CVE-2021-27905
📋 TL;DR
CVE-2021-27905 is a Server-Side Request Forgery (SSRF) vulnerability in Apache Solr's ReplicationHandler that allows attackers to make arbitrary HTTP requests from the Solr server. This can lead to internal network reconnaissance, data exfiltration, or chaining with other vulnerabilities. All Apache Solr versions before 8.8.2 are affected.
💻 Affected Systems
- Apache Solr
📦 What is this software?
Solr by Apache
⚠️ Risk & Real-World Impact
Worst Case
Full compromise of the Solr server leading to internal network pivoting, data theft, and potential remote code execution through chained vulnerabilities.
Likely Case
Internal network reconnaissance, data exfiltration from internal services, and potential denial of service through resource exhaustion.
If Mitigated
Limited impact if proper network segmentation and access controls prevent the Solr server from reaching sensitive internal resources.
🎯 Exploit Status
Exploitation requires sending crafted requests to the ReplicationHandler endpoint. No authentication is required by default.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 8.8.2
Vendor Advisory: https://lists.apache.org/thread.html/r0ddc3a82bd7523b1453cb7a5e09eb5559517145425074a42eb326b10%40%3Cannounce.apache.org%3E
Restart Required: Yes
Instructions:
1. Download Apache Solr 8.8.2 or later from the official website.
2. Back up your current Solr installation and data.
3. Stop the Solr service.
4. Replace the Solr installation with the patched version.
5. Restart the Solr service.
6. Verify the version is 8.8.2 or higher.
🔧 Temporary Workarounds
Disable ReplicationHandler
Remove or disable the ReplicationHandler endpoint if it is not required for your deployment. Note that this also disables index replication for leader/follower setups and the handler's backup/restore commands, so confirm neither is in use first.
Edit solrconfig.xml and remove or comment out the <requestHandler name="/replication" class="solr.ReplicationHandler" /> section, then reload the core.
Network Access Control
Restrict network access to the Solr port using firewall rules. Note that the rules below restrict all of port 8983 (every Solr endpoint, not just the ReplicationHandler), so only trusted_ip can reach Solr at all; the ACCEPT rule must be appended before the DROP rule, since iptables evaluates rules in order.
iptables -A INPUT -p tcp --dport 8983 -s trusted_ip -j ACCEPT
iptables -A INPUT -p tcp --dport 8983 -j DROP
🧯 If You Can't Patch
- Implement strict network segmentation to prevent the Solr server from accessing sensitive internal resources.
- Deploy a web application firewall (WAF) with SSRF protection rules to block malicious requests.
🔍 How to Verify
Check if Vulnerable:
Check whether the Solr version is below 8.8.2 and whether the ReplicationHandler endpoint is reachable at /solr/core_name/replication (substitute the name of one of your cores).
Check Version:
curl http://solr_host:8983/solr/admin/info/system | grep -o '"solr-spec-version":"[^"]*"'
Verify Fix Applied:
Verify that the Solr version is 8.8.2 or higher, and test that replication requests whose masterUrl parameter points at a host outside your allow-list are blocked.
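The version check above is easy to get wrong when scripted, because a plain string comparison treats "8.10.0" as older than "8.8.2". The following added example (not part of this advisory or of Apache Solr) parses the JSON that /solr/admin/info/system returns, reads the solr-spec-version field under the lucene object, and compares it with 8.8.2 numerically. The SAMPLE_RESPONSE body is constructed; in practice you would feed in the output of the curl command above.

```python
"""Compare a Solr system-info response against the CVE-2021-27905 fix version.

Added example, not from the advisory: parses the JSON returned by
/solr/admin/info/system and compares "solr-spec-version" with 8.8.2
numerically, so that 8.10.x is correctly treated as newer than 8.8.2.
"""
import json
import re
from typing import Tuple

FIXED_VERSION = "8.8.2"


def parse_version(ver: str) -> Tuple[int, ...]:
    """Turn '8.8.1' or '8.8.2-SNAPSHOT' into a comparable tuple such as (8, 8, 1)."""
    m = re.match(r"^(\d+(?:\.\d+)*)", ver.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {ver!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    # Pad to three components so that "8.8" compares as 8.8.0.
    return parts + (0,) * (3 - len(parts))


def solr_version_from_system_info(body: str) -> str:
    """Extract the reported Solr version from a /solr/admin/info/system JSON body."""
    info = json.loads(body)
    return info["lucene"]["solr-spec-version"]


def is_vulnerable(version: str) -> bool:
    """True when the version predates the 8.8.2 fix."""
    return parse_version(version) < parse_version(FIXED_VERSION)


def assess(body: str) -> dict:
    """Summarise a system-info response as version / vulnerable / fixed_in."""
    v = solr_version_from_system_info(body)
    return {"version": v, "vulnerable": is_vulnerable(v), "fixed_in": FIXED_VERSION}


# Constructed sample, trimmed to the shape of a real /solr/admin/info/system response.
SAMPLE_RESPONSE = json.dumps({
    "responseHeader": {"status": 0, "QTime": 5},
    "mode": "std",
    "lucene": {
        "solr-spec-version": "8.8.1",
        "lucene-spec-version": "8.8.1",
    },
})

if __name__ == "__main__":
    print(assess(SAMPLE_RESPONSE))
```

To run it against a live instance, pipe `curl -s http://solr_host:8983/solr/admin/info/system` into the script and pass the body to assess(); the same parse_version() helper also serves the "Verify Fix Applied" step.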
📡 Detection & Monitoring
Log Indicators:
- Unusual requests to /replication endpoint with external URLs in parameters
- HTTP requests originating from Solr server to unexpected internal services
Network Indicators:
- Outbound HTTP requests from Solr server to internal IP ranges not typically accessed
- Traffic patterns suggesting port scanning from the Solr server
SIEM Query:
source="solr.log" AND (url="/replication" AND (param="masterUrl" OR param="leaderUrl")) AND NOT dest_ip IN allowed_ips
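The SIEM query above is pseudo-syntax; the following added example (not part of this advisory or of Apache Solr) implements the same logic as a detector over Solr request-log lines. It reads the path=... params={...} portion of each o.a.s.c.S.Request entry, extracts the masterUrl or leaderUrl value of /replication requests, and flags any whose host falls outside an allow-list of known replication leaders. The log lines, the allow-listed network 10.0.0.0/24 and the hostname solr-leader.internal are all constructed for the example.

```python
"""Flag Solr replication requests whose leader URL is outside an allow-list.

Added example, not from the advisory: a detector over Solr request-log lines
(shape of o.a.s.c.S.Request entries) implementing the SIEM logic above.
The allow-list and the sample log lines are constructed.
"""
import ipaddress
import re
from typing import List, Optional
from urllib.parse import parse_qs, urlsplit

# Constructed allow-list: the only hosts a follower should ever pull an index from.
ALLOWED_NETWORKS = [ipaddress.ip_network("10.0.0.0/24")]
ALLOWED_HOSTNAMES = {"solr-leader.internal"}

# Matches the "path=/replication params={...}" portion of a Solr request log line.
LOG_RE = re.compile(r"path=(?P<path>\S+)\s+params=\{(?P<params>[^}]*)\}")

# masterUrl is the pre-8.7 name; leaderUrl is accepted by newer releases.
URL_PARAMS = ("masterUrl", "leaderUrl")


def leader_url(line: str) -> Optional[str]:
    """Return the masterUrl/leaderUrl value of a /replication request, else None."""
    m = LOG_RE.search(line)
    if not m or not m.group("path").endswith("/replication"):
        return None
    # parse_qs already percent-decodes values, so no second decoding pass.
    params = parse_qs(m.group("params"), keep_blank_values=True)
    for name in URL_PARAMS:
        if name in params:
            return params[name][0]
    return None


def host_allowed(url: str) -> bool:
    """True only when the URL's host is an allow-listed name or address."""
    host = urlsplit(url).hostname
    if host is None:
        return False  # unparseable or schemeless URL: treat as suspicious
    if host in ALLOWED_HOSTNAMES:
        return True
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False  # unknown hostname
    return any(addr in net for net in ALLOWED_NETWORKS)


def suspicious_replication_requests(lines: List[str]) -> List[str]:
    """Return the leader URLs from log lines that point outside the allow-list."""
    hits = []
    for line in lines:
        url = leader_url(line)
        if url is not None and not host_allowed(url):
            hits.append(url)
    return hits


# Constructed sample log lines in the shape of Solr's request log.
SAMPLE_LOG = [
    "2021-04-01 10:15:23.101 INFO  (qtp1-19) [   x:core1] o.a.s.c.S.Request [core1]  webapp=/solr path=/select params={q=*:*&wt=json} hits=3 status=0 QTime=1",
    "2021-04-01 10:15:24.202 INFO  (qtp1-20) [   x:core1] o.a.s.c.S.Request [core1]  webapp=/solr path=/replication params={command=fetchindex&masterUrl=http://10.0.0.5:8983/solr/core1} status=0 QTime=3",
    "2021-04-01 10:15:25.303 INFO  (qtp1-21) [   x:core1] o.a.s.c.S.Request [core1]  webapp=/solr path=/replication params={command=fetchindex&masterUrl=http%3A%2F%2F192.168.50.7%3A8080%2F} status=0 QTime=2",
    "2021-04-01 10:15:26.404 INFO  (qtp1-22) [   x:core1] o.a.s.c.S.Request [core1]  webapp=/solr path=/replication params={command=fetchindex&leaderUrl=http://solr-leader.internal:8983/solr/core1} status=0 QTime=2",
    "2021-04-01 10:15:27.505 INFO  (qtp1-23) [   x:core1] o.a.s.c.S.Request [core1]  webapp=/solr path=/replication params={command=details} status=0 QTime=1",
]

if __name__ == "__main__":
    for url in suspicious_replication_requests(SAMPLE_LOG):
        print("ALERT: replication fetch from non-allow-listed host:", url)
```

The allow-list is deliberately an explicit set of leader hosts rather than a block-list of internal ranges: a follower has a small, known set of legitimate leaders, and anything else in masterUrl or leaderUrl deserves a look regardless of whether the address is internal or external.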
🔗 References
- https://lists.apache.org/thread.html/r0ddc3a82bd7523b1453cb7a5e09eb5559517145425074a42eb326b10%40%3Cannounce.apache.org%3E
- https://lists.apache.org/thread.html/r140128dc6bb4f4e0b6a39e962c7ca25a8cbc8e48ed766176c931fccc%40%3Cusers.solr.apache.org%3E
- https://lists.apache.org/thread.html/r3da74965aba2b5f5744b7289ad447306eeb2940c872801819faa9314%40%3Cusers.solr.apache.org%3E
- https://lists.apache.org/thread.html/r6ccec7fc54d82591b23c143f1f6a6e38f6e03e75db70870e4cb14a1a%40%3Ccommits.ofbiz.apache.org%3E
- https://lists.apache.org/thread.html/r720a4a0497fc90bad5feec8aa18b777912ee15c7eeb5f882adbf523e%40%3Ccommits.ofbiz.apache.org%3E
- https://lists.apache.org/thread.html/r78a3a4f1138a1608b0c6d4a2ee7647848c1a20b0d5c652cd9b02c25a%40%3Ccommits.ofbiz.apache.org%3E
- https://lists.apache.org/thread.html/r8f1152a43c36d878bbeb5a92f261e9efaf3af313b033d7acfccea59d%40%3Cnotifications.ofbiz.apache.org%3E
- https://lists.apache.org/thread.html/r95df34bb158375948da82b4dfe9a1b5d528572d586584162f8f5aeef%40%3Cusers.solr.apache.org%3E
- https://lists.apache.org/thread.html/rae9ccaecce9859f709ed1458545d90a4c07163070dc98b5e9e59057f%40%3Cnotifications.ofbiz.apache.org%3E
- https://lists.apache.org/thread.html/rd232d77c57a8ce172359ab098df9512d8b37373ab87c444be911b430%40%3Cnotifications.ofbiz.apache.org%3E
- https://lists.apache.org/thread.html/re9d64bb8e5dfefddcbf255adb4559e13a0df5b818da1b9b51329723f%40%3Cnotifications.ofbiz.apache.org%3E
- https://security.netapp.com/advisory/ntap-20210611-0009/