Bug 1774734 (CVE-2019-12409) - CVE-2019-12409 solr: JMX monitoring service exposed without authentication in default configuration
Summary: CVE-2019-12409 solr: JMX monitoring service exposed without authentication in...
Keywords:
Status: CLOSED WONTFIX
Alias: CVE-2019-12409
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1774735
Blocks: 1774737
TreeView+ depends on / blocked
 
Reported: 2019-11-20 20:01 UTC by Pedro Sampaio
Modified: 2020-01-23 02:10 UTC (History)
42 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-01-23 02:10:09 UTC


Attachments (Terms of Use)

Description Pedro Sampaio 2019-11-20 20:01:45 UTC
The 8.1.1 and 8.2.0 releases of Apache Solr contain an insecure setting for the ENABLE_REMOTE_JMX_OPTS configuration option in the default solr.in.sh configuration file shipping with Solr. If you use the default solr.in.sh file from the affected releases, then JMX monitoring will be enabled and exposed on RMI_PORT (default=18983), without any authentication. If this port is opened for inbound traffic in your firewall, then anyone with network access to your Solr nodes will be able to access JMX, which may in turn allow them to upload malicious code for execution on the Solr server.

References:

https://lists.apache.org/thread.html/6640c7e370fce2b74e466a605a46244ccc40666ad9e3064a4e04a85d@%3Csolr-user.lucene.apache.org%3E

Comment 1 Pedro Sampaio 2019-11-20 20:02:05 UTC
Created solr3 tracking bugs for this issue:

Affects: fedora-all [bug 1774735]

Comment 2 Kunjan Rathod 2019-11-21 22:18:00 UTC
This vulnerability is out of security support scope for the following products:
 * Red Hat Enterprise Application Platform 6
 * Red Hat JBoss Fuse Service Works 6


Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.

Comment 4 Chess Hazlett 2020-01-22 22:01:24 UTC
Mitigation:

Per Solr guidance: "Make sure your effective solr.in.sh file has ENABLE_REMOTE_JMX_OPTS set to 'false' on every Solr node and then restart Solr. Note that the effective solr.in.sh file may reside in /etc/defaults/ or another location depending on the install. You can then validate that the 'com.sun.management.jmxremote*' family of properties are not listed in the "Java Properties" section of the Solr Admin UI, or configured in a secure way. There is no need to upgrade or update any code."

Comment 6 Product Security DevOps Team 2020-01-23 02:10:09 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-12409


Note You need to log in before you can comment on or make changes to this bug.