Core creation allows users to replace trusted configset files with arbitrary configuration
Solr instances that (1) use the FileSystemConfigSetService component (the default in standalone or user-managed mode), and (2) are running without authentication and authorization are vulnerable to a sort of privilege escalation wherein individual trusted configset files can be ignored in favor of potentially-untrusted replacements available elsewhere on the filesystem. These replacement config files are treated as trusted and can use tags to add to Solrs classpath, which an attacker might use to load malicious code as a searchComponent or other plugin.
This issue affects all Apache Solr versions up through Solr 9.7. Users can protect against the vulnerability by enabling authentication and authorization on their Solr clusters or switching to SolrCloud (and away from FileSystemConfigSetService). Users are also recommended to upgrade to Solr 9.8.0, which mitigates this issue by disabling use of tags by default.
The product performs an operation at a privilege level that is higher than the minimum level required, which creates new weaknesses or amplifies the consequences of other weaknesses.
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Lucene-solr | Ubuntu | upstream | * |
New weaknesses can be exposed because running with extra privileges, such as root or Administrator, can disable the normal security checks being performed by the operating system or surrounding environment. Other pre-existing weaknesses can turn into security vulnerabilities if they occur while operating at raised privileges. Privilege management functions can behave in some less-than-obvious ways, and they have different quirks on different platforms. These inconsistencies are particularly pronounced if you are transitioning from one non-root user to another. Signal handlers and spawned processes run at the privilege of the owning process, so if a process is running as root when a signal fires or a sub-process is executed, the signal handler or sub-process will operate with root privileges.