CVE-2023-50298

7.5 HIGH

📋 TL;DR

This vulnerability in Apache Solr allows attackers to steal ZooKeeper credentials and ACLs by tricking Solr into sending them to a malicious server. Attackers can exploit the Streaming Expressions feature by providing a fake ZooKeeper host address, which causes Solr to transmit sensitive authentication information. This affects Apache Solr versions 6.0.0 through 8.11.2 and 9.0.0 before 9.4.1.

💻 Affected Systems

Products:
  • Apache Solr
Versions: 6.0.0 through 8.11.2, 9.0.0 before 9.4.1
Operating Systems: All operating systems running affected Solr versions
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects configurations where ZooKeeper credentials and ACLs are used, and the /streaming endpoint is accessible.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete compromise of ZooKeeper infrastructure leading to data theft, service disruption, or further lateral movement within the environment.

🟠 Likely Case

Exfiltration of ZooKeeper credentials allowing unauthorized access to configuration data and potentially other Solr instances.

🟢 If Mitigated

Limited impact if proper network segmentation and access controls prevent external connections to malicious servers.

🌐 Internet-Facing: HIGH - Internet-facing Solr instances with Streaming Expressions enabled are directly exploitable by external attackers.
🏢 Internal Only: MEDIUM - Internal attackers or compromised systems could exploit this to steal credentials and escalate privileges.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires only network access to the /streaming endpoint and ability to set up a mock ZooKeeper server.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 8.11.3 or 9.4.1

Vendor Advisory: https://solr.apache.org/security.html#cve-2023-50298-apache-solr-can-expose-zookeeper-credentials-via-streaming-expressions

Restart Required: Yes

Instructions:

1. Download Apache Solr 8.11.3 or 9.4.1 from the official website.
2. Stop the Solr service.
3. Back up your current Solr installation.
4. Replace it with the patched version.
5. Restart the Solr service.
6. Verify the upgrade was successful.

🔧 Temporary Workarounds

Disable Streaming Expressions (platform: all)

Remove or restrict access to the /streaming endpoint to prevent exploitation.

Edit solrconfig.xml and remove or comment out the <requestHandler name="/streaming" class="solr.StreamHandler"> section

Network Segmentation (platform: all)

Restrict outbound network connections from Solr instances to prevent credential exfiltration.

Configure firewall rules to block Solr instances from making outbound connections to unauthorized ZooKeeper servers

🧯 If You Can't Patch

  • Implement strict network controls to prevent Solr instances from connecting to external or untrusted ZooKeeper servers
  • Monitor and audit all connections from Solr instances to ZooKeeper hosts for suspicious activity

🔍 How to Verify

Check if Vulnerable:

Check the Solr version and verify whether the Streaming Expressions endpoint is accessible. Test by attempting to connect to a controlled mock ZooKeeper server.

Check Version:

curl http://solr-host:8983/solr/admin/info/system | grep -o '"solr-spec-version":"[^"]*"'

Verify Fix Applied:

After patching, verify that the Solr version is 8.11.3+ or 9.4.1+. Test that credentials are no longer sent to external ZooKeeper hosts.

📡 Detection & Monitoring

Log Indicators:

  • Unusual connections to external ZooKeeper servers
  • Failed authentication attempts from unexpected ZooKeeper hosts
  • Streaming expression requests with external zkHost parameters

Network Indicators:

  • Outbound connections from Solr to unknown ZooKeeper servers (port 2181 typically)
  • Unexpected network traffic to non-standard ZooKeeper ports

SIEM Query:

source="solr.log" AND ("zkHost" OR "/streaming") AND (external_ip OR unknown_host)
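One way to turn the "streaming expression requests with external zkHost parameters" indicator into a concrete check, as an added example (not code from this page or from the Apache Solr project). The request-log line shape, the allowlist entries and all function names are assumptions, and the sample lines are constructed.

```python
import re
from urllib.parse import unquote_plus

# Assumed request-log shape: "... path=<handler> params={<query string>} ...".
REQ_RE = re.compile(r"path=(\S+)\s+params=\{(.*)\}")
# Quoted value (may hold a comma-separated ensemble plus chroot) or a bare value.
ZKHOST_RE = re.compile(r"""zkHost\s*=\s*(?:(["'])(.*?)\1|([^,)&\s]+))""", re.I)
# Hypothetical allowlist: the ensemble this cluster is supposed to use.
ALLOWED_ZK = {"zk1.internal.example:2181", "zk2.internal.example:2181"}

def decode(params, rounds=3):
    """URL-decode repeatedly so double-encoded expressions are still inspected."""
    for _ in range(rounds):
        params = unquote_plus(params)
    return params

def zk_endpoints(value):
    """Split 'h1:2181,h2:2181/chroot' into lowercase host:port entries."""
    ensemble = value.split("/", 1)[0]
    return [h.strip().lower() for h in ensemble.split(",") if h.strip()]

def find_foreign_zkhosts(lines, allowed=ALLOWED_ZK):
    """Return (line_no, path, endpoint) for each zkHost entry outside `allowed`."""
    hits = []
    for no, line in enumerate(lines, 1):
        req = REQ_RE.search(line)
        # Prefix test covers Solr's implicit /stream handler and the page's /streaming.
        if not req or not req.group(1).startswith("/stream"):
            continue
        for m in ZKHOST_RE.finditer(decode(req.group(2))):
            for ep in zk_endpoints(m.group(2) or m.group(3) or ""):
                if ep not in allowed:
                    hits.append((no, req.group(1), ep))
    return hits

# Constructed sample lines (documentation-range addresses), not from a real log.
SAMPLE_LOG = [
    'INFO [products] webapp=/solr path=/select params={q=*:*} status=0',
    'INFO [products] webapp=/solr path=/stream params={expr=search(products,'
    'zkHost="zk1.internal.example:2181,zk2.internal.example:2181/solr",q="*:*")} status=0',
    'INFO [products] webapp=/solr path=/stream params={expr=search(products,'
    'zkHost%3D%22203.0.113.7:2181%22,q%3D%22*:*%22)&wt=json} status=0',
    'INFO [products] webapp=/solr path=/stream params={expr=search(products,'
    'zkHost%253D%2522ZK1.internal.example:2181,198.51.100.9:2181%2522)} status=0',
]

if __name__ == "__main__":
    for hit in find_foreign_zkhosts(SAMPLE_LOG):
        print("foreign zkHost: line %d path %s -> %s" % hit)
```

Each endpoint in a comma-separated ensemble is checked separately, so a zkHost value that mixes a legitimate host with an unknown one is still reported.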
