CVE-2020-13957 Overview
CVE-2020-13957 is a critical authorization bypass vulnerability in Apache Solr that allows unauthenticated attackers to configure dangerous features through the ConfigSet API, ultimately enabling remote code execution. The vulnerability exists because security checks designed to prevent the configuration of dangerous features via unauthenticated API uploads can be circumvented through a specific combination of UPLOAD and CREATE actions.
Apache Solr implements safeguards to prevent certain dangerous configurations from being uploaded via the ConfigSet API without proper authentication. However, attackers discovered that by chaining UPLOAD and CREATE actions together, these protective checks can be bypassed entirely, allowing the injection of malicious configurations that can lead to arbitrary code execution on the affected server.
Critical Impact
This vulnerability allows unauthenticated remote attackers to achieve code execution on Apache Solr servers by bypassing security controls on ConfigSet uploads, potentially leading to complete system compromise.
Affected Products
- Apache Solr versions 6.6.0 to 6.6.6
- Apache Solr versions 7.0.0 to 7.7.3
- Apache Solr versions 8.0.0 to 8.6.2
Discovery Timeline
- October 13, 2020 - CVE-2020-13957 published to NVD
- November 21, 2024 - Last updated in NVD database
Technical Details for CVE-2020-13957
Vulnerability Analysis
This vulnerability is classified as CWE-863 (Incorrect Authorization), where the application fails to properly enforce authorization checks for ConfigSet operations. Apache Solr includes functionality to prevent dangerous configurations from being uploaded through the API without proper authentication. These dangerous features could include scripting capabilities, external entity references, or other mechanisms that could be leveraged for code execution.
The flaw lies in the implementation of these security checks. While individual UPLOAD or CREATE actions may be properly validated, the combination of these actions in a specific sequence allows an attacker to circumvent the validation logic entirely. This represents a classic case of a multi-step authorization bypass where the system fails to maintain security invariants across chained operations.
The vulnerability is particularly severe because Apache Solr is often deployed as an internet-facing search service, and the ConfigSet API may be accessible without authentication in default or misconfigured deployments. An attacker who successfully exploits this vulnerability can upload arbitrary configurations that enable remote code execution capabilities.
Root Cause
The root cause of CVE-2020-13957 is improper authorization logic in the ConfigSet API handler. The security checks implemented to prevent dangerous configurations are not consistently applied across different API action combinations. Specifically, when an attacker uses a combination of UPLOAD and CREATE actions, the authorization checks fail to recognize that the resulting configuration contains dangerous features that should have been blocked.
This represents an authorization bypass where the individual actions may pass validation, but their combined effect circumvents the intended security controls. The application architecture assumed that checking each action independently would be sufficient, but failed to account for the emergent security implications of action chaining.
Attack Vector
The attack vector for CVE-2020-13957 involves network-based exploitation of the Apache Solr ConfigSet API. An attacker can exploit this vulnerability remotely without any authentication requirements or user interaction.
The attack flow typically involves:
- The attacker identifies an Apache Solr instance with an accessible ConfigSet API endpoint
- The attacker crafts a malicious configuration containing dangerous features (such as script execution capabilities)
- Using a combination of UPLOAD and CREATE API actions, the attacker uploads the malicious configuration, bypassing security checks
- Once the malicious ConfigSet is in place, the attacker can trigger code execution through the configured dangerous features
This vulnerability requires no privileges and can be exploited with low complexity, making it highly attractive to attackers targeting exposed Solr instances.
Detection Methods for CVE-2020-13957
Indicators of Compromise
- Unusual or unauthorized ConfigSet uploads appearing in Solr logs, particularly those combining UPLOAD and CREATE actions
- New or modified ConfigSets that contain suspicious configuration elements such as script handlers or external entity references
- Unexpected network connections originating from Solr processes to external systems
- Evidence of code execution or shell commands being run under the Solr service account
Detection Strategies
- Monitor Apache Solr audit logs for ConfigSet API requests, especially sequences involving both UPLOAD and CREATE actions
- Implement network intrusion detection rules to identify suspicious payloads in HTTP requests to the /solr/admin/configs endpoint
- Deploy file integrity monitoring on Solr configuration directories to detect unauthorized ConfigSet modifications
- Use application-layer firewalls to inspect and filter potentially malicious ConfigSet API requests
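The first indicator above (UPLOAD and CREATE from the same client in sequence) can be checked mechanically. The following Python script is an added example, not part of the original page or of the Solr project: it parses reverse-proxy access-log lines in NCSA common log format (an assumed format; the sample lines are constructed, not from a real incident), keeps only requests to /solr/admin/configs, and raises an alert when an UPLOAD is followed within a time window by a CREATE from the same client whose baseConfigSet names the uploaded set. The parameter names action, name and baseConfigSet are real ConfigSet API parameters; the 30-minute window is an assumption to tune per deployment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines in NCSA common log format, as a reverse proxy in
# front of Solr might record them. Not taken from a real incident.
SAMPLE_LOG = """\
10.0.0.5 - - [13/Oct/2020:10:15:01 +0000] "POST /solr/admin/configs?action=UPLOAD&name=staging HTTP/1.1" 200 123
10.0.0.7 - admin [13/Oct/2020:10:15:02 +0000] "GET /solr/admin/collections?action=LIST HTTP/1.1" 200 88
10.0.0.5 - - [13/Oct/2020:10:15:03 +0000] "GET /solr/admin/configs?action=CREATE&name=staging2&baseConfigSet=staging HTTP/1.1" 200 91
10.0.0.9 - - [13/Oct/2020:11:40:00 +0000] "POST /solr/admin/configs?action=UPLOAD&name=late HTTP/1.1" 200 123
10.0.0.9 - - [13/Oct/2020:12:30:00 +0000] "GET /solr/admin/configs?action=CREATE&name=late2&baseConfigSet=late HTTP/1.1" 200 91
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)
CONFIGS_PATH = "/solr/admin/configs"


def parse_configset_request(line):
    """Parse one access-log line; return a dict for ConfigSet API requests, else None."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    url = urlsplit(m["target"])
    if url.path != CONFIGS_PATH:
        return None
    qs = parse_qs(url.query)
    return {
        "ip": m["ip"],
        "user": None if m["user"] == "-" else m["user"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "action": qs.get("action", [""])[0].upper(),
        "name": qs.get("name", [""])[0],
        "base": qs.get("baseConfigSet", [""])[0],
        "status": int(m["status"]),
    }


def find_upload_create_chains(log_text, window=timedelta(minutes=30)):
    """Alert when a client UPLOADs a ConfigSet and then CREATEs another one
    based on it within `window`. Requests are kept regardless of HTTP
    status: a blocked attempt is still worth an analyst's attention."""
    uploads = defaultdict(list)  # client ip -> UPLOAD events seen so far
    alerts = []
    for line in log_text.splitlines():
        ev = parse_configset_request(line)
        if ev is None:
            continue
        if ev["action"] == "UPLOAD":
            uploads[ev["ip"]].append(ev)
        elif ev["action"] == "CREATE":
            for up in uploads[ev["ip"]]:
                gap = ev["ts"] - up["ts"]
                if up["name"] == ev["base"] and timedelta(0) <= gap <= window:
                    alerts.append({
                        "ip": ev["ip"],
                        "uploaded": up["name"],
                        "created": ev["name"],
                        "seconds_between": int(gap.total_seconds()),
                        # True when neither request carried a proxy-authenticated user
                        "unauthenticated": up["user"] is None and ev["user"] is None,
                    })
    return alerts


if __name__ == "__main__":
    for a in find_upload_create_chains(SAMPLE_LOG):
        print("ALERT UPLOAD->CREATE chain:", a)
```

On the sample data only the 10.0.0.5 pair fires; the 10.0.0.9 pair is 50 minutes apart and falls outside the default window, which is why the window should be chosen from how quickly your own administrators normally chain these actions. Feed the function your proxy's log instead of SAMPLE_LOG, and if Solr's own request log is the only source, adapt LOG_RE to that format.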
Monitoring Recommendations
- Enable comprehensive audit logging for all Apache Solr administrative API endpoints
- Configure alerts for any ConfigSet modifications performed without proper authentication
- Implement real-time monitoring of Solr process behavior for signs of post-exploitation activity such as unexpected child processes or network connections
- Review Solr access logs regularly for anomalous patterns in API usage
How to Mitigate CVE-2020-13957
Immediate Actions Required
- Upgrade Apache Solr to a patched version immediately: version 6.6.7 or later for 6.x, version 7.7.4 or later for 7.x, or version 8.6.3 or later for 8.x
- Restrict network access to the Solr ConfigSet API to trusted administrative hosts only
- Enable authentication and authorization for all Solr administrative APIs
- Review existing ConfigSets for any unauthorized or suspicious configurations
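Reviewing existing ConfigSets for the suspicious elements named under Indicators of Compromise (script handlers, external entity references) is easier with a scanner. The Python script below is an added example and not code from the page or from the Solr project: it checks a solrconfig.xml for DOCTYPE/ENTITY declarations, for classes whose names suggest scripting or XSLT processing, and for lib directives that load code from arbitrary directories. The two sample documents are constructed for illustration, the class-name patterns are a starting list rather than an exhaustive one, and the directory walker assumes the usual layout of one configset per directory.

```python
import pathlib
import re
import xml.etree.ElementTree as ET

# Constructed solrconfig.xml samples for illustration; not real configsets.
BENIGN_SOLRCONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<config>
  <luceneMatchVersion>8.6.0</luceneMatchVersion>
  <requestHandler name="/select" class="solr.SearchHandler"/>
</config>
"""

SUSPICIOUS_SOLRCONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE config [ <!ENTITY ext SYSTEM "file:///etc/hostname"> ]>
<config>
  <lib dir="/tmp/dropped-jars" regex=".*\\.jar"/>
  <updateRequestProcessorChain name="script">
    <processor class="solr.StatelessScriptUpdateProcessorFactory">
      <str name="script">update.js</str>
    </processor>
    <processor class="solr.RunUpdateProcessorFactory"/>
  </updateRequestProcessorChain>
  <requestHandler name="/select" class="solr.SearchHandler"/>
</config>
"""

# Substrings of Solr class names that should be justified before a
# ConfigSet is trusted. Assumed starting list; extend for your deployment.
SUSPECT_CLASS_PATTERNS = ("Script", "XSLT")


def scan_solrconfig(xml_text):
    """Return (category, detail) findings for one solrconfig.xml document."""
    findings = []
    # A DOCTYPE or ENTITY declaration has no business in a configset: check
    # the raw text so the finding does not depend on parser behaviour.
    if re.search(r"<!DOCTYPE|<!ENTITY", xml_text):
        findings.append(("dtd", "DOCTYPE/ENTITY declaration present"))
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        findings.append(("parse-error", str(exc)))
        return findings
    for el in root.iter():
        cls = el.get("class", "")
        if any(p in cls for p in SUSPECT_CLASS_PATTERNS):
            findings.append(("script", f"<{el.tag}> uses class {cls}"))
        if el.tag == "lib":
            findings.append(("lib", f"<lib> loads code from dir={el.get('dir')!r} path={el.get('path')!r}"))
    return findings


def scan_configset_dir(path):
    """Scan every *.xml under a configset directory; returns {file: findings}."""
    return {
        str(p): scan_solrconfig(p.read_text(encoding="utf-8"))
        for p in pathlib.Path(path).rglob("*.xml")
    }


if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_SOLRCONFIG), ("suspicious", SUSPICIOUS_SOLRCONFIG)):
        print(label, scan_solrconfig(doc) or "clean")
```

Point scan_configset_dir at a copy of the configsets pulled from ZooKeeper (or at the standalone configset directory) and treat every non-empty result as something a human must sign off on; a parse error is reported as a finding on purpose, since a file Solr cannot parse should not be sitting in a live configset either.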
Patch Information
Apache has released security patches addressing CVE-2020-13957 in updated versions of Solr. Organizations should upgrade to the following minimum versions:
- Solr 6.x: Upgrade to version 6.6.7 or later
- Solr 7.x: Upgrade to version 7.7.4 or later
- Solr 8.x: Upgrade to version 8.6.3 or later
For detailed patch information, refer to the Apache Announce Mailing List. Additional information is available in the NetApp Security Advisory NTAP-20201023-0002.
Workarounds
- Implement network-level access controls to restrict access to Solr administrative APIs from untrusted networks
- Configure a reverse proxy or web application firewall in front of Solr to filter requests to sensitive API endpoints
- Enable Solr authentication and authorization using the built-in security plugins if upgrading is not immediately possible
- Disable the ConfigSet API entirely if it is not required for your deployment
# Example: Restrict Solr admin API access using iptables
# Allow only the trusted admin network (here 10.0.0.0/24) to reach the
# default Solr port 8983; everything else is dropped. -A appends, so these
# rules must come before any broader ACCEPT rule already in the chain
# (or insert them with -I instead).
iptables -A INPUT -p tcp --dport 8983 -s 10.0.0.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 8983 -j DROP

# Example: Enable Solr authentication and authorization in security.json
# Upload this file to ZooKeeper (SolrCloud) or place it in SOLR_HOME (standalone).
# "blockUnknown": true is required: without it, requests that carry no
# credentials are still let through and the ConfigSet API stays reachable.
# The credentials value is "<base64 sha256 hash> <base64 salt>"; replace the
# placeholder with a value generated for your own password.
{
  "authentication": {
    "blockUnknown": true,
    "class": "solr.BasicAuthPlugin",
    "credentials": {"admin": "<base64-hash> <base64-salt>"}
  },
  "authorization": {
    "class": "solr.RuleBasedAuthorizationPlugin",
    "permissions": [{"name": "all", "role": "admin"}],
    "user-role": {"admin": "admin"}
  }
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.