CVE-2021-27905
published 2021-04-13


Priority P181 · critical · 9.8 · CVSS 3.1
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploited in the wild
EPSS: 93.05% (99.8th percentile)
The ReplicationHandler (normally registered at "/replication" under a Solr core) in Apache Solr has a "masterUrl" (also "leaderUrl" alias) parameter that is used to designate another ReplicationHandler on another Solr core to replicate index data into the local core. To prevent an SSRF vulnerability, Solr ought to check these parameters against a similar configuration it uses for the "shards" parameter. Prior to this bug getting fixed, it did not. This problem affects essentially all Solr versions prior to it getting fixed in 8.8.2.

Affected (3 ranges)

Vendor                      | Product      | Version range                             | Fixed in
apache                      | solr         | < 8.8.2                                   | 8.8.2
apache_software_foundation  | apache_solr  | >= Apache Solr < 8.8.2                    | 8.8.2
debian                      | lucene-solr  | < lucene-solr 3.6.2+dfsg-23 (bookworm)    | lucene-solr 3.6.2+dfsg-23 (bookworm)

Detection & IOCs (extracted from sources)

url: /solr/admin/cores?wt=json
path: /replication
command: GET /solr/admin/cores?wt=json
command: masterUrl=http://<external-host>
  • Detect SSRF exploitation attempts by monitoring HTTP requests to the Solr ReplicationHandler endpoint containing the 'masterUrl' or 'leaderUrl' parameter pointing to external/non-Solr hosts.
  • Monitor for reconnaissance requests to /solr/admin/cores?wt=json which are used to enumerate Solr core names prior to exploitation of the ReplicationHandler SSRF.
  • Alert on HTTP requests to any path matching /solr/<core>/replication with query parameters masterUrl= or leaderUrl= containing non-internal/non-Solr URLs.
  • Nuclei template uses a regex extractor on the /solr/admin/cores?wt=json response to extract core names (group 1 of '"name":"(.*?)"') for use in subsequent ReplicationHandler SSRF probes.
  • The vulnerability is fixed in Apache Solr 8.8.2 and later. Versions prior to 8.8.2 are affected. Patching to 8.8.2+ is the primary remediation.
  • As a compensating control, restrict network access to the /replication handler so only internal Solr instances can reach it, preventing external SSRF abuse.
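As an added example (not code from this record or from the Solr project), the detection bullets above turned into a small checker run over a few constructed access-log lines: it flags core enumeration via /solr/admin/cores?wt=json and any /solr/<core>/replication request whose masterUrl or leaderUrl does not point at an allowlisted internal Solr host. The allowlist, the log format and the sample lines are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumption: the only hosts a local core may legitimately replicate from.
INTERNAL_SOLR_HOSTS = {"solr-leader.internal", "10.0.0.5"}

REPLICATION_RE = re.compile(r"^/solr/(?P<core>[^/]+)/replication$")
# Minimal Combined Log Format parser: method, request target, status code.
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

def classify_request(target):
    """Return a finding string for one request target, or None if benign."""
    parts = urlsplit(target)
    qs = parse_qs(parts.query)  # percent-decodes the parameter values
    if parts.path == "/solr/admin/cores" and qs.get("wt") == ["json"]:
        return "recon: core enumeration via /solr/admin/cores?wt=json"
    m = REPLICATION_RE.match(parts.path)
    if not m:
        return None
    for param in ("masterUrl", "leaderUrl"):
        for raw in qs.get(param, []):
            # Schemeless or non-http values yield no hostname and are flagged too.
            host = urlsplit(raw).hostname or ""
            if host not in INTERNAL_SOLR_HOSTS:
                return f"ssrf: core={m['core']} {param} -> {host or raw!r} (not an internal Solr host)"
    return None

def scan_log(lines):
    """Return [(line_no, finding)] for every suspicious request in the log."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.search(line)
        if not m:
            continue
        finding = classify_request(m["target"])
        if finding:
            findings.append((n, finding))
    return findings

# Constructed sample log lines (not real traffic); 203.0.113.0/24 is documentation space.
SAMPLE_LOG = [
    '203.0.113.7 - - [13/Apr/2021:10:00:01 +0000] "GET /solr/admin/cores?wt=json HTTP/1.1" 200 512',
    '203.0.113.7 - - [13/Apr/2021:10:00:02 +0000] "GET /solr/films/replication?command=fetchindex&masterUrl=http%3A%2F%2F203.0.113.9%3A8000%2Fsolr%2Fx HTTP/1.1" 200 88',
    '10.0.0.6 - - [13/Apr/2021:10:00:03 +0000] "GET /solr/films/replication?command=fetchindex&leaderUrl=http://solr-leader.internal:8983/solr/films HTTP/1.1" 200 88',
    '10.0.0.6 - - [13/Apr/2021:10:00:04 +0000] "GET /solr/films/select?q=*:* HTTP/1.1" 200 1024',
]

print(*scan_log(SAMPLE_LOG), sep="\n")  # lines 1 (recon) and 2 (ssrf) are reported
```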

CVSS provenance

Source         | Version | Score | Severity | Vector
nvd            | v3.1    | 9.8   | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd            | v2.0    | 7.5   | HIGH     | AV:N/AC:L/Au:N/C:P/I:P/A:P
osv            |         | 9.8   | CRITICAL |
vendor_debian  |         | 9.8   | CRITICAL |
vendor_redhat  |         | 9.8   | CRITICAL |