CVE-2019-17558
Published: 30 December 2019
Summary
CVE-2019-17558 is a high-severity Injection (CWE-74) vulnerability in Oracle Primavera Unifier. Its CVSS base score is 7.5 (High).
Operationally, it is ranked in the top 0.0% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and CM-5 (Access Restrictions for Change).
Deeper analysis
Apache Solr versions 5.0.0 through 8.3.1 contain a remote code execution vulnerability in the VelocityResponseWriter component. The issue stems from the ability to supply Velocity templates either via a user-controlled configset in the velocity/ directory or through request parameters when the params.resource.loader.enabled setting is activated on a custom response writer. Because these templates are rendered without sufficient sandboxing, an attacker-supplied template can execute arbitrary code on the Solr server. The CVSS 7.5 score reflects the high impact on confidentiality, integrity, and availability when the flaw is successfully triggered.
Exploitation requires an attacker to either upload a malicious configset or obtain access to the Solr configuration API in order to define a response writer with the parameter resource loader enabled. Once a template containing executable directives is rendered, the attacker can achieve full remote code execution under the privileges of the Solr process. The attack complexity is rated high because parameter-based templates are disabled by default and configset uploads typically require authentication.
Advisories and the Solr 8.4 release notes state that the params resource loader has been removed entirely. Configset-provided Velocity templates are now rendered only when the configset is marked trusted, which occurs solely for uploads performed by authenticated users. Security practitioners are advised to upgrade to Solr 8.4 or later and to restrict configuration API access to trusted administrators.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2020-0320
Vulnerability details
Apache Solr 5.0.0 to Apache Solr 8.3.1 are vulnerable to a Remote Code Execution through the VelocityResponseWriter. A Velocity template can be provided through Velocity templates in a configset `velocity/` directory or as a parameter. A user defined configset could contain renderable, potentially malicious, templates. Parameter provided templates are disabled by default, but can be enabled by setting `params.resource.loader.enabled` by defining a response writer with that setting set to `true`. Defining a response writer requires configuration API access. Solr 8.4 removed the params resource loader entirely, and only enables the configset-provided template rendering when the configset is `trusted` (has been uploaded by an authenticated user).
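The two exposure conditions described above (an affected Solr version, and a VelocityResponseWriter with `params.resource.loader.enabled` set) can be checked from a copy of `solrconfig.xml`. This is an added audit script, not code from Solr or from the advisory; it assumes the writer is declared with the standard `<queryResponseWriter>` element and the version string is of the form `major.minor.patch`.

```python
"""Added example: audit a Solr instance for the CVE-2019-17558 exposure conditions.
Not part of Solr; assumes the solrconfig.xml <queryResponseWriter> element form."""
import xml.etree.ElementTree as ET

AFFECTED_MIN, AFFECTED_MAX = (5, 0, 0), (8, 3, 1)  # range from the advisory, inclusive


def parse_version(version):
    """'8.3.1' -> (8, 3, 1); missing components count as zero."""
    parts = [int(p) for p in version.strip().split(".")[:3]]
    return tuple(parts + [0] * (3 - len(parts)))


def is_affected_version(version):
    return AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX


def find_velocity_writers(solrconfig_xml):
    """One record per VelocityResponseWriter: its name and whether the
    params resource loader (templates taken from request parameters) is on."""
    found = []
    for w in ET.fromstring(solrconfig_xml).iter("queryResponseWriter"):
        if not w.get("class", "").endswith("VelocityResponseWriter"):
            continue
        flag = w.find("bool[@name='params.resource.loader.enabled']")
        enabled = flag is not None and (flag.text or "").strip().lower() == "true"
        found.append({"name": w.get("name"), "params_loader": enabled})
    return found


def audit(version, solrconfig_xml):
    """Rank the exposure; 'none' once the instance is outside the affected range."""
    if not is_affected_version(version):
        return "none"
    writers = find_velocity_writers(solrconfig_xml)
    if any(w["params_loader"] for w in writers):
        return "high"    # templates accepted from request parameters
    if writers:
        return "medium"  # only configset velocity/ templates are renderable
    return "low"         # writer not defined; a configset upload could still add it


# Constructed sample: the weak setting beside the corrected one.
WEAK_CONFIG = """<config>
  <queryResponseWriter name="velocity" class="solr.VelocityResponseWriter" startup="lazy">
    <bool name="params.resource.loader.enabled">true</bool>
  </queryResponseWriter>
</config>"""
SAFE_CONFIG = WEAK_CONFIG.replace(">true<", ">false<")

if __name__ == "__main__":
    for ver, cfg in (("8.3.1", WEAK_CONFIG), ("8.3.1", SAFE_CONFIG), ("8.4.0", WEAK_CONFIG)):
        print(ver, audit(ver, cfg))
```

A "medium" result still warrants restricting configset uploads and the configuration API, since on an affected version a configset's `velocity/` templates remain renderable regardless of the flag.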
- CWE(s): CWE-74 (Injection)
- KEV Date Added: 03 November 2021
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
AC-3 (Access Enforcement): enforces access control on the Solr configuration API and configset uploads so that only authorized users can define response writers or supply velocity/ templates.
CM-5 (Access Restrictions for Change): restricts the ability to perform configuration changes (response-writer definitions, configset uploads) that would enable the params resource loader or introduce malicious Velocity templates.
Requires timely application of the Solr 8.4+ patch that removes the params resource loader and restricts template rendering to trusted (authenticated) configsets.