Bug 1949516 (CVE-2021-27905) - CVE-2021-27905 solr: SSRF vulnerability with the Replication handler
Summary: CVE-2021-27905 solr: SSRF vulnerability with the Replication handler
Keywords:
Status: CLOSED WONTFIX
Alias: CVE-2021-27905
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Importance: high high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 1949524
Reported: 2021-04-14 13:18 UTC by Guilherme de Almeida Suckevicz
Modified: 2021-05-05 20:33 UTC (History)

Fixed In Version: Solr 8.8.2
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in solr. The ReplicationHandler in Apache Solr does not check proper parameters when connecting to another Solr instance to replicate index data into the local core, leading to an SSRF vulnerability. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
Clone Of:
Environment:
Last Closed: 2021-05-05 20:33:52 UTC
Embargoed:



Description Guilherme de Almeida Suckevicz 2021-04-14 13:18:34 UTC
The ReplicationHandler (normally registered at "/replication" under a Solr core) in Apache Solr has a "masterUrl" (also "leaderUrl" alias) parameter that is used to designate another ReplicationHandler on another Solr core to replicate index data into the local core. To prevent an SSRF vulnerability, Solr ought to check these parameters against a similar configuration it uses for the "shards" parameter. Prior to this bug getting fixed, it did not. This problem affects essentially all Solr versions prior to it getting fixed in 8.8.2.

Reference:
https://lists.apache.org/thread.html/r0ddc3a82bd7523b1453cb7a5e09eb5559517145425074a42eb326b10%40%3Cannounce.apache.org%3E

Comment 6 Eric Christensen 2021-05-03 13:17:37 UTC
Mitigation:

Restrict access to the replication handler to only internal Solr instances.
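As an added illustration of the check the description calls for (example code, not Solr's own implementation), the function below compares a requested "masterUrl"/"leaderUrl" value against a constructed allow-list of internal Solr nodes, the same idea the "shards" allow-list applies to distributed requests; the host names and ports are assumptions.

```python
# Added example: allow-list validation of a replication target URL.
# Not Solr's code; ALLOWED_NODES and the host names are constructed.
from typing import Optional
from urllib.parse import urlsplit

# Constructed allow-list of internal Solr nodes, as "host:port".
ALLOWED_NODES = {"solr-1.internal:8983", "solr-2.internal:8983"}


def normalize_node(url: str) -> Optional[str]:
    """Return the 'host:port' a replication URL would connect to, or None
    when the URL cannot be parsed into an unambiguous http(s) target."""
    parts = urlsplit(url.strip())
    if parts.scheme not in ("http", "https"):
        return None  # only the schemes a replication fetch should use
    if parts.username is not None or parts.password is not None:
        return None  # reject userinfo so "host@other" cannot mislead a reviewer
    host = parts.hostname
    if not host:
        return None
    try:
        port = parts.port  # raises ValueError on a non-numeric port
    except ValueError:
        return None
    if port is None:
        port = 443 if parts.scheme == "https" else 80
    return f"{host.lower()}:{port}"


def is_allowed_master_url(url: str, allowed=ALLOWED_NODES) -> bool:
    """True only when the URL targets an allow-listed internal node."""
    node = normalize_node(url)
    return node is not None and node in allowed


if __name__ == "__main__":
    for candidate in (
        "http://solr-2.internal:8983/solr/core1/replication",
        "http://solr-1.internal:9999/solr/core1/replication",
    ):
        print(candidate, "->", is_allowed_master_url(candidate))
```

A request whose target fails this check should be rejected before any outbound connection is made, and logged so that repeated rejections can be alerted on.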

Comment 8 Product Security DevOps Team 2021-05-05 20:33:52 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-27905
