CVE-2021-29943

9.1 CRITICAL

📋 TL;DR

This vulnerability in Apache Solr's ConfigurableInternodeAuthHadoopPlugin causes distributed (inter-node) requests to be forwarded using the server's own credentials instead of the original client's credentials, so the receiving node makes its authorization decision for the wrong principal. Attackers could exploit this to bypass intended access controls and potentially access unauthorized data. Organizations running affected Solr versions with this authentication plugin enabled are at risk.

💻 Affected Systems

Products:
  • Apache Solr
Versions: All versions prior to 8.8.2
Operating Systems: All operating systems running Apache Solr
Default Config Vulnerable: ✅ No
Notes: Only affects systems using ConfigurableInternodeAuthHadoopPlugin for authentication. Default configurations without this plugin are not vulnerable.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete authentication bypass allowing unauthorized access to sensitive indexed data, potentially leading to data exfiltration or manipulation of search results.

🟠 Likely Case

Privilege escalation where users can access data beyond their authorized permissions, violating data segregation policies.

🟢 If Mitigated

Limited impact if proper network segmentation and additional authentication layers are in place, though authorization bypass remains possible.

🌐 Internet-Facing: HIGH - Internet-facing Solr instances with this plugin are directly exploitable by attackers.
🏢 Internal Only: HIGH - Internal attackers or compromised accounts can exploit this to escalate privileges and access unauthorized data.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires access to a Solr instance with the vulnerable plugin enabled. The vulnerability is in the authentication flow logic.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Apache Solr 8.8.2 and later

Vendor Advisory: https://lists.apache.org/thread.html/r91dd0ff556e0c9aab4c92852e0e540c59d4633718ce12881558cf44d%40%3Cusers.solr.apache.org%3E

Restart Required: Yes

Instructions:

1. Download Apache Solr 8.8.2 or later from the official Apache website.
2. Back up your current Solr configuration and data.
3. Stop the Solr service.
4. Replace the Solr installation with the patched version.
5. Restore your configuration and data.
6. Start the Solr service.

🔧 Temporary Workarounds

Disable ConfigurableInternodeAuthHadoopPlugin

Applies to: all

Remove or disable the vulnerable authentication plugin if not required for your deployment.

  • Edit solrconfig.xml and remove or comment out the ConfigurableInternodeAuthHadoopPlugin configuration
  • Restart the Solr service

Network Segmentation

Applies to: all

Isolate Solr clusters to prevent unauthorized network access to distributed nodes.

  • Configure firewall rules to restrict Solr node communication to authorized hosts only

🧯 If You Can't Patch

  • Implement strict network access controls to limit which systems can communicate with Solr nodes
  • Enable additional authentication/authorization layers and audit all access to Solr

🔍 How to Verify

Check if Vulnerable:

Check if ConfigurableInternodeAuthHadoopPlugin is configured in solrconfig.xml and verify Solr version is below 8.8.2.

Check Version:

curl http://solr-host:8983/solr/admin/info/system | grep -o '"solr-spec-version":"[^"]*"'

Verify Fix Applied:

Confirm Solr version is 8.8.2 or higher and verify the plugin configuration if still in use.
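The two checks above (version below 8.8.2, and the plugin class in use) combined into one small assessment script. This is an added example, not part of the advisory or the Solr project; the system-info body and the authentication block are constructed samples, and the authentication block is assumed to be available as a JSON object with a "class" field in the shape Solr's security.json uses.

```python
import json
import re

# Constructed sample of the /solr/admin/info/system response, trimmed to the
# field the advisory's curl | grep check reads.
SYSTEM_INFO = json.dumps({"lucene": {"solr-spec-version": "8.8.1"}})

# Constructed sample of an "authentication" block (security.json style).
AUTH_CONFIG = {
    "class": "solr.ConfigurableInternodeAuthHadoopPlugin",
    "type": "simple",
}

FIXED_VERSION = (8, 8, 2)            # first fixed release named by the advisory
VULN_PLUGIN = "ConfigurableInternodeAuthHadoopPlugin"


def parse_version(spec):
    """Turn '8.8.1' or '8.8.1-SNAPSHOT' into a comparable (major, minor, patch) tuple."""
    m = re.match(r"^(\d+)\.(\d+)(?:\.(\d+))?", spec)
    if not m:
        raise ValueError("unrecognised solr-spec-version: %r" % spec)
    return tuple(int(part or 0) for part in m.groups())


def solr_version_from_system_info(body):
    """Extract solr-spec-version from a system-info JSON body."""
    return json.loads(body)["lucene"]["solr-spec-version"]


def uses_vulnerable_plugin(auth_config):
    """True if the configured authentication class is the affected plugin."""
    cls = (auth_config or {}).get("class", "")
    return cls.split(".")[-1] == VULN_PLUGIN     # accept 'solr.X' or fully qualified


def assess(spec_version, auth_config):
    """Classify a node: vulnerable / update-recommended / not-vulnerable."""
    version_affected = parse_version(spec_version) < FIXED_VERSION
    if version_affected and uses_vulnerable_plugin(auth_config):
        return "vulnerable"
    if version_affected:
        return "update-recommended"   # affected release, but plugin not in use
    return "not-vulnerable"


if __name__ == "__main__":
    version = solr_version_from_system_info(SYSTEM_INFO)
    print(version, assess(version, AUTH_CONFIG))
```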

📡 Detection & Monitoring

Log Indicators:

  • Unexpected authorization failures or successes in Solr audit logs
  • Authentication events showing server credentials being used for client requests

Network Indicators:

  • Unusual patterns in distributed Solr node communications
  • Requests bypassing expected authentication flows

SIEM Query:

source="solr.log" AND ("authorization failure" OR "authentication bypass" OR "ConfigurableInternodeAuthHadoopPlugin")

🔗 References