CVE-2023-50386
published 2024-02-09

CVE-2023-50386: Improper Control of Dynamically-Managed Code Resources, Unrestricted Upload of File with Dangerous Type, Inclusion of Functionality from Untrusted Control…

Priority: P187 (high)
CVSS 3.1: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
ITW / EXPLOIT / VulnCheck KEV: Exploited in the wild
EPSS: 83.84% (99.7th percentile)
Improper Control of Dynamically-Managed Code Resources, Unrestricted Upload of File with Dangerous Type, Inclusion of Functionality from Untrusted Control Sphere vulnerability in Apache Solr. This issue affects Apache Solr from 6.0.0 through 8.11.2 and from 9.0.0 before 9.4.1.

In the affected versions, Solr ConfigSets accepted uploads of Java jar and class files through the ConfigSets API. When backing up Solr Collections, these configSet files would be saved to disk when using the LocalFileSystemRepository (the default for backups). If the backup was saved to a directory that Solr uses in its ClassPath/ClassLoaders, the jar and class files became available for use by any ConfigSet, trusted or untrusted. When Solr is run in a secure way (Authorization enabled), as is strongly suggested, this vulnerability is limited to extending the Backup permissions with the ability to add libraries.

Users are recommended to upgrade to version 8.11.3 or 9.4.1, which fix the issue. In these versions, the following protections have been added:
* Users are no longer able to upload files to a configSet that could be executed via a Java ClassLoader.
* The Backup API restricts saving backups to directories that are used in the ClassLoader.

Affected (5 ranges)

Vendor                     | Product     | Version range                          | Fixed in
apache                     | solr        | >= 6.0.0 < 8.11.3                      | 8.11.3
apache                     | solr        | >= 9.0.0 < 9.4.1                       | 9.4.1
apache_software_foundation | apache_solr | 6.0.0 – 8.11.2                         |
apache_software_foundation | apache_solr | >= 9.0.0 < 9.4.1                       | 9.4.1
debian                     | lucene-solr | < lucene-solr 3.6.2+dfsg-23 (bookworm) | lucene-solr 3.6.2+dfsg-23 (bookworm)

Detection & IOCs (extracted from sources)

Source: https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/apache_solr_backup_restore.rb
  • Monitor the Solr ConfigSets API for uploads of .jar or .class files; these are not legitimate configuration artifacts and indicate exploitation attempts.
  • Alert on Solr Backup API calls whose backup destination directory overlaps with Solr's ClassPath/ClassLoader directories, as this is the pivotal step that enables RCE.
  • Detect the exploit chain: (1) upload of a malicious .jar/.class via the ConfigSets API, followed by (2) a Collection backup operation targeting a ClassLoader directory. The combination is the RCE trigger.
  • Flag unexpected or anomalous HTTP requests to Solr's /solr/<collection>/config or /api/collections/<collection>/config endpoints that include multipart file uploads with .jar or .class MIME types.
  • On disk, watch for .jar or .class files appearing inside Solr's classpath directories (e.g., lib/, server/solr-webapp/webapp/WEB-INF/lib/) as a result of a backup or restore operation.
  • A public Metasploit module (linux/http/apache_solr_backup_restore) exists for this CVE; correlate IDS/WAF logs for Metasploit default User-Agent strings against Solr HTTP endpoints.
  • The vulnerability is only exploitable when the Backup API uses the default LocalFileSystemRepository; deployments using a non-local (e.g., HDFS, S3) backup repository are not exposed to the ClassLoader-poisoning path.
  • When Solr Authorization is enabled (the recommended secure configuration), the attack surface is reduced to principals who already hold Backup permissions; it does not eliminate the risk entirely.
  • The affected version range is Apache Solr 6.0.0–8.11.2 and 9.0.0–9.4.0; versions 8.11.3 and 9.4.1 contain the fix and are not vulnerable.
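The detection bullets above name two events and their combination. The following Python is an added example, not code from this record or its sources: it runs over constructed Solr request-log lines and flags a ConfigSets UPLOAD whose filePath is a .jar/.class, a BACKUP whose location normalises into one of the classpath directories named above, and the chain of both from one client. The NCSA-style log format, the /opt/solr install root, and correlating by client IP rather than by authenticated principal are assumptions made for the example.

```python
import re
from posixpath import normpath
from urllib.parse import parse_qs, urlsplit

# Directories Solr loads classes from, per the page; /opt/solr is an assumed install root.
CLASSPATH_DIRS = ("/opt/solr/lib", "/opt/solr/server/solr-webapp/webapp/WEB-INF/lib")
DANGEROUS_EXT = (".jar", ".class")
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

SAMPLE_LOG = [  # constructed NCSA-style request-log lines, not real traffic
    '10.0.0.5 - - [09/Feb/2024:10:00:01 +0000] "POST /solr/admin/configs?action=UPLOAD&name=cs1&filePath=solrconfig.xml&overwrite=true HTTP/1.1" 200 120',
    '10.0.0.9 - - [09/Feb/2024:10:00:02 +0000] "POST /solr/admin/configs?action=UPLOAD&name=cs1&filePath=lib/Plugin.class HTTP/1.1" 200 120',
    '10.0.0.5 - - [09/Feb/2024:10:00:03 +0000] "GET /solr/admin/collections?action=BACKUP&name=b1&collection=c1&location=/backups/solr HTTP/1.1" 200 300',
    '10.0.0.9 - - [09/Feb/2024:10:00:04 +0000] "GET /solr/admin/collections?action=BACKUP&name=b2&collection=c1&location=/opt/solr/lib/../lib HTTP/1.1" 200 300',
]

def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    query = {k: v[0] for k, v in parse_qs(parts.query).items()}
    return {"ip": m.group("ip"), "path": parts.path, "query": query}

def under_classpath(location):
    """True if the backup location normalises (e.g. via ../) into a directory Solr loads classes from."""
    loc = normpath(location)
    return any(loc == d or loc.startswith(d + "/") for d in CLASSPATH_DIRS)

def classify(ev):
    """Name the chain step a request matches (class-loadable ConfigSets upload, or backup aimed at the classpath), else None."""
    q, action = ev["query"], ev["query"].get("action", "").upper()
    if ev["path"].endswith("/admin/configs") and action == "UPLOAD" and q.get("filePath", "").lower().endswith(DANGEROUS_EXT):
        return "configset_upload_executable"
    if ev["path"].endswith("/admin/collections") and action == "BACKUP" and under_classpath(q.get("location", "")):
        return "backup_into_classpath"

def detect(lines):
    """Return (rule, ip, detail) findings; the chain rule fires when one client performs both steps in order."""
    findings, uploaders = [], set()
    for ev in filter(None, map(parse_line, lines)):
        rule = classify(ev)
        if rule:
            findings.append((rule, ev["ip"], ev["path"]))
        if rule == "configset_upload_executable":
            uploaders.add(ev["ip"])
        elif rule == "backup_into_classpath" and ev["ip"] in uploaders:
            findings.append(("rce_chain_configset_backup", ev["ip"], ev["query"]["location"]))
    return findings
```

On the sample lines only the 10.0.0.9 client trips both rules, so three findings are returned: the upload, the backup into the classpath, and the correlated chain.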

CVSS provenance

Source        | Version | Score | Severity | Vector
nvd           | v3.1    | 8.8   | HIGH     | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
osv           |         | 8.8   | HIGH     |
vulncheck     |         | 8.8   | HIGH     |
vendor_debian |         | 8.8   | HIGH     |
vendor_redhat |         | 8.8   | HIGH     |
vendor_oracle |         | 6.3   | HIGH     |