CVE-2021-44548

9.8 CRITICAL

📋 TL;DR

This vulnerability in Apache Solr's DataImportHandler allows attackers to make SMB network calls from the Solr host to other systems by providing Windows UNC paths. This can lead to credential theft via NTLM hash capture or potentially remote code execution through SMB relay attacks. Only affects Windows systems running Apache Solr versions prior to 8.11.1.

💻 Affected Systems

Products:
  • Apache Solr
Versions: All versions prior to 8.11.1
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects Windows systems; DataImportHandler must be enabled/accessible.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Remote code execution through SMB relay attacks leading to full system compromise of the Solr host or other systems on the network.

🟠 Likely Case

Credential theft via NTLM hash capture, enabling lateral movement within the network and potential privilege escalation.

🟢 If Mitigated

Limited to information disclosure if SMB signing is enforced and network segmentation prevents access to critical systems.

🌐 Internet-Facing: HIGH - Internet-facing Solr instances on Windows are directly exploitable without authentication.
🏢 Internal Only: HIGH - Internal systems remain vulnerable to authenticated attackers or compromised internal hosts.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires network access to Solr instance and ability to trigger DataImportHandler with malicious UNC path.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Apache Solr 8.11.1 and later

Vendor Advisory: https://solr.apache.org/security.html#cve-2021-44548-apache-solr-information-disclosure-vulnerability-through-dataimporthandler

Restart Required: Yes

Instructions:

1. Download Apache Solr 8.11.1 or later from the official site.
2. Back up the current configuration and data.
3. Stop the Solr service.
4. Replace the installation with the patched version.
5. Restart the Solr service.

🔧 Temporary Workarounds

Disable DataImportHandler (applies to: all platforms)

Remove or disable the DataImportHandler if it is not required.

Remove the DataImportHandler configuration from solrconfig.xml, or set enabled="false" on its requestHandler entry.

Network Segmentation (applies to: Windows)

Restrict outbound SMB traffic from Solr hosts.

Windows Firewall (PowerShell, run as Administrator):

New-NetFirewallRule -DisplayName "Block Solr SMB" -Direction Outbound -Protocol TCP -RemotePort 445 -Action Block

This rule blocks all outbound SMB from the host, not just Solr's; if other processes on the host legitimately need SMB, scope the rule to the Solr Java executable with the -Program parameter.

🧯 If You Can't Patch

  • Enforce SMB signing on all Windows systems to prevent relay attacks
  • Implement strict network segmentation to isolate Solr hosts from critical systems

🔍 How to Verify

Check if Vulnerable:

Check Solr version and OS: version < 8.11.1 AND OS = Windows AND DataImportHandler accessible

Check Version:

bin\solr.cmd version (from the command line) or check the Solr admin UI

Verify Fix Applied:

Confirm the Solr version is 8.11.1 or later, and confirm that a DataImportHandler request supplying a UNC path is rejected with an error.
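The three preconditions above (Windows host, version below 8.11.1, DataImportHandler reachable) can be checked offline from a version string and a copy of solrconfig.xml. The following script is an added example, not code from the advisory or from the Solr project. It assumes the version string is whatever text `bin\solr.cmd version` or the admin API returns (any text containing a version like "8.10.1") and that the DataImportHandler is registered in solrconfig.xml as a `<requestHandler>` whose class attribute ends in `DataImportHandler`; the sample XML is constructed for the example.

```python
"""Check whether a Solr host matches the CVE-2021-44548 preconditions.

Added example, not part of the advisory. Assumptions not taken from the page:
the version string comes from `bin\\solr.cmd version` output or the admin
API (any text containing e.g. "8.10.1"), and the DataImportHandler is
registered in solrconfig.xml as a <requestHandler> whose class attribute ends
with "DataImportHandler"; the sample XML below is constructed.
"""
import platform
import re
import xml.etree.ElementTree as ET

FIXED_VERSION = (8, 11, 1)  # first release with the fix, per the advisory


def parse_version(text):
    """Return the first x.y.z version found in `text` as a tuple of ints."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no version number found in {text!r}")
    return tuple(int(part) for part in m.groups())


def version_is_patched(text):
    """True when the reported version is 8.11.1 or later."""
    return parse_version(text) >= FIXED_VERSION


def dih_enabled(solrconfig_xml):
    """True when a DataImportHandler is registered and not marked enabled="false"."""
    root = ET.fromstring(solrconfig_xml)
    for handler in root.iter("requestHandler"):
        if handler.get("class", "").endswith("DataImportHandler"):
            if handler.get("enabled", "true").strip().lower() != "false":
                return True
    return False


def is_vulnerable(version_text, solrconfig_xml, os_name=None):
    """All three preconditions from the advisory: Windows, < 8.11.1, DIH reachable."""
    os_name = os_name or platform.system()
    return (
        os_name == "Windows"
        and not version_is_patched(version_text)
        and dih_enabled(solrconfig_xml)
    )


# Constructed sample configs (not taken from any real deployment).
SAMPLE_CONFIG_DIH_ON = """<config>
  <requestHandler name="/dataimport"
                  class="org.apache.solr.handler.dataimport.DataImportHandler">
    <lst name="defaults"><str name="config">db-data-config.xml</str></lst>
  </requestHandler>
</config>"""

# Same handler with the workaround from this page applied.
SAMPLE_CONFIG_DIH_OFF = SAMPLE_CONFIG_DIH_ON.replace(
    'name="/dataimport"', 'name="/dataimport" enabled="false"'
)

if __name__ == "__main__":
    for label, cfg in (("DIH on", SAMPLE_CONFIG_DIH_ON), ("DIH off", SAMPLE_CONFIG_DIH_OFF)):
        state = "VULNERABLE" if is_vulnerable("8.10.1", cfg, "Windows") else "not vulnerable"
        print(f"{label}, Solr 8.10.1 on Windows -> {state}")
```

Run it against the real solrconfig.xml of each core (the check is per core, since each core registers its own handlers) and pass the OS explicitly if you run the script from a workstation rather than on the Solr host itself.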

📡 Detection & Monitoring

Log Indicators:

  • UNC path patterns in Solr logs (\\server\share)
  • DataImportHandler requests with unusual file paths
  • Failed SMB connection attempts from Solr host

Network Indicators:

  • Unexpected SMB traffic originating from Solr hosts to internal systems
  • NTLM authentication attempts from Solr to unexpected targets

SIEM Query:

source="solr.log" AND ("UNC" OR "\\\\" OR "DataImportHandler")
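The query above matches any mention of a UNC path or the handler name, which is noisy on a busy instance. A narrower check is to parse Solr's per-request log line, keep only requests to the DataImportHandler, URL-decode the parameters (Solr logs them encoded, so `\\` appears as `%5C%5C`), and flag the ones that carry a `\\host\share` path. The script below is an added example, not code from the advisory or the Solr project; it assumes Solr's request log layout (`path=... params={...} status=...`), and the log lines in it are constructed for the example with placeholder hosts, not real captures.

```python
"""Flag DataImportHandler requests whose parameters carry a Windows UNC path.

Added example, not part of the advisory. It assumes Solr's request log
format (`path=... params={...} status=...`); the log lines below are
constructed for the example, not real captures, and the hosts in them are
placeholders.
"""
import re
from urllib.parse import unquote

# Solr writes one line per request; params are URL-encoded inside braces.
REQUEST_RE = re.compile(r"path=(?P<path>\S+)\s+params=\{(?P<params>.*)\}\s+status=")
# \\host\share : two backslashes, a host, one backslash, a share name.
UNC_RE = re.compile(r"\\\\[^\\\s&}]+\\[^\\\s&}]+")

# Constructed sample log (placeholder hosts, not real traffic).
SAMPLE_LOG = r"""
2021-12-20 10:00:01.000 INFO  (qtp1-12) [   x:products] o.a.s.c.S.Request [products]  webapp=/solr path=/select params={q=id:1} status=0 QTime=2
2021-12-20 10:00:02.000 INFO  (qtp1-13) [   x:products] o.a.s.c.S.Request [products]  webapp=/solr path=/dataimport params={command=full-import&config=db-data-config.xml} status=0 QTime=40
2021-12-20 10:00:03.000 INFO  (qtp1-14) [   x:products] o.a.s.c.S.Request [products]  webapp=/solr path=/dataimport params={command=full-import&config=%5C%5C10.0.0.5%5Cshare%5Cdata-config.xml} status=0 QTime=15
2021-12-20 10:00:04.000 INFO  (qtp1-15) [   x:products] o.a.s.c.S.Request [products]  webapp=/solr path=/dataimport params={command=full-import&config=\\fileserver01\solr\data-config.xml} status=0 QTime=9
"""


def find_unc_dih_requests(log_text):
    """Return one record per DataImportHandler request that contains a UNC path."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        path = m.group("path")
        if "dataimport" not in path.lower():
            continue                          # only the handler this CVE concerns
        params = unquote(m.group("params"))   # %5C%5C -> \\ so encoded paths are caught
        unc = UNC_RE.search(params)
        if unc:
            hits.append({"path": path, "unc": unc.group(0), "line": line.strip()})
    return hits


if __name__ == "__main__":
    for hit in find_unc_dih_requests(SAMPLE_LOG):
        print(f"ALERT {hit['path']} referenced {hit['unc']}")
```

Each hit is a candidate for correlation with the network indicators listed above: an outbound SMB connection from the Solr host to the named server shortly after the request timestamp turns the log match into a confirmed event.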

🔗 References
