Actively Exploited in the Wild

This vulnerability is being actively exploited in the wild.

Apache Solr Remote Code Execution Vulnerability via Velocity Templates

Vulnerability

A remote code execution vulnerability has been identified in Apache Solr versions 5.0.0 through 8.3.1. The issue lies in the VelocityResponseWriter component, which renders custom Velocity templates: an attacker who can supply such a template can have it executed by Solr. Parameter-provided templates are disabled by default, but they can be enabled by setting 'params.resource.loader.enabled' to true, which allows malicious templates to be executed. The vulnerability has also been reported to crash the Solr process, leading to service disruptions.

Impact

Exploitation of this vulnerability allows for remote code execution on the server where Solr is running. Additionally, there have been reports of this vulnerability causing the Solr process to crash, leading to service interruptions.

Reproduction

To reproduce this vulnerability, upload a malicious Velocity template to a vulnerable Solr instance. This can be done by placing the template in a configset 'velocity/' directory or by using the 'v.template.custom' parameter in a Solr request. If using a custom configset, ensure that 'params.resource.loader.enabled' is set to true and that the configset is trusted. Once the template is uploaded or specified, the Velocity response writer can be used to execute arbitrary code on the server.

Remediation

Users can upgrade to Apache Solr versions 8.4 or 7.7.3, both of which address this vulnerability. For those using Solr 7.7.2, it is recommended to block external access to the Solr API, as this vulnerability can be exploited remotely.
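
To check whether a configset has parameter-provided templates turned on, the following added example (not code from this advisory or from the Solr project) audits a solrconfig.xml for a VelocityResponseWriter with 'params.resource.loader.enabled' set to true. It assumes the standard `<queryResponseWriter>` / `<str name="...">` layout and `${property:default}` substitution; the function name and sample fragments are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample solrconfig.xml fragments (not taken from a real deployment).
SAMPLE_ENABLED = """<config>
  <queryResponseWriter name="velocity" class="solr.VelocityResponseWriter">
    <str name="params.resource.loader.enabled">true</str>
  </queryResponseWriter>
</config>"""

SAMPLE_PROPERTY = """<config>
  <queryResponseWriter name="velocity" class="solr.VelocityResponseWriter" startup="lazy">
    <str name="params.resource.loader.enabled">${velocity.params.resource.loader.enabled:false}</str>
  </queryResponseWriter>
</config>"""

SAMPLE_NO_WRITER = "<config><requestHandler name='/select' class='solr.SearchHandler'/></config>"

# Matches a whole-value ${name} or ${name:default} property substitution.
PROP = re.compile(r"^\$\{([^:}]+)(?::([^}]*))?\}$")


def audit_solrconfig(xml_text, sysprops=None):
    """Return a (status, detail) tuple for each VelocityResponseWriter found.

    status is 'enabled', 'disabled' or 'unresolved' (property with no default).
    """
    sysprops = sysprops or {}
    findings = []
    for w in ET.fromstring(xml_text).iter("queryResponseWriter"):
        if not w.get("class", "").endswith("VelocityResponseWriter"):
            continue
        value = "false"  # parameter-provided templates are disabled by default
        for s in w.findall("str"):
            if s.get("name") == "params.resource.loader.enabled":
                value = (s.text or "").strip()
        m = PROP.match(value)
        if m:  # a system property passed at startup can override the default
            name, default = m.group(1), m.group(2)
            value = sysprops.get(name, default)
            if value is None:
                findings.append(("unresolved", name))
                continue
        status = "enabled" if value.lower() == "true" else "disabled"
        findings.append((status, w.get("name", "")))
    return findings
```

Pass the system properties the Solr process is actually started with as `sysprops`, since a configset that looks disabled on disk can still be enabled at startup.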

Added: May 14, 2026, 6:11 AM
Updated: May 14, 2026, 6:11 AM

Vulnerability Rating

Custom Algorithm

spread: 4.5
impact: 7.5
exploitability: 5.5
remediation: 8.3
relevance: 0.0
threat: 9.9
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.