CVE-2024-45216
📋 TL;DR
This CVE describes an authentication bypass vulnerability in Apache Solr's PKIAuthenticationPlugin. Attackers can bypass authentication by appending a fake ending to Solr API URLs, allowing unauthorized access to protected endpoints. This affects Solr instances from version 5.3.0 to 8.11.3 and 9.0.0 to 9.6.0 when authentication is enabled.
💻 Affected Systems
- Apache Solr
📦 What is this software?
Solr by Apache
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of Solr cluster allowing data exfiltration, data manipulation, denial of service, or lateral movement to connected systems.
Likely Case
Unauthorized access to sensitive data indexed in Solr, configuration changes, or privilege escalation within the Solr environment.
If Mitigated
Limited impact if network segmentation, additional authentication layers, or strict access controls are in place.
🎯 Exploit Status
Exploitation requires knowledge of Solr API endpoints but is straightforward once understood. No authentication needed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 8.11.4 or 9.7.0
Vendor Advisory: https://solr.apache.org/security.html#cve-2024-45216-apache-solr-authentication-bypass-possible-using-a-fake-url-path-ending
Restart Required: Yes
Instructions:
1. Back up the Solr configuration and data.
2. Download Solr 8.11.4 or 9.7.0 from the Apache website.
3. Stop the Solr service.
4. Replace the Solr installation with the patched version.
5. Restart the Solr service.
6. Verify the version and functionality.
🔧 Temporary Workarounds
Disable PKIAuthenticationPlugin
Temporarily disable the vulnerable authentication plugin if upgrading isn't immediately possible.
Edit security.json to remove PKIAuthenticationPlugin from authentication chain
Network Access Controls
Restrict network access to Solr instances using firewalls or network policies.
iptables -A INPUT -p tcp --dport 8983 -s trusted_ip -j ACCEPT
iptables -A INPUT -p tcp --dport 8983 -j DROP
🧯 If You Can't Patch
- Implement strict network segmentation and firewall rules to limit access to Solr instances
- Add additional authentication layers (reverse proxy with authentication, VPN, etc.)
🔍 How to Verify
Check if Vulnerable:
Check if Solr version is between 5.3.0-8.11.3 or 9.0.0-9.6.0 and authentication is enabled. Test by appending '/fake' to authenticated API endpoints.
Check Version:
curl http://solr-host:8983/solr/admin/info/system | grep solr-spec-version
Verify Fix Applied:
Verify Solr version is 8.11.4 or 9.7.0+ and test authentication bypass attempts fail.
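As an added helper that is not part of this advisory, the Python script below automates the version check: it reads the `lucene.solr-spec-version` field from the JSON body of `/solr/admin/info/system`, checks whether the version falls inside the affected ranges (5.3.0 to 8.11.3 and 9.0.0 to 9.6.0, inclusive), and combines that with whether `security.json` enables an authentication plugin, since the bypass only matters when authentication is on. The two sample documents are constructed, not captured from a real instance; the field names follow Solr's system-info handler and security.json layout.

```python
import json
import re
from typing import Optional, Tuple

# Affected version ranges from the advisory, inclusive on both ends.
AFFECTED_RANGES = (
    ((5, 3, 0), (8, 11, 3)),
    ((9, 0, 0), (9, 6, 0)),
)


def parse_version(text: str) -> Tuple[int, int, int]:
    """Turn 'X.Y.Z' (a suffix such as '-SNAPSHOT' is ignored) into a comparable tuple."""
    m = re.match(r"\s*(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised Solr version string: {text!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3))


def is_affected_version(version: str) -> bool:
    """True if the version lies inside one of the affected ranges."""
    v = parse_version(version)
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


def spec_version_from_system_info(system_info_json: str) -> Optional[str]:
    """Extract lucene.solr-spec-version from the JSON body of /solr/admin/info/system."""
    data = json.loads(system_info_json)
    return data.get("lucene", {}).get("solr-spec-version")


def authentication_enabled(security_json: str) -> bool:
    """Authentication is on when security.json carries an 'authentication' block with a class."""
    if not security_json.strip():
        return False  # no security.json at all means no authentication is configured
    cfg = json.loads(security_json)
    return bool(cfg.get("authentication", {}).get("class"))


def assess(system_info_json: str, security_json: str) -> dict:
    """Combine both checks: the bypass applies to an affected version with authentication enabled."""
    version = spec_version_from_system_info(system_info_json)
    affected = version is not None and is_affected_version(version)
    auth_on = authentication_enabled(security_json)
    return {
        "version": version,
        "affected_version": affected,
        "authentication_enabled": auth_on,
        "vulnerable": affected and auth_on,
        "action": "upgrade to 8.11.4 / 9.7.0" if affected else "no action for CVE-2024-45216",
    }


# Constructed sample inputs (not captured from a real instance).
SAMPLE_SYSTEM_INFO = json.dumps({
    "responseHeader": {"status": 0, "QTime": 3},
    "lucene": {"solr-spec-version": "9.6.0", "solr-impl-version": "9.6.0 (constructed)"},
})
SAMPLE_SECURITY_JSON = json.dumps({
    "authentication": {"class": "solr.BasicAuthPlugin", "blockUnknown": True},
    "authorization": {"class": "solr.RuleBasedAuthorizationPlugin"},
})

if __name__ == "__main__":
    print(json.dumps(assess(SAMPLE_SYSTEM_INFO, SAMPLE_SECURITY_JSON), indent=2))
```

In practice, feed `assess()` the body returned by the `curl` command above and the `security.json` pulled from ZooKeeper or `$SOLR_HOME`; an instance on an affected version with authentication disabled still warrants the upgrade, which is why `action` is driven by the version alone.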
📡 Detection & Monitoring
Log Indicators:
- Unusual authentication bypass patterns in Solr logs
- Requests with appended paths like '/fake' in access logs
Network Indicators:
- HTTP requests to Solr with unusual URL patterns containing extra path segments
SIEM Query:
source="solr.log" AND (url="*/*/fake" OR message="*authentication*bypass*")
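The SIEM query above only catches the literal `/fake` ending. As an added example that is not part of this advisory, the Python script below implements the more general log indicator (an admin endpoint followed by extra path segments) against Jetty-style access log lines: it parses each line, strips the query string, and flags any request whose path starts with a known Solr admin endpoint but carries additional trailing segments, marking those that were served with a 2xx/3xx status as high severity. The endpoint list is an assumption to be extended for your deployment, and the log lines are constructed, not from a real server.

```python
import re
from typing import Dict, Iterable, List, Optional, Tuple
from urllib.parse import urlsplit

# Admin endpoints that take no further path segments. Assumed starting list:
# /solr/admin/info/system is named in the advisory, the rest are standard Solr
# admin handlers. Extend or prune this for your own deployment.
KNOWN_ENDPOINTS = (
    "/solr/admin/info/system",
    "/solr/admin/info/properties",
    "/solr/admin/info/threads",
    "/solr/admin/info/logging",
    "/solr/admin/info/health",
    "/solr/admin/authentication",
    "/solr/admin/authorization",
    "/solr/admin/cores",
    "/solr/admin/collections",
    "/solr/admin/configs",
)

# NCSA-style request log line as written by Jetty (Solr's servlet container).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def suspicious_suffix(path: str) -> Optional[Tuple[str, str]]:
    """Return (endpoint, extra) when `path` is a known endpoint plus trailing segments, else None."""
    path = path.rstrip("/")
    for ep in KNOWN_ENDPOINTS:
        if path == ep:
            return None  # exact endpoint: normal traffic
        if path.startswith(ep + "/"):
            return ep, path[len(ep):]
    return None


def scan_access_log(lines: Iterable[str]) -> List[Dict]:
    """Return one finding per request that appends extra segments to an admin endpoint."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # blank or non-request line
        path = urlsplit(m["target"]).path  # drop ?wt=json and friends
        hit = suspicious_suffix(path)
        if hit is None:
            continue
        status = int(m["status"])
        findings.append({
            "ip": m["ip"],
            "ts": m["ts"],
            "path": path,
            "endpoint": hit[0],
            "extra": hit[1],
            "status": status,
            # a 2xx/3xx on a protected endpoint is the signal that matters
            "severity": "high" if status < 400 else "low",
        })
    return findings


# Constructed sample log lines (not captured from a real Solr instance).
SAMPLE_LOG_LINES = [
    '10.0.0.5 - - [15/Oct/2024:10:12:01 +0000] "GET /solr/admin/info/system HTTP/1.1" 200 1532',
    '10.0.0.9 - - [15/Oct/2024:10:12:07 +0000] "GET /solr/admin/info/system/fake HTTP/1.1" 200 1532',
    '10.0.0.9 - - [15/Oct/2024:10:12:09 +0000] "GET /solr/admin/authentication/x?wt=json HTTP/1.1" 401 412',
    '10.0.0.5 - - [15/Oct/2024:10:12:11 +0000] "GET /solr/mycollection/select?q=*:* HTTP/1.1" 200 9021',
    "",
]

if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG_LINES):
        print(f"{f['severity']:4} {f['ip']} {f['ts']} {f['path']} -> {f['status']}")
```

Run it over `$SOLR_LOGS_DIR/*request*.log` (or whatever your Jetty request log is named) and review the high-severity hits first; a legitimate administrator can also produce such paths, so treat the output as a triage list, not a verdict.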