Skip to content

Latest commit

 

History

History
58 lines (49 loc) · 4.79 KB

attack-surface.md

File metadata and controls

58 lines (49 loc) · 4.79 KB

Attack Surface Analysis for apache/solr

Attack Surface: Remote Code Execution (RCE) via VelocityResponseWriter

Description: Attackers exploit vulnerabilities in the VelocityResponseWriter to execute arbitrary code on the Solr server. How Solr Contributes: Solr's VelocityResponseWriter allows rendering of templates, which can be manipulated to include malicious code. This is a direct and inherent risk of using this component. Example: An attacker sends a crafted request with a malicious Velocity template that uses Java reflection to execute system commands:

/solr/mycollection/select?q=*:*&wt=velocity&v.template=custom&v.template.custom=#set($x='') #set($rt=$x.class.forName('java.lang.Runtime')) #set($chr=$x.class.forName('java.lang.Character')) #set($str=$x.class.forName('java.lang.String')) #set($ex=$rt.getRuntime().exec('id')) $ex.waitFor() #set($out=$ex.getInputStream()) #foreach($i in [1..$out.available()])$str.valueOf($chr.toChars($out.read()))#end

Impact: Complete server compromise. The attacker gains full control over the Solr server and potentially the underlying operating system. Data theft, data destruction, and lateral movement are all possible. Risk Severity: Critical Mitigation Strategies: * Disable VelocityResponseWriter: This is the most effective mitigation. If it's not absolutely required, disable it entirely in solrconfig.xml. * Disable External Entities: If VelocityResponseWriter must be used, set enableExternalEntities=false in its configuration. * Input Sanitization: Thoroughly sanitize any user-supplied data used within Velocity templates. This is defense-in-depth, not a primary mitigation. * Restrict API Access: Use Solr's authentication/authorization to limit access to the /select endpoint, especially with VelocityResponseWriter.

Attack Surface: Unauthenticated API Access

Description: Attackers can directly interact with the Solr API without needing credentials. How Solr Contributes: Solr's API, if authentication is not enabled or is misconfigured, provides direct access to core functionality. This is a direct risk stemming from how Solr exposes its functionality. Example: An attacker directly accesses /solr/admin/cores to list cores, or uses /solr/mycollection/update to add/modify/delete data without authentication. Impact: Data breaches, data modification/deletion, denial of service, and potential escalation to other vulnerabilities. Risk Severity: High (can be Critical depending on data sensitivity and exposed functionality) Mitigation Strategies: * Enable Authentication: Use Solr's built-in authentication (Basic Authentication, Kerberos, or custom plugin). * Enable Authorization: Define roles and permissions to restrict access to specific API endpoints and collections. Grant only necessary privileges.

Attack Surface: XML External Entity (XXE) Injection

Description: Attackers inject malicious XML with external entity references to read local files or access internal resources. How Solr Contributes: Solr directly processes XML in various contexts (update handlers, configuration, custom request handlers). If XML parsing isn't properly configured, it's directly vulnerable. Example: An attacker sends an update request with a malicious XML payload:

<!DOCTYPE foo [
  <!ELEMENT foo ANY >
  <!ENTITY xxe SYSTEM "file:///etc/passwd" >]>
<foo>&xxe;</foo>

Impact: Disclosure of sensitive local files, server-side request forgery (SSRF), and potential denial of service. Risk Severity: High Mitigation Strategies: * Disable External Entities: Configure Solr's XML parsers to disable processing of external entities and DTDs (usually in solrconfig.xml). * Use Safe Parsers: If custom XML parsing is needed, use a secure XML parser library configured to prevent XXE. * Input Validation: Validate and sanitize all incoming XML data before processing.

Attack Surface: Config API Manipulation

Description: Attackers with access to Config API can change Solr configuration. How Solr Contributes: Solr directly provides Config API to manage configuration. Example: Attackers can enable VelocityResponseWriter or disable security features. Impact: Attackers can introduce new vulnerabilities or disable security features. Risk Severity: High Mitigation Strategies: * Restrict Access: Use firewall rules to restrict access to the Config API. * Authentication: Use Solr's authentication and authorization mechanisms to control access to the Config API.