CVE-2021-27905
Published: 2021-04-13
Priority: P1 · 81 · critical 9.8 (CVSS 3.1: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Exploited in the wild
EPSS: 93.05% (99.8th percentile)
The ReplicationHandler (normally registered at "/replication" under a Solr core) in Apache Solr has a "masterUrl" (also "leaderUrl" alias) parameter that is used to designate another ReplicationHandler on another Solr core to replicate index data into the local core. To prevent a SSRF vulnerability, Solr ought to check these parameters against a similar configuration it uses for the "shards" parameter. Prior to this bug getting fixed, it did not. This problem affects essentially all Solr versions prior to it getting fixed in 8.8.2.
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apache | solr | < 8.8.2 | 8.8.2 |
| apache_software_foundation | apache_solr | < 8.8.2 | 8.8.2 |
| debian | lucene-solr | < 3.6.2+dfsg-23 (bookworm) | 3.6.2+dfsg-23 (bookworm) |
Detection & IOCs (extracted from sources)
- Detect SSRF exploitation attempts by monitoring HTTP requests to the Solr ReplicationHandler endpoint containing the 'masterUrl' or 'leaderUrl' parameter pointing to external/non-Solr hosts.
- Monitor for reconnaissance requests to /solr/admin/cores?wt=json, which are used to enumerate Solr core names prior to exploitation of the ReplicationHandler SSRF.
- Alert on HTTP requests to any path matching /solr/<core>/replication with query parameters masterUrl= or leaderUrl= containing non-internal/non-Solr URLs.
- The Nuclei template uses a regex extractor on the /solr/admin/cores?wt=json response to extract core names (group 1 of '"name":"(.*?)"') for use in subsequent ReplicationHandler SSRF probes.
- The vulnerability is fixed in Apache Solr 8.8.2 and later. Versions prior to 8.8.2 are affected. Patching to 8.8.2+ is the primary remediation.
- As a compensating control, restrict network access to the /replication handler so only internal Solr instances can reach it, preventing external SSRF abuse.
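The allow-list check the description says Solr lacked (a host:port check in the style of the one applied to the "shards" parameter) and the log-based detection in the list above, as one added Python example. This is neither Solr's code nor the source of the listed rules: the allow-list of replication nodes, the access-log lines and the function names are constructed here for illustration, and the log format assumed is the common combined format.

```python
"""Added example: allow-list validation of replication target URLs, plus a
detector for CVE-2021-27905-style requests run over constructed access-log lines.
Not Solr's own code; names and sample data are hypothetical."""
import re
from urllib.parse import parse_qs, urlsplit

# Hypothetical allow-list of Solr nodes (host:port) that may act as replication
# leaders. Solr applies a comparable host:port check to the "shards" parameter;
# the fix for CVE-2021-27905 applies it to masterUrl/leaderUrl as well.
ALLOWED_REPLICATION_NODES = {"solr-1.internal:8983", "solr-2.internal:8983"}

# Constructed access-log lines (combined log format): one legitimate fetchindex,
# one core enumeration, one ordinary query, one external masterUrl and one
# URL-encoded external leaderUrl. 198.51.100.9 is a documentation address.
SAMPLE_ACCESS_LOG = [
    '10.0.0.5 - - [13/Apr/2021:10:00:01 +0000] "GET /solr/products/replication'
    '?command=fetchindex&masterUrl=http://solr-2.internal:8983/solr/products/replication HTTP/1.1" 200 57',
    '203.0.113.7 - - [13/Apr/2021:10:02:11 +0000] "GET /solr/admin/cores?wt=json HTTP/1.1" 200 812',
    '10.0.0.9 - - [13/Apr/2021:10:02:30 +0000] "GET /solr/products/select?q=*:* HTTP/1.1" 200 1904',
    '203.0.113.7 - - [13/Apr/2021:10:02:45 +0000] "GET /solr/products/replication'
    '?command=fetchindex&masterUrl=http://198.51.100.9:8080/ HTTP/1.1" 200 57',
    '203.0.113.7 - - [13/Apr/2021:10:03:02 +0000] "GET /solr/products/replication'
    '?command=fetchindex&leaderUrl=http%3A%2F%2F198.51.100.9%3A8080%2F HTTP/1.1" 200 57',
]

LOG_REQUEST_RE = re.compile(r'"(?:GET|POST) (?P<target>\S+) HTTP/[\d.]+"')
REPLICATION_PATH_RE = re.compile(r"^/solr/(?P<core>[^/?]+)/replication$")
CORE_ENUM_PATH = "/solr/admin/cores"
TARGET_PARAMS = ("masterUrl", "leaderUrl")


def is_allowed_replication_target(url, allowlist=ALLOWED_REPLICATION_NODES):
    """True only for an http(s) URL whose host:port is on the allow-list.

    Default ports are filled in so "http://solr-1.internal/" is compared as
    solr-1.internal:80 and is rejected unless that exact pair is listed.
    """
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError for a malformed port
    except ValueError:
        return False
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    if port is None:
        port = 443 if parts.scheme == "https" else 80
    return f"{parts.hostname}:{port}" in allowlist


def analyze_request_line(line, allowlist=ALLOWED_REPLICATION_NODES):
    """Return a finding dict for one access-log line, or None if it is benign."""
    m = LOG_REQUEST_RE.search(line)
    if not m:
        return None
    target = urlsplit(m.group("target"))  # request path and query string
    if target.path == CORE_ENUM_PATH:
        return {"kind": "core_enumeration", "path": target.path}
    rep = REPLICATION_PATH_RE.match(target.path)
    if not rep:
        return None
    params = parse_qs(target.query)  # percent-decodes parameter values
    for name in TARGET_PARAMS:
        for url in params.get(name, []):
            if not is_allowed_replication_target(url, allowlist):
                return {"kind": "replication_ssrf_attempt", "core": rep.group("core"),
                        "param": name, "url": url}
    return None


def scan_log(lines, allowlist=ALLOWED_REPLICATION_NODES):
    """Run the detector over an iterable of log lines and collect the findings."""
    return [f for f in (analyze_request_line(l, allowlist) for l in lines) if f]


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_ACCESS_LOG):
        print(finding)
```

The validator deliberately compares the whole host:port pair rather than the hostname alone, since a replication target on an allow-listed host but an unexpected port is still a request the core was never configured to make; the detector reuses the same validator so that the alerting logic and the intended fix agree on what "internal Solr instance" means.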
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| osv | | 9.8 | CRITICAL | |
| vendor_debian | | 9.8 | CRITICAL | |
| vendor_redhat | | 9.8 | CRITICAL | |
OSV
Server-Side Request Forgery in Apache Solr
osv · 2021-05-10 · HIGH
GHSA
Server-Side Request Forgery in Apache Solr
ghsa · 2021-05-10 · HIGH · CWE-918
OSV
CVE-2021-27905
osv · 2021-04-13 · CVSS 9.8 · CRITICAL
Red Hat
solr: SSRF vulnerability with the Replication handler
vendor_redhat · 2021-04-12 · CVSS 9.8 · CRITICAL · CWE-918
A flaw was found in solr. The ReplicationHandler in Apache Solr does not check proper parameters when connecting to another Solr instance to replicate index data into the local core leading to a SSRF vulner
Debian
CVE-2021-27905: lucene-solr
vendor_debian · 2021 · CVSS 9.8 · CRITICAL
Scope: local
bookworm: resolved (fixed in 3.6.2+dfsg-23)
bullseye: resolved (fixed in 3.6.2+dfsg-23)
forky: resolved (fixed in 3.6.2+dfsg-23)
sid: resolved (fixed in 3.6.2+dfsg-23)
trixie: resolved (fixed in 3.6.2+dfsg-23)
No detection rules found.
Nuclei
Apache Solr <=8.8.1 - Server-Side Request Forgery
nuclei · CVSS 9.8 · CRITICAL
```yaml
Apache Solr OK'
    extractors:
      - type: regex
        name: core
        group: 1
        regex:
          - '"name"\:"(.*?)"'
        internal: true
# digest: 4a0a0047304502210083dec664cb9faef9f24e71f052dccd2680d940fb578ea6e14a8e2ce6482cb9bb02206db937637854a263ce3e905eb4c31b4ff31d197bcec0aa123983dc9383a3a8e0:922c64590222798bb761d5b6d8e72950
```
Qualys
Identify Server-Side Attacks Using Qualys Periscope
blogs_qualys · 2022-12-01 · CVSS 8.8 · HIGH
#### Table of Contents
- Potential False Positives
- Potential False Negatives
Qualys previously announced the introduction of Qualys Periscope in 2020. This technology allows Qualys Web Application Scanning (WAS) to detect out-of-band vulnerabilities such as server-side request forgery (SSRF). Qualys Periscope provides confirmed detections for additional vulnerabilities, such as Log4j, where it enables rapid development and release of the QID. Occasionally, Qualys receives questions and support cases related to Qualys Periscope. This article will provide more detail on the common questions/situations seen with out-of-band detections.
As of publishing, the vulnerability detections that utilize Qualys Periscope are:
- QID 150055 – OS Command Injection
- QID 150179 – Blind XXE injection
Unit42
Attackers Are Taking Advantage of the Open-Source Service Interactsh for Malicious Purposes
blogs_unit42 · 2021-10-14
## Executive Summary
Recently, Unit 42 has observed active exploits related to an open-source service called Interactsh. This tool can generate specific domain names to help its users test whether an exploit is successful. It can be used by researchers – but also by attackers – to validate vulnerabilities via real-time monitoring on the trace path for the domain. Researchers creating a proof of concept (PoC) for an exploit can insert Interactsh to check whether the PoC is working, but the service could also be used by attackers who want to be sure an exploit is working.
This blog will first introduce the Interactsh tool and how researchers or attackers can leverage it to perform vulnerability validation. We then describe some of the many exploits in the wild leveraging this tool, and we
Authors: Yue Guan, Jin Chen, Leo Olson, Wayne Xin, Daiping Liu. Published: October 14, 2021.
HackerOne
SSRF due to CVE-2021-27905 in www.████████
hackerone · 2022-04-29 · CVSS 9.8 · CRITICAL
Apache Solr is vulnerable to SSRF using the parameter "masterUrl". This issue is registered as [CVE-2021-27905](https://nvd.nist.gov/vuln/detail/CVE-2021-27905).
## Impact
A successful SSRF attack can often result in unauthorized actions or access to data within the organization, either in the vulnerable application itself or on other back-end systems that the application can communicate with. In some situations, the SSRF vulnerability might allow an attacker to perform [arbitrary command execution](https://portswigger.net/web-security/os-command-injection).
An SSRF exploit that causes connections to external third-party systems might result in malicious onward attacks that appear to originate from the organization hosting the vulnerable appli
References
- https://lists.apache.org/thread.html/r0ddc3a82bd7523b1453cb7a5e09eb5559517145425074a42eb326b10%40%3Cannounce.apache.org%3E
- https://lists.apache.org/thread.html/r140128dc6bb4f4e0b6a39e962c7ca25a8cbc8e48ed766176c931fccc%40%3Cusers.solr.apache.org%3E
- https://lists.apache.org/thread.html/r3da74965aba2b5f5744b7289ad447306eeb2940c872801819faa9314%40%3Cusers.solr.apache.org%3E
- https://lists.apache.org/thread.html/r6ccec7fc54d82591b23c143f1f6a6e38f6e03e75db70870e4cb14a1a%40%3Ccommits.ofbiz.apache.org%3E
- https://lists.apache.org/thread.html/r720a4a0497fc90bad5feec8aa18b777912ee15c7eeb5f882adbf523e%40%3Ccommits.ofbiz.apache.org%3E
- https://lists.apache.org/thread.html/r78a3a4f1138a1608b0c6d4a2ee7647848c1a20b0d5c652cd9b02c25a%40%3Ccommits.ofbiz.apache.org%3E
- https://lists.apache.org/thread.html/r8f1152a43c36d878bbeb5a92f261e9efaf3af313b033d7acfccea59d%40%3Cnotifications.ofbiz.apache.org%3E
- https://lists.apache.org/thread.html/r95df34bb158375948da82b4dfe9a1b5d528572d586584162f8f5aeef%40%3Cusers.solr.apache.org%3E
- https://lists.apache.org/thread.html/rae9ccaecce9859f709ed1458545d90a4c07163070dc98b5e9e59057f%40%3Cnotifications.ofbiz.apache.org%3E
- https://lists.apache.org/thread.html/rd232d77c57a8ce172359ab098df9512d8b37373ab87c444be911b430%40%3Cnotifications.ofbiz.apache.org%3E
- https://lists.apache.org/thread.html/re9d64bb8e5dfefddcbf255adb4559e13a0df5b818da1b9b51329723f%40%3Cnotifications.ofbiz.apache.org%3E
- https://security.netapp.com/advisory/ntap-20210611-0009/