Bug 1774734 (CVE-2019-12409)
Summary: | CVE-2019-12409 solr: JMX monitoring service exposed without authentication in default configuration | ||
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Pedro Sampaio <psampaio> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED WONTFIX | QA Contact: | |
Severity: | high | Docs Contact: | |
Priority: | high | ||
Version: | unspecified | CC: | aboyko, aileenc, asoldano, atangrin, bbaranow, bmaxwell, brian.stansberry, cdewolf, chazlett, darran.lofthouse, dkreling, dosoudil, drieden, extras-orphan, gvarsami, iweiss, jawilson, jcoleman, jolee, jperkins, jschatte, jstastny, kconner, krathod, kwills, ldimaggi, lgao, msochure, msvehla, nwallace, pmackay, psotirop, puntogil, rguimara, rsvoboda, rwagner, smaestri, tcunning, tkirby, tom.jenkinson, twalsh, vhalbert |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | Doc Type: | If docs needed, set a value | |
Doc Text: |
A flaw was discovered in Apache Solr, where it contains an insecure setting in the default configuration that exposes unauthenticated access to the JMX monitoring service. This flaw allows an attacker to upload malicious code for execution on the Solr server.
|
Story Points: | --- |
Clone Of: | Environment: | ||
Last Closed: | 2020-01-23 02:10:09 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | 1774735 | ||
Bug Blocks: | 1774737 |
Description
Pedro Sampaio
2019-11-20 20:01:45 UTC
Created solr3 tracking bugs for this issue: Affects: fedora-all [bug 1774735] This vulnerability is out of security support scope for the following products: * Red Hat Enterprise Application Platform 6 * Red Hat JBoss Fuse Service Works 6 Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details. External References: https://lucene.apache.org/solr/news.html#18-november-2019-cve-2019-12409-apache-solr-rce-vulnerability-due-to-bad-config-default Mitigation: Per Solr guidance: "Make sure your effective solr.in.sh file has ENABLE_REMOTE_JMX_OPTS set to 'false' on every Solr node and then restart Solr. Note that the effective solr.in.sh file may reside in /etc/defaults/ or another location depending on the install. You can then validate that the 'com.sun.management.jmxremote*' family of properties are not listed in the "Java Properties" section of the Solr Admin UI, or configured in a secure way. There is no need to upgrade or update any code." This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2019-12409 |