Digging out this old thread since I am looking for an answer to the same
question.
To Matthew's response above, since /replication is an implicit handler,
even if removed from solrconfig.xml, it would still work.
I looked around (aka Googled) to find a way in which someone exploited this
vulnerability, but couldn't find it. That would help us get an idea about
patching it. If anyone knows more about this CVE or can point me to JIRA
for the same, that would be great.

Thanks,
Rahul


On Fri, Jun 18, 2021 at 9:47 AM matthew sporleder <[email protected]>
wrote:

> I believe these are all related to exposed api/admin endpoints so your
> network is probably protecting you but poor input sanitation could
> expose you, of course, like
> /myappsearch?search=../../replication?evilpayload (classic SQL-style
> injection style)
>
> If you have, literally, removed the handlers for those url endpoints
> from your config I think you are pretty safe.
>
> On Fri, Jun 18, 2021 at 6:54 AM Anchal Sharma2 <[email protected]>
> wrote:
> >
> > Hi All,
> >
> > We are currently using Solr Cloud (Solr version 8.6.3) in our application.
> > Since it doesn't use the master-slave Solr approach, we do not have the
> > replication handler (to replicate master to slave) set up on any of our
> > Solr nodes.
> > Could someone please confirm if the following vulnerability is still
> > applicable for us?
> >
> > CVE-2021-27905 Apache Solr ReplicationHandler/SSRF vulnerability
> > Description: A critical vulnerability was found in Apache Solr up to
> > 8.8.1 (CVSS 9.8). Affected by this vulnerability is an unknown code block
> > of the file /replication; the manipulation of the argument
> > masterUrl/leaderUrl with an unknown input can lead to a privilege
> > escalation vulnerability. *Note: There are now POCs targeting
> > CVE-2021-27905 (Apache Solr <= 8.8.1 SSRF), CVE-2017-12629 (Remote Code
> > Execution via SSRF), and CVE-2019-0193 (DataImportHandler). There are also
> > Metasploit modules for the Apache Solr Velocity RCE, and two Apache OFBiz
> > vulnerabilities. Given the number of vulnerabilities, severity, and
> > availability of POCs, it is highly recommended that any vulnerable systems
> > be patched as soon as possible.
> >
> > Thanks
> > Anchal Sharma
>
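
Added example (not part of the thread and not Solr's own code): a log check for the two request shapes discussed above, a direct hit on /replication and the pass-through form from Matthew's reply, flagging the masterUrl/leaderUrl arguments named in the CVE description. The access-log format, the sample lines and the function names are assumptions made for illustration.

```python
import re
from urllib.parse import unquote

# Assumed combined-style access log; every sample line below is constructed.
SAMPLE_LOG = [
    '10.0.0.5 - - [18/Jun/2021:09:47:00 +0000] "GET /solr/mycore/select?q=*:* HTTP/1.1" 200 512',
    '10.0.0.9 - - [18/Jun/2021:09:47:05 +0000] "GET /solr/mycore/replication?wt=json HTTP/1.1" 200 900',
    '203.0.113.7 - - [18/Jun/2021:09:48:11 +0000] "GET /solr/mycore/replication?masterUrl=http://192.0.2.10/x HTTP/1.1" 200 80',
    '203.0.113.7 - - [18/Jun/2021:09:48:30 +0000] "GET /myappsearch?search=..%2F..%2Freplication%3FleaderUrl%3Dhttp%3A%2F%2F192.0.2.10%2F HTTP/1.1" 200 80',
]

REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# Handler path and argument names come from the CVE text quoted in the thread.
HANDLER_RE = re.compile(r'/replication(?=[/?&#]|$)', re.I)
URL_PARAM_RE = re.compile(r'[?&](masterUrl|leaderUrl)=([^&\s]*)', re.I)

def decode(target, rounds=3):
    """Undo up to `rounds` layers of percent-encoding (nested encoding hides the path)."""
    for _ in range(rounds):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target

def inspect_line(line):
    """Return a finding dict if the request reaches /replication, else None."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    target = decode(m.group(1))
    handler = HANDLER_RE.search(target)
    if not handler:
        return None
    query_start = target.find("?")
    path_end = len(target) if query_start == -1 else query_start
    param = URL_PARAM_RE.search(target, handler.end())
    return {
        # "direct": /replication is in the request path itself;
        # "passed-through": it only appears inside a parameter value.
        "route": "direct" if handler.start() < path_end else "passed-through",
        "url_param": param.group(1) if param else None,
        "url_value": param.group(2) if param else None,
    }

def scan(lines):
    """Return (line_number, finding) for every line that touches the handler."""
    return [(n, f) for n, line in enumerate(lines, 1) if (f := inspect_line(line))]

if __name__ == "__main__":
    for n, finding in scan(SAMPLE_LOG):
        print(n, finding)
```

A finding with url_param set is the one to review first, since that is the argument the CVE description singles out; a "passed-through" route points at the front-end application's input handling rather than at Solr's network exposure.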
