JBoss Fuse Service Works 6


Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.
Comment 3 Chess Hazlett 2020-01-22 22:01:22 UTC 
External References:

https://lucene.apache.org/solr/news.html#18-november-2019-cve-2019-12409-apache-solr-rce-vulnerability-due-to-bad-config-default
Comment 4 Chess Hazlett 2020-01-22 22:01:24 UTC 
Mitigation:

Per Solr guidance: "Make sure your effective solr.in.sh file has ENABLE_REMOTE_JMX_OPTS set to 'false' on every Solr node and then restart Solr. Note that the effective solr.in.sh file may reside in /etc/defaults/ or another location depending on the install. You can then validate that the 'com.sun.management.jmxremote*' family of properties are not listed in the "Java Properties" section of the Solr Admin UI, or configured in a secure way. There is no need to upgrade or update any code."
Comment 6 Product Security DevOps Team 2020-01-23 02:10:09 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-12409