Security researchers have recently found a relative path traversal vulnerability (also known as "zipslip") in Apache Solr software, which can be exploited by malicious actors to perform arbitrary write-access to affected file paths. Affected versions of Apache Solr include 6.6 through 9.7. In light of this discovery, users are urged to take necessary precautions and upgrade their instances to Apache Solr version 9.8 or above, which contains a patch for the vulnerability. In this post, we will elaborate on the exploit details, relevant code snippets, and links to original references for better understanding.
Exploit Details
The vulnerability exists due to insufficient input validation in the "configset upload" API of Apache Solr when running on Windows systems. Attackers can create specially-crafted ZIP files containing relative file paths that allow them to access and modify unintended parts of the filesystem.
Here is an example of a malicious ZIP entry with a relative file path:
# Malicious entry in a ZIP archive
entry.filename = "../../../outside_folder/evil_file"
An attacker can craft a ZIP file with a path traversal payload, like the one shown above, and send it through a request to the vulnerable API. The lack of input validation allows the ZIP file to be accepted, and the relative file path can cause the "evil_file" to be written to an unintended location in the filesystem.
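The defensive counterpart to the entry above is an extraction routine that resolves every entry name against the destination directory and refuses anything that lands outside it. The following is an added example, not code from Apache Solr; it assumes a hand-rolled write loop (as an upload handler might have) and a constructed sample archive containing one benign configset file, the page's traversal entry, and a backslash (Windows) variant of it:

```python
import io, os, tempfile, zipfile

def is_contained(dest_dir: str, entry_name: str) -> bool:
    # True only if entry_name, resolved against dest_dir, stays inside dest_dir.
    # Covers '../' climbing plus the Windows forms a POSIX-only check misses:
    # backslash separators, drive letters ('C:') and UNC prefixes ('\\host\share').
    name = entry_name.replace("\\", "/")          # Windows treats '\' as a separator
    if not name or "\x00" in name:                # empty name or NUL-truncation trick
        return False
    if name.startswith("/") or (len(name) > 1 and name[1] == ":"):
        return False                              # absolute, UNC or drive-letter path
    root = os.path.realpath(dest_dir)
    target = os.path.realpath(os.path.join(root, *name.split("/")))
    try:
        return os.path.commonpath([root, target]) == root
    except ValueError:                            # e.g. different drives on Windows
        return False

def safe_extract(zip_bytes: bytes, dest_dir: str):
    # Extract entries by hand and return (written, rejected); rejected entries never touch disk.
    written, rejected = [], []
    root = os.path.realpath(dest_dir)
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if not is_contained(root, info.filename):
                rejected.append(info.filename)
                continue
            target = os.path.join(root, *info.filename.replace("\\", "/").split("/"))
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
            else:
                os.makedirs(os.path.dirname(target), exist_ok=True)
                with open(target, "wb") as fh:
                    fh.write(zf.read(info))
            written.append(info.filename)
    return written, rejected

def build_sample_zip() -> bytes:
    # Constructed sample archive (not a real Solr configset upload).
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("myconfig/solrconfig.xml", "<config/>")           # benign
        zf.writestr("../../../outside_folder/evil_file", "x")         # entry from the page
        zf.writestr("..\\..\\outside_folder\\evil_file", "x")         # Windows-style variant
    return buf.getvalue()

def demo():
    # Run the sample through the hardened extractor in a throwaway directory.
    with tempfile.TemporaryDirectory() as d:
        return safe_extract(build_sample_zip(), d)
```

Note that Python's own ZipFile.extract() already strips such components; the manual write loop above mirrors an upload handler that does not, which is why the explicit containment check matters.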
Original References
For more information on this vulnerability, including a detailed explanation and proposed solutions, here are some relevant links:
1. CVE-2024-52012 Official Alert
2. Apache Solr Official Documentation
3. Snyk's ZipSlip Vulnerability Guide
4. Rule-Based Authentication Plugin for Solr
Mitigation
As already mentioned, users must upgrade their Apache Solr instances to version 9.8 or above to fix this vulnerability. If upgrading is not an immediate option, users can protect their Solr instances by employing the "Rule-Based Authentication Plugin". This plugin enables administrators to limit access to the "configset upload" API to a trusted set of users only, effectively minimizing the risk of exploitation. The following link provides more information on setting up rule-based authentication in Solr: Configuring Rule-Based Authorization in Solr
In conclusion, CVE-2024-52012 has exposed a critical relative path traversal vulnerability in Apache Solr. Users must take immediate action to either upgrade to a more secure version or implement rule-based authentication to prevent potential exploitation by malicious actors. Always stay updated and informed about the latest security advisories to protect your systems and data.
Timeline
Published on: 01/27/2025 09:15:14 UTC
Last modified on: 02/06/2025 17:15:19 UTC