AttackerKB AKB:AA14B243-8E3B-42FA-B2F2-B686B440E2F3
History: Sep 11, 2019 - 12:00 a.m.

Apache Solr 8.11, 8.20 have unauthenticated JMX server enabled in default config

2019-09-11 00:00:00
attackerkb.com
12

EPSS: 0.055 (Low)
EPSS Percentile: 93.3%

The 8.1.1 and 8.2.0 releases of Apache Solr contain an insecure setting for the ENABLE_REMOTE_JMX_OPTS configuration option in the default solr.in.sh configuration file shipping with Solr. If you use the default solr.in.sh file from the affected releases, then JMX monitoring will be enabled and exposed on RMI_PORT (default=18983), without any authentication. If this port is opened for inbound traffic in your firewall, then anyone with network access to your Solr nodes will be able to access JMX, which may in turn allow them to upload malicious code for execution on the Solr server.
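As an added illustration, not taken from the AttackerKB page or from the Solr project, here is a small Python check for this misconfiguration in a solr.in.sh file: it parses the active shell assignments, flags ENABLE_REMOTE_JMX_OPTS="true" together with the RMI_PORT that would be exposed (18983 when unset), and rewrites the setting to "false". The sample file contents and the hostname are constructed.

```python
import re

# Constructed fragment mimicking the affected default solr.in.sh (not a real Solr file).
VULNERABLE_SOLR_IN_SH = """
# Enable remote JMX access by uncommenting the property below.
ENABLE_REMOTE_JMX_OPTS="true"
RMI_PORT=18983
SOLR_HOST=solr1.example.internal
"""

# Constructed fragment with the option commented out, as unaffected releases ship it.
HARDENED_SOLR_IN_SH = """
# Enable remote JMX access by uncommenting the property below.
#ENABLE_REMOTE_JMX_OPTS="false"
#RMI_PORT=18983
"""

# Matches an active shell assignment such as KEY=value or export KEY="value".
ASSIGN_RE = re.compile(r'^(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)=(.*)$')


def parse_solr_in_sh(text):
    """Return the active (uncommented) KEY=VALUE assignments; a later line wins."""
    settings = {}
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue  # blank lines and comments never take effect
        m = ASSIGN_RE.match(stripped)
        if m:
            settings[m.group(1)] = m.group(2).strip().strip('"\'')
    return settings


def check_remote_jmx(text):
    """Return (exposed, rmi_port): exposed is True when unauthenticated JMX would start."""
    s = parse_solr_in_sh(text)
    exposed = s.get("ENABLE_REMOTE_JMX_OPTS", "false").strip().lower() == "true"
    port = int(s.get("RMI_PORT", "18983")) if exposed else None  # 18983 is Solr's default
    return exposed, port


def harden(text):
    """Rewrite every active ENABLE_REMOTE_JMX_OPTS assignment to \"false\"."""
    out = []
    for line in text.splitlines():
        m = ASSIGN_RE.match(line.strip())
        if m and m.group(1) == "ENABLE_REMOTE_JMX_OPTS":
            out.append('ENABLE_REMOTE_JMX_OPTS="false"')
        else:
            out.append(line)
    return "\n".join(out) + "\n"
```

A remote check of the RMI port, as the assessment below recommends, is still the better confirmation: the file check only tells you what the Solr start script would do with this configuration.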

Recent assessments:

busterb at November 20, 2019 4:00am UTC reported:

This configuration issue could really affect any version, since it’s just someone having left the debug option on in the default config.
Metasploit has had a general scanner for this misconfiguration since 2012 in auxiliary/scanner/misc/java_rmi_server and 2011 in modules/exploits/multi/misc/java_rmi_server. Just noticed <https://github.com/rapid7/metasploit-framework/pull/12565> which might be useful as well.

Shodan only shows maybe one host on the internet exposing this port in something that could plausibly look like JMX. The next great internet worm this will not be: <https://www.shodan.io/search?query=port%3A18983>

I’m giving this a high attacker utility but also a low urgency to patch, because the patch is almost irrelevant here. If you’re using the default solr config, your solr install probably doesn’t work anyway! The patch isn’t really required to fix this configuration bug, and you could be vulnerable with or without updating to a newer version. Even if you patch, if you have a bad config, it’s not necessarily going to auto-update either. Any authenticated vuln scan is probably going to produce misleading results about whether you’re actually vulnerable or not, unless it checks your config file. Doing a remote scan is much better.

The mitigation is really just making sure you don’t deploy a config that leaves unauth RMI servers on a network, but nothing really stops you from shooting yourself in the foot either. Note that Solr’s own docs tell you how to enable this bit, but also it says to not use it in production. <https://lucene.apache.org/solr/guide/7_0/using-jmx-with-solr.html>

Assessed Attacker Value: 5