New Research: Apache Solr Parameter Injection

Apache Solr is an open source enterprise search platform, written in Java, from the Apache Lucene project. Its major features include full-text search, hit highlighting, faceted search, dynamic clustering, and document parsing. You treat it like a database: you run the server, create a collection, and send different types of data to it (such as text, XML documents, PDF documents, etc.). Solr automatically indexes this data and provides a fast but rich REST API interface to search it. The only protocol to talk to the server is HTTP, and yes, it's accessible without authentication by default, which makes it a perfect victim for keen hackers.

In a new research paper, Veracode Security Researcher Michael Stepankin sheds light on this new type of vulnerability for web applications – Solr parameter injection – and explains how cyberattackers can achieve remote code execution through it. Whether the Solr instance is Internet-facing, behind the reverse proxy, or used only by internal web applications, the ability to modify Solr research parameters is a significant security risk. Further, in cases where only a web application that uses Solr is accessible, by exploiting 'Solr (local) Parameters Injection,' it is possible to at least modify or view all the data within the Solr cluster, or even exploit known vulnerabilities to achieve remote code execution.

Read the in-depth, technical whitepaper, “Apache Solr Injection,” on GitHub.