CVE-2019-0192

Name of the Vulnerable Software and Affected Versions Apache Solr versions 5.0.0 through 5.5.5 Apache Solr versions 6.0.0 through 6.6.5

Description The issue is related to the Config API in Apache Solr, which allows configuration of the JMX server via an HTTP POST request. This can be exploited by pointing it to a malicious RMI server, taking advantage of Solr's unsafe deserialization to trigger remote code execution on the Solr side. The vulnerability is associated with the deserialization of untrusted data, which can allow a remote attacker to execute arbitrary code on the Solr side using an HTTP POST request.

Recommendations For Apache Solr versions 5.0.0 through 5.5.5, update to a version outside of this range to mitigate the risk. For Apache Solr versions 6.0.0 through 6.6.5, update to a version outside of this range to mitigate the risk. As a temporary workaround, consider restricting access to the Config API to minimize the risk of exploitation. Avoid using the Config API to configure the JMX server via an HTTP POST request until the issue is resolved.