CVE-2019-12409:Default Configuration in Apache Solr Could Lead to Remote Code Execution
Linux servers using Apache Solr versions 8.1.1 and 8.2.0 with default configurations are potentially vulnerable to remote code execution.
Antecedentes
On July 22, 2019, a configuration flaw in versions 8.1.1 and 8.2.0 was found in Apache Solr, the open-source search-engine platform. John Ryan originally reported the issue and credit was also given to Matei “Mal” Badanoiu for noting the flaw could lead to remote code execution (RCE).
Análisis
CVE-2019-12409 is a flaw in the default configuration of the solr.in.sh file in Apache Solr. If this file is used in its default configuration in versions 8.1.1 and 8.2.0, unauthenticated access to the Java Management Extensions (JMX) monitoring on the RMI_PORT (default 18983) is allowed. Anyone with access to a vulnerable Solr server, and, in turn, JMX, could upload malicious code that could then be executed.
Prueba de concepto
There is currently a proof of concept (PoC) available in a GitHub repository implementing the MJET script by MOGWAI LABS to create a reverse shell on a system with the vulnerable configuration.
CVE-2019-12409 Apache Solr RCE pic.twitter.com/NFClK5M5od
— Jas502n (@jas502n) November 19, 2019
Solución
On November 18, Apache Solr revised the originally reported bug report after it was found that the flaw could lead to RCE. In addition, the Changelog highlighted this flaw as one of the fixes in Apache Solr version 8.3.
Per the security advisory, this vulnerability can also be remediated by setting the ENABLE_REMOTE_JMX_OPTS parameter to ’false’ in the solr.in.sh file. The change can be confirmed by ensuring the com.sun.management.jmxremote* properties are not listed in the Solr Admin interface under the Java Properties section.
Identificación de los sistemas afectados
A list of Tenable plugins to identify this vulnerability will appear here as they’re released.
Obtenga más información
- Solr Security Advisory
- Attacking RMI Based JMX Services
- Solr Bug Tracker for CVE-2019-12409
- GitHub Repository with PoC for CVE-2019-12409
Únase al Equipo de respuesta de seguridad de Tenable en Tenable Community.
Obtenga más información sobre Tenable, la primera plataforma de Cyber Exposure para el control integral de la superficie de ataque moderna.
Get a free 60-day trial of Tenable.io Vulnerability Management.
Rody Quinlan
Staff Research Engineer, Security Response
Rody Quinlan previously worked at Tenable and in mid 2024 returned as a member of the Security Response Team (SRT). Prior to this he led the Security Operations team at Fenergo, a fintech unicorn, for a number of years delivering a number of functions including incident response, threat intelligence and vulnerability management. He has also worked previously as a Senior Threat & Vulnerability Management Analyst for one of Ireland's pillar banking institutions as well as a security supervisory role in a leading cloud providers data centers for a number of years. He holds and maintains a number of certifications too long to list here but can be found on his LinkedIn and Credly profiles, is an avid learner and usually has at least one course on the go at any given time.
Intereses fuera de trabajo: Whether he’s holding a recurve or compound bow, Rody enjoys some downtime from screens on the archery range. He also enjoys building props from his favorite films and TV series and is an avid fan of Sir Terry Pratchett's works.
Artículos relacionados
Forrester Names Tenable a Leader in the Q3 2025 Unified Vulnerability Management Solutions Wave™ Report
“Tenable continues to extend its established vulnerability management offerings into exposure management with its Tenable One platform,” according to the report....
CVE-2025-53770: Frequently Asked Questions About Zero-Day SharePoint Vulnerability Exploitation
Successful exploitation of CVE-2025-53770 could expose MachineKey configuration details from a vulnerable SharePoint Server, ultimately enabling unauthenticated remote code execution....
CVE-2025-54309: CrushFTP Zero-Day Vulnerability Exploited In The Wild
A critical zero-day flaw in CrushFTP that can grant attackers administrator access was discovered on July 18 and is under active exploitation....
- Vulnerability Management