CVE-2023-50291

Apache Solr: System Property redaction logic inconsistency can lead to leaked passwords

Severity Score

7.5

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

Insufficiently Protected Credentials vulnerability in Apache Solr.

This issue affects Apache Solr: from 6.0.0 through 8.11.2, from 9.0.0 before 9.3.0.
One of the two endpoints that publishes the Solr process' Java system properties, /admin/info/properties, was only setup to hide system properties that had "password" contained in the name.
There are a number of sensitive system properties, such as "basicauth" and "aws.secretKey" do not contain "password", thus their values were published via the "/admin/info/properties" endpoint.
This endpoint populates the list of System Properties on the home screen of the Solr Admin page, making the exposed credentials visible in the UI.

This /admin/info/properties endpoint is protected under the "config-read" permission.
Therefore, Solr Clouds with Authorization enabled will only be vulnerable through logged-in users that have the "config-read" permission.
Users are recommended to upgrade to version 9.3.0 or 8.11.3, which fixes the issue.
A single option now controls hiding Java system property for all endpoints, "-Dsolr.hiddenSysProps".
By default all known sensitive properties are hidden (including "-Dbasicauth"), as well as any property with a name containing "secret" or "password".

Users who cannot upgrade can also use the following Java system property to fix the issue:
'-Dsolr.redaction.system.pattern=.*(password|secret|basicauth).*'

Vulnerabilidad de credenciales insuficientemente protegidas en Apache Solr. Este problema afecta a Apache Solr: desde 6.0.0 hasta 8.11.2, desde 9.0.0 antes de 9.3.0. Uno de los dos endpoints que publica las propiedades del sistema Java del proceso Solr, /admin/info/properties, solo se configuró para ocultar las propiedades del sistema que tenían "password" en el nombre. Hay una serie de propiedades confidenciales del sistema, como "basicauth" y "aws.secretKey" que no contienen "password", por lo que sus valores se publicaron a través del endpoint "/admin/info/properties". Este endpoint completa la lista de System Properties en la pantalla de inicio de la página de administración de Solr, lo que hace que las credenciales expuestas sean visibles en la interfaz de usuario. Este endpoint /admin/info/properties está protegido bajo el permiso "config-read". Por lo tanto, las nubes Solr con autorización habilitada solo serán vulnerables a través de usuarios registrados que tengan el permiso "config-read". Se recomienda a los usuarios actualizar a la versión 9.3.0 u 8.11.3, que soluciona el problema. Una única opción ahora controla la ocultación de la propiedad del sistema Java para todos los endpoints, "-Dsolr.hiddenSysProps". De forma predeterminada, todas las propiedades confidenciales conocidas están ocultas (incluido "-Dbasicauth"), así como cualquier propiedad cuyo nombre contenga "secret" o "password". Los usuarios que no pueden actualizar también pueden utilizar la siguiente propiedad del sistema Java para solucionar el problema: '-Dsolr.redaction.system.pattern=.*(password|secret|basicauth).*'

*Credits: Michael Taggart

CVSS Scores

NISTv3.1 7.5

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2023-12-06 CVE Reserved
2024-02-09 CVE Published
2024-03-13 EPSS Updated
2024-08-02 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-522: Insufficiently Protected Credentials

CAPEC

References (2)

URL	Tag	Source
http://www.openwall.com/lists/oss-security/2024/02/09/4	Mailing List

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC
https://solr.apache.org/security.html#cve-2023-50291-apache-solr-can-leak-certain-passwords-due-to-system-property-redaction-logic-inconsistencies	2024-02-15

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Apache Search vendor "Apache"		Solr Search vendor "Apache" for product "Solr"				>= 6.0.0 < 8.11.3 Search vendor "Apache" for product "Solr" and version " >= 6.0.0 < 8.11.3"		-		Affected
Apache Search vendor "Apache"		Solr Search vendor "Apache" for product "Solr"				>= 9.0.0 < 9.3.0 Search vendor "Apache" for product "Solr" and version " >= 9.0.0 < 9.3.0"		-		Affected