In Apache Solr versions 5.0.0 to 5.5.5 and 6.0.0 to 6.6.5, the Config API allows the JMX server to be configured via an HTTP POST request. By pointing it at a malicious RMI server, an attacker could take advantage of Solr's unsafe deserialization to trigger remote code execution on the Solr side. Reference: http://mail-archives.us.apache.org/mod_mbox/www-announce/201903.mbox/%3CCAECwjAV1buZwg%2BMcV9EAQ19MeAWztPVJYD4zGK8kQdADFYij1w%40mail.gmail.com%3E
Created solr3 tracking bugs for this issue: Affects: fedora-all [bug 1692346]
Mitigation:
* Upgrade to 6.6.6 or later
* Disable the Config API if it is not in use (`disable.configEdit=true`)
* Use other external means to ensure only trusted traffic reaches it (block POST requests to the Config API from external sources)
This issue has been addressed in the following products: Red Hat Fuse 7.4.0 Via RHSA-2019:2413 https://access.redhat.com/errata/RHSA-2019:2413
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2019-0192