CVE-2019-12409
published 2019-11-18

Priority: P271
Severity: critical, 9.8 (CVSS 3.1)
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 21.87% (97.3th percentile)
The 8.1.1 and 8.2.0 releases of Apache Solr contain an insecure setting for the ENABLE_REMOTE_JMX_OPTS configuration option in the default solr.in.sh configuration file shipping with Solr. If you use the default solr.in.sh file from the affected releases, then JMX monitoring will be enabled and exposed on RMI_PORT (default=18983), without any authentication. If this port is opened for inbound traffic in your firewall, then anyone with network access to your Solr nodes will be able to access JMX, which may in turn allow them to upload malicious code for execution on the Solr server.

Affected (4 ranges)

Vendor    Product        Version range    Fixed in
apache    solr
apache    solr
apache    solr
debian    lucene-solr

Detection & IOCs (extracted from sources)

port 18983
  • Detect unauthenticated exposure of JMX/RMI on port 18983. Unexpected inbound connections to this port on Solr nodes running 8.1.1 or 8.2.0 with the default solr.in.sh should be treated as probing or possible exploitation of CVE-2019-12409, not as monitoring noise.
  • Alert on 'com.sun.management.jmxremote*' properties in the Java Properties section of the Solr Admin UI. Their presence confirms remote JMX is enabled; a value of false for com.sun.management.jmxremote.authenticate confirms it is exposed without authentication, which is the condition the advisory describes.
  • For Kinsing/H2Miner post-exploitation: monitor for child processes spawned under the Apache Solr Java process writing to /tmp (e.g., /tmp/zzz) and making outbound curl/wget connections, which indicates successful RCE via CVE-2019-12409.
  • Detect use of PRoot with the '-S' flag combined with dropped archive filesystems on compromised Solr hosts, a technique used to bypass host-based detections after initial access via CVE-2019-12409.
  • Monitor for the ngrok token '1xTuUNq7C1dGOlcNLDTE6w1x5Kf_52a2n6e18VgdiWYc9AzFS' in process arguments or configuration files on compromised Solr hosts.
  • Verify solr.in.sh has ENABLE_REMOTE_JMX_OPTS set to 'false'; the presence of the default 'true' value in versions 8.1.1/8.2.0 is the direct indicator of the vulnerable configuration.
  • The vulnerable configuration is only present in the DEFAULT solr.in.sh shipped with versions 8.1.1 and 8.2.0; installations that have customized this file may not be affected.
  • The effective solr.in.sh may reside in /etc/defaults/ or another non-standard location depending on the install method; scanning only the default path may miss the vulnerable file.
  • Exploitation requires the RMI_PORT (18983) to be reachable from the attacker; instances behind a firewall blocking this port are not directly exploitable over the network, though lateral movement from an internal attacker remains a risk.
  • The -Dlog4j2.formatMsgNoLookups=true JVM flag observed in the wild on these Solr instances suggests operators may have partially mitigated CVE-2021-44228 (Log4Shell) but left CVE-2019-12409 unpatched; detection logic should not assume one mitigation implies the other.
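The solr.in.sh check and the jmxremote property check above can be scripted. The following is an added example written for this page, not tooling from the Apache Solr project: it reads the effective ENABLE_REMOTE_JMX_OPTS and RMI_PORT from a solr.in.sh (honouring the last uncommented assignment, quoting and an optional export), looks in the alternate locations the advisory warns about, and classifies a JVM command line by whether com.sun.management.jmxremote.authenticate=false is present. The function names, the candidate directory list, and the sample solr.in.sh fragments and command lines at the bottom are constructed for the example; the assumption that bin/solr only adds the jmxremote flags when the value is exactly "true" is marked in the code.

```shell
#!/bin/sh
# Added example, not Solr project code: audit a host for the CVE-2019-12409
# default. Checks (1) the effective ENABLE_REMOTE_JMX_OPTS / RMI_PORT in a
# solr.in.sh and (2) whether a JVM command line carries unauthenticated
# com.sun.management.jmxremote.* properties. POSIX sh. The sample inputs at
# the bottom are constructed for this example, not copied from a real host.

# effective_setting FILE NAME: print the last uncommented assignment of NAME
# (optionally "export"ed, optionally quoted); later lines win when the file is
# sourced. Prints nothing if NAME is never assigned.
effective_setting() {
  sed -n "s/^[[:space:]]*\(export[[:space:]]\{1,\}\)\{0,1\}${2}=[\"']\{0,1\}\([^\"'#]*\)[\"']\{0,1\}.*/\2/p" "$1" \
    | tail -n 1 | sed 's/[[:space:]]*$//'
}

# classify_solr_in_sh FILE: "vulnerable:PORT", "safe", "unset" or "unknown:VALUE".
# Assumption: bin/solr only adds the jmxremote flags when the value is exactly
# "true", so any other value is treated as not enabled by this file.
classify_solr_in_sh() {
  v=$(effective_setting "$1" ENABLE_REMOTE_JMX_OPTS)
  case "$v" in
    true)  p=$(effective_setting "$1" RMI_PORT); echo "vulnerable:${p:-18983}" ;;
    false) echo "safe" ;;
    "")    echo "unset" ;;
    *)     echo "unknown:$v" ;;
  esac
}

# find_solr_in_sh [DIR...]: print every solr.in.sh in the usual places (the
# advisory notes /etc/defaults/ and other installer-dependent locations);
# the directory list is an assumption, extend it with your own as arguments.
find_solr_in_sh() {
  for d in /etc/default /etc/defaults /opt/solr/bin /var/solr "$@"; do
    [ -f "$d/solr.in.sh" ] && echo "$d/solr.in.sh"
  done
  return 0
}

# jmx_from_cmdline CMDLINE: "none", "authenticated:PORT" or "unauthenticated:PORT".
# The JVM default for jmxremote.authenticate is true, so only an explicit
# =false leaves the endpoint open to anyone who can reach the port.
jmx_from_cmdline() {
  case "$1" in
    *-Dcom.sun.management.jmxremote*) ;;
    *) echo "none"; return 0 ;;
  esac
  p=$(printf '%s\n' "$1" | sed -n 's/.*-Dcom\.sun\.management\.jmxremote\.port=\([0-9]*\).*/\1/p')
  case "$1" in
    *-Dcom.sun.management.jmxremote.authenticate=false*) echo "unauthenticated:${p:-unknown}" ;;
    *) echo "authenticated:${p:-unknown}" ;;
  esac
}

# audit_running_jvms: apply jmx_from_cmdline to every java process on this host.
audit_running_jvms() {
  ps -eo pid=,args= | while read -r pid args; do
    case "$args" in *java*) echo "$pid $(jmx_from_cmdline "$args")" ;; esac
  done
}

# write_samples DIR: constructed solr.in.sh fragments used by the demo below.
write_samples() {
  cat > "$1/solr.in.sh.default-8.2.0" <<'EOF'
# constructed to mirror the shape of the shipped default the advisory describes
ENABLE_REMOTE_JMX_OPTS="true"
RMI_PORT=18983
EOF
  cat > "$1/solr.in.sh.hardened" <<'EOF'
#ENABLE_REMOTE_JMX_OPTS="true"
export ENABLE_REMOTE_JMX_OPTS=false   # disabled after the advisory
RMI_PORT=18983
EOF
  cat > "$1/solr.in.sh.custom" <<'EOF'
# operator-customized file that never assigns the JMX setting
SOLR_HEAP="2g"
EOF
}

# Demo on the constructed samples plus two constructed JVM command lines.
d=$(mktemp -d)
write_samples "$d"
for f in "$d"/solr.in.sh.*; do
  printf '%s -> %s\n' "$(basename "$f")" "$(classify_solr_in_sh "$f")"
done
jmx_from_cmdline "java -Dcom.sun.management.jmxremote -Dcom.sun.management.jmxremote.authenticate=false -Dcom.sun.management.jmxremote.port=18983 -Dcom.sun.management.jmxremote.rmi.port=18983 -jar start.jar"
jmx_from_cmdline "java -Dcom.sun.management.jmxremote.port=18983 -Dcom.sun.management.jmxremote.ssl=true -jar start.jar"
rm -rf "$d"
```

On a real node, run `for f in $(find_solr_in_sh /path/to/solr/bin); do classify_solr_in_sh "$f"; done` and `audit_running_jvms`; a "vulnerable:18983" from the first or an "unauthenticated:18983" from the second is the condition the advisory describes, and the running-JVM check is the one that matters because it reflects what was actually started, whatever file the operator thinks is in effect.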

CVSS provenance

NVD v3.1: 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD v2.0: 7.5 HIGH, AV:N/AC:L/Au:N/C:P/I:P/A:P
Vendor (Debian): 9.8, LOW
Vendor (Red Hat): 9.8, CRITICAL