Critical Apache Solr Vulnerability Grants Write Access to Attackers on Windows

A new security vulnerability has been uncovered in Apache Solr, affecting versions 6.6 through 9.7.0.

The issue, classified as a Relative Path Traversal vulnerability, exposes Solr instances running on Windows to potential risks of arbitrary file path manipulation and write-access.

Tracked as SOLR-17543, this vulnerability could permit attackers to exploit the “configset upload” API through a maliciously crafted ZIP file.

Exploiting File Path Manipulation Through Zipslip

The vulnerability stems from improper input sanitation in Solr’s “configset upload” API.

This flaw enables attackers to execute what is commonly referred to as a “zipslip” attack, leveraging malicious ZIP files containing relative file paths to overwrite or write files in unexpected locations within the filesystem.

Because certain components of Windows file path processing are more prone to exploitation, Solr instances hosted on Windows platforms are particularly at risk.

The attack could allow unauthorized write-access to critical system files, potentially compromising the integrity of the Solr application and the broader system it is part of.

Upgrade or Restrict Access

To address and eliminate the vulnerability, Apache Solr has released version 9.8.0, which includes a comprehensive fix for the issue.

Users operating on affected versions are strongly encouraged to upgrade to version 9.8.0 to secure their systems against potential exploits.

For organizations unable to perform an immediate upgrade, a mitigation strategy involves leveraging Solr’s “Rule-Based Authentication Plugin.”

By configuring this plugin to restrict access to the “configset upload” API to a trusted set of administrators or authorized users, the risk of exploitation can be significantly reduced.

Proper access control ensures that only vetted individuals or systems can interact with this sensitive API endpoint, effectively minimizing exposure to the vulnerability.

The vulnerability underscores the importance of maintaining updated software and implementing robust security controls.

Users are advised to evaluate their current Solr deployment for any potential exposure to this flaw.

Systems running on Windows environments, in particular, should be prioritized for patching or mitigation, given the elevated risk of exploitation on this platform.

Organizations should also review their access control policies and monitor API activity to detect and prevent any anomalous behavior.

The identification of SOLR-17543 highlights the ongoing need for vigilance in securing open-source software deployments.

While the release of Solr 9.8.0 provides a definitive resolution, proactive measures such as authentication and API restriction serve as critical interim safeguards to protect sensitive environments.

Are you from SOC/DFIR Teams? – Analyse Malware Files & Links with ANY.RUN Sandox -> Try for Free