CVE-2019-12409
Published 2019-11-18
Priority P271 · critical 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS 21.87% (97.3th percentile)
The 8.1.1 and 8.2.0 releases of Apache Solr contain an insecure setting for the ENABLE_REMOTE_JMX_OPTS configuration option in the default solr.in.sh configuration file shipping with Solr. If you use the default solr.in.sh file from the affected releases, then JMX monitoring will be enabled and exposed on RMI_PORT (default=18983), without any authentication. If this port is opened for inbound traffic in your firewall, then anyone with network access to your Solr nodes will be able to access JMX, which may in turn allow them to upload malicious code for execution on the Solr server.
Affected (4 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apache | solr | — | — |
| apache | solr | — | — |
| apache | solr | — | — |
| debian | lucene-solr | — | — |
Detection & IOCs (extracted from sources)
- Detect unauthenticated exposure of JMX/RMI on port 18983; inbound connections to this port on Solr nodes running versions 8.1.1 or 8.2.0 indicate exploitation of CVE-2019-12409.
- Alert on the presence of 'com.sun.management.jmxremote*' properties in the Solr Admin UI Java Properties section, which confirms the vulnerable JMX configuration is active.
- For Kinsing/H2Miner post-exploitation: monitor for child processes spawned under the Apache Solr Java process writing to /tmp (e.g., /tmp/zzz) and making outbound curl/wget connections, which indicates successful RCE via CVE-2019-12409.
- Detect use of PRoot with the '-S' flag combined with dropped archive filesystems on compromised Solr hosts, a technique used to bypass host-based detections after initial access via CVE-2019-12409.
- Monitor for the ngrok token '1xTuUNq7C1dGOlcNLDTE6w1x5Kf_52a2n6e18VgdiWYc9AzFS' in process arguments or configuration files on compromised Solr hosts.
- Verify solr.in.sh has ENABLE_REMOTE_JMX_OPTS set to 'false'; the presence of the default 'true' value in versions 8.1.1/8.2.0 is the direct indicator of the vulnerable configuration.

Caveats:
- The vulnerable configuration is only present in the DEFAULT solr.in.sh shipped with versions 8.1.1 and 8.2.0; installations that have customized this file may not be affected.
- The effective solr.in.sh may reside in /etc/defaults/ or another non-standard location depending on the install method; scanning only the default path may miss the vulnerable file.
- Exploitation requires the RMI_PORT (18983) to be reachable from the attacker; instances behind a firewall blocking this port are not directly exploitable over the network, though lateral movement from an internal attacker remains a risk.
- The -Dlog4j2.formatMsgNoLookups=true JVM flag observed in the wild on these Solr instances suggests operators may have partially mitigated CVE-2021-44228 (Log4Shell) but left CVE-2019-12409 unpatched; detection logic should not assume one mitigation implies the other.
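The configuration check described in the list above (ENABLE_REMOTE_JMX_OPTS in whichever solr.in.sh is actually in effect), as an added example that is not part of this page and not code from the Apache Solr project. It reads the setting the way a sourced shell file would (commented-out lines ignored, last assignment wins), falls back to the documented RMI_PORT default of 18983 when the port is not set, and accepts any number of candidate paths so non-standard install locations can be included. The candidate paths in the usage comment and the sample files written by make_samples are constructed for this example.

```shell
#!/bin/sh
# Added example, not code from this advisory page or from the Apache Solr project.
# Audits solr.in.sh files for the CVE-2019-12409 default: ENABLE_REMOTE_JMX_OPTS set to
# "true", which starts an unauthenticated JMX/RMI listener on RMI_PORT (default 18983).
# File paths passed on the command line and the sample files below are constructed here.

# Print the effective value of KEY=value or KEY="value" in a shell-style config file.
# Commented-out lines do not match (the key must start the line), a trailing comment is
# dropped, and the last assignment wins, as it would when the file is sourced.
solr_setting() {
    # $1 = file, $2 = key
    sed -n "s/^[[:space:]]*$2=[\"']\{0,1\}\([^\"' ]*\).*/\1/p" "$1" | tail -n 1
}

# Classify one solr.in.sh. Prints exactly one word on stdout:
#   vulnerable  remote JMX enabled (ENABLE_REMOTE_JMX_OPTS="true")
#   safe        remote JMX disabled or not set
#   missing     the file does not exist or is unreadable
# Details (port in use) go to stderr so the stdout word stays machine-readable.
check_solr_in_sh() {
    f="$1"
    if [ ! -r "$f" ]; then
        echo missing
        return 0
    fi
    jmx=$(solr_setting "$f" ENABLE_REMOTE_JMX_OPTS)
    port=$(solr_setting "$f" RMI_PORT)
    [ -n "$port" ] || port=18983   # documented Solr default when RMI_PORT is unset
    if [ "$jmx" = "true" ]; then
        echo "$f: unauthenticated JMX would listen on RMI_PORT=$port" >&2
        echo vulnerable
    else
        echo safe
    fi
}

# Build constructed sample files in a temp dir and print the dir name:
# a copy of the 8.1.1/8.2.0 default (JMX on), a hardened copy, and a copy where the
# only "true" sits in a commented-out line, which must not count.
make_samples() {
    d=$(mktemp -d)
    printf '%s\n' 'SOLR_PORT=8983' 'ENABLE_REMOTE_JMX_OPTS="true"' 'RMI_PORT=18983' \
        > "$d/default-8.2.0.in.sh"
    printf '%s\n' '#ENABLE_REMOTE_JMX_OPTS="true"' 'ENABLE_REMOTE_JMX_OPTS="false" # hardened' \
        > "$d/hardened.in.sh"
    printf '%s\n' '# ENABLE_REMOTE_JMX_OPTS="true"' 'SOLR_HEAP="512m"' \
        > "$d/unset.in.sh"
    echo "$d"
}

# Usage: sh audit_solr_jmx.sh /etc/default/solr.in.sh /opt/solr/bin/solr.in.sh ...
# (these candidate paths are assumptions; the effective file depends on the install method)
if [ "$#" -gt 0 ]; then
    rc=0
    for f in "$@"; do
        s=$(check_solr_in_sh "$f")
        printf '%s: %s\n' "$f" "$s"
        [ "$s" = vulnerable ] && rc=1
    done
    exit "$rc"
fi
```

The script exits non-zero when any audited file is vulnerable, so it can run from a compliance job. A file that merely lacks the setting is reported as safe for this CVE; a missing file is reported separately rather than silently passing, since the caveat above is precisely that the effective file may not be where a scanner expects it.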
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| vendor_debian | — | 9.8 | LOW | — |
| vendor_redhat | — | 9.8 | CRITICAL | — |
Red Hat · vendor_redhat · 2019-11-18 · CVSS 9.8
CVE-2019-12409 [CRITICAL] CWE-306: solr: JMX monitoring service exposed without authentication in default configuration
A flaw was discovered in Apache Solr, where it contains an insecure setting in the default configuration that exposes unauth
Debian · vendor_debian · 2019 · CVSS 9.8
CVE-2019-12409 [CRITICAL] lucene-solr - The 8.1.1 and 8.2.0 releases of Apache Solr contain an insecure setting for the ...
Scope: local
bookworm: resolved
bullseye: resolved
forky: resolved
sid: resolved
trixie: resolved
GHSA · ghsa · 2020-01-28
CVE-2019-12409 [CRITICAL] CWE-434: Unrestricted upload of file with dangerous type in Apache Solr
OSV · osv · 2020-01-28
CVE-2019-12409 [CRITICAL] Unrestricted upload of file with dangerous type in Apache Solr
No detection rules found.
No public exploits indexed.
Wiz · blogs_wiz · 2023-09-06
Summer '23 Cryptomining Attacks: Analysis + Recommendations | Wiz Blog
During the summer of 2023, Wiz Research detected several different cryptomining incidents targeting cloud workloads. Combining Wiz Runtime Sensor events and information from Wiz agentless scanning, we were able to pinpoint security flaws that led to the attackers’ initial access, assess the scope of the compromised resources, and analyze the attackers’ activities.
Cryptomining stands out as a common threat to cloud workloads since it takes advantage of paid computing resources and yields direct monetary gains for the attackers. The threat actors behind these activities are mostly interested in making quick profits, aiming to spread their opportunistic mining operations as far and as wide as possible. Typically, these attacks aren't very complex or stealthy. The attackers usually look for
Tenable · blogs_tenable · 2020-10-29 · CVSS 9.8
[CRITICAL] CVE-2020-14882: Oracle WebLogic Remote Code Execution Vulnerability Exploited in the Wild
Tenable · blogs_tenable · 2019-11-19 · CVSS 9.8
[CRITICAL] CVE-2019-12409: Default Configuration in Apache Solr Could Lead to Remote Code Execution
Bugzilla · bugzilla · 2019-11-20 · CVSS 9.8
CVE-2019-12409 [CRITICAL] CVE-2019-12409 solr3: solr: JMX monitoring service exposed without authentication in default configuration [fedora-all]

This is an automatically created tracking bug! It was created to ensure that one or more security vulnerabilities are fixed in affected versions of fedora-all.

For comments that are specific to the vulnerability please use bugs filed against the "Security Response" product referenced in the "Blocks" field.

For more information see: http://fedoraproject.org/wiki/Security/TrackingBugs

When submitting as an update, use the fedpkg template provided in the next comment(s). This will include the bug IDs of this tracking bug as well as the relevant top-level CVE bugs.

Please also mention the CVE IDs being fixed in the RPM changelog and the fedpkg commit message.

NOTE: this
Bugzilla · bugzilla · 2019-11-20 · CVSS 9.8
CVE-2019-12409 [CRITICAL] CVE-2019-12409 solr: JMX monitoring service exposed without authentication in default configuration
References:
- https://github.com/DrunkenShells/Disclosures/tree/master/CVE-2019-12409-RCE%20Vulnerability%20Due%20to%20Bad%20Defalut%20Config-Apache%20Solr
- https://lists.apache.org/thread.html/47e112035b4aa67ece3b75dbcd1b9c9212895b9dfe2a71f6f7c174e2%40%3Cannounce.apache.org%3E
- https://lists.apache.org/thread.html/6640c7e370fce2b74e466a605a46244ccc40666ad9e3064a4e04a85d%40%3Csolr-user.lucene.apache.org%3E
- https://lists.apache.org/thread.html/925cdb49ceae78baddb45da7beb9b4d2b1ddc4a8e318c65e91fb4e87%40%3Cissues.lucene.apache.org%3E
- https://lists.apache.org/thread.html/a044eae4f6f5b0160ece5bf9cc4c0dad90ce7dd9bb210a9dc50b54be%40%3Cgeneral.lucene.apache.org%3E
- https://lists.apache.org/thread.html/ce7c0b456b15f6c7518adefa54ec948fed6de8e951a2584500c1e541%40%3Cissues.lucene.apache.org%3E
- https://support.f5.com/csp/article/K23720587?utm_source=f5support&%3Butm_medium=RSS
Published 2019-11-18