CVE-2021-27905 Overview
CVE-2021-27905 is a Server-Side Request Forgery (SSRF) vulnerability in the Apache Solr ReplicationHandler, normally registered at /replication under a Solr core. The handler accepts a masterUrl parameter (also aliased as leaderUrl) used to designate another ReplicationHandler on a remote Solr core for index replication. Solr failed to validate this parameter against the same allowlist configuration used for the shards parameter. An unauthenticated remote attacker can abuse this gap to coerce the Solr server into issuing arbitrary HTTP requests to internal or external systems. The flaw affects all Apache Solr versions prior to 8.8.2.
Critical Impact
Unauthenticated attackers can leverage the Solr server as a proxy to access internal network services, cloud metadata endpoints, and other restricted resources via crafted masterUrl parameter values.
Affected Products
- Apache Solr versions prior to 8.8.2
- NetApp products bundling vulnerable Apache Solr (see NetApp advisory)
- Apache OFBiz deployments embedding affected Solr components
Discovery Timeline
- 2021-04-13 - CVE-2021-27905 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2021-27905
Vulnerability Analysis
The vulnerability is a classic Server-Side Request Forgery (CWE-918) issue rooted in missing URL allowlist validation. The Solr ReplicationHandler provides index replication between cores by fetching data from a URL specified in the masterUrl or leaderUrl HTTP parameter. Solr already maintained an allowlist mechanism for the shards parameter to prevent inter-cluster SSRF, but this same control was not applied to replication endpoints. As a result, the server processes any attacker-supplied URL and issues an outbound HTTP request from the Solr process context.
Root Cause
The root cause is missing input validation against a configured URL allowlist in the replication code path. The fix in Solr 8.8.2 applies the same shardsWhitelist-style check to replication URLs, ensuring that only pre-approved hosts can be contacted by the ReplicationHandler.
Attack Vector
An unauthenticated attacker sends an HTTP request to /solr/<core>/replication with command=fetchindex and a masterUrl pointing to an attacker-controlled or internal target. Solr then issues HTTP requests to that URL on behalf of the attacker. This can be used to reach cloud instance metadata services such as http://169.254.169.254/, internal admin panels, or to scan internal networks. Because Solr typically runs as a privileged service on trusted networks, the impact extends to information disclosure and chained exploitation against backend systems.
No verified public proof-of-concept code is referenced in the advisory. See the Apache Announcement Thread for vendor technical details.
Detection Methods for CVE-2021-27905
Indicators of Compromise
- HTTP requests to /solr/*/replication containing command=fetchindex and an external or internal masterUrl / leaderUrl parameter value.
- Outbound connections from the Solr JVM process to cloud metadata addresses such as 169.254.169.254 or to RFC1918 hosts not part of the replication topology.
- Unexpected ReplicationHandler log entries referencing remote hosts outside the configured replica set.
Detection Strategies
- Inspect Solr access logs for the replication endpoint with attacker-controlled URL parameters, focusing on parameter names masterUrl and leaderUrl.
- Correlate Solr process network telemetry against an approved replica allowlist to flag deviations.
- Apply web application firewall (WAF) rules that block /replication requests containing URL-encoded schemes pointing outside known infrastructure.
Monitoring Recommendations
- Forward Solr request logs and host network connections to a centralized analytics platform for correlation with known internal-only addresses.
- Alert on any Solr-originated request to cloud metadata IPs or to hosts not enumerated in shardsWhitelist.
- Track Solr version inventory continuously and flag instances running versions earlier than 8.8.2.
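As an added example that is not part of the original advisory, the following Python implements the log review and allowlist correlation described under Detection Strategies and Monitoring Recommendations: it parses Solr request-log lines, pulls masterUrl/leaderUrl out of /replication requests and flags any whose host:port is not an approved replication peer, mirroring the host:port comparison that a shardsWhitelist check performs. The NCSA-style log format, the peer names, the client addresses and the sample lines are all constructed assumptions.

```python
import re
from ipaddress import ip_address
from urllib.parse import urlsplit, parse_qs

# Approved replication peers as host:port, mirroring a shardsWhitelist value
# (host names are constructed for this example).
ALLOWLIST = {"replica1.internal:8983", "replica2.internal:8983"}
URL_PARAMS = ("masterUrl", "leaderUrl")  # old and new spelling of the same parameter

# Jetty/NCSA-style Solr request log line (format assumed for this example).
LOG_RE = re.compile(r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

def allowed_peer(url):
    """True when url's host:port is an approved peer, the comparison an allowlist check makes."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    port = parts.port or (443 if parts.scheme == "https" else 80)
    return f"{parts.hostname}:{port}" in ALLOWLIST

def is_metadata_target(url):
    """Link-local (169.254.0.0/16) addresses are where cloud metadata services live."""
    try:
        return ip_address(urlsplit(url).hostname).is_link_local
    except ValueError:  # hostname is a DNS name, not an address, or is missing
        return False

def inspect_line(line):
    """Return a finding for a replication request carrying an unapproved URL, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    target = urlsplit(m["target"])
    if not target.path.endswith("/replication"):
        return None
    query = parse_qs(target.query)  # percent-decodes the parameter values
    for name in URL_PARAMS:
        for url in query.get(name, []):
            if not allowed_peer(url):
                return {"client": m["client"], "param": name, "url": url,
                        "command": query.get("command", [""])[0],
                        "metadata": is_metadata_target(url)}
    return None

def scan(lines):
    return [f for f in map(inspect_line, lines) if f]

# Constructed sample log: one legitimate peer fetch, two suspicious requests, one unrelated query.
SAMPLE_LOG = [
    '10.0.0.5 - - [13/Apr/2021:10:15:32 +0000] "GET /solr/core1/replication?command=fetchindex&masterUrl=http%3A%2F%2Freplica1.internal%3A8983%2Fsolr%2Fcore1%2Freplication HTTP/1.1" 200 512',
    '203.0.113.7 - - [13/Apr/2021:10:16:01 +0000] "GET /solr/core1/replication?command=fetchindex&masterUrl=http%3A%2F%2F169.254.169.254%2Flatest%2Fmeta-data%2F HTTP/1.1" 200 87',
    '203.0.113.7 - - [13/Apr/2021:10:16:09 +0000] "GET /solr/core1/replication?command=fetchindex&leaderUrl=http%3A%2F%2F10.1.2.3%3A8080%2F HTTP/1.1" 200 87',
    '10.0.0.6 - - [13/Apr/2021:10:17:00 +0000] "GET /solr/core1/select?q=*%3A* HTTP/1.1" 200 2048',
]
```

Run `scan(SAMPLE_LOG)` to get the two suspicious requests; only the link-local one is additionally tagged as a metadata-service target.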
How to Mitigate CVE-2021-27905
Immediate Actions Required
- Upgrade Apache Solr to version 8.8.2 or later on all production and non-production cores.
- Restrict network access to Solr admin and replication endpoints so they are reachable only from trusted management subnets.
- Audit Solr configurations for an explicit shardsWhitelist and confirm replication peers are enumerated.
Patch Information
Apache fixed the SSRF in Solr 8.8.2 by enforcing the existing URL allowlist mechanism on the masterUrl / leaderUrl parameters of the ReplicationHandler. Refer to the Apache Announcement Thread and the NetApp Security Advisory for bundled-product fix versions.
Workarounds
- Place Solr behind a reverse proxy or WAF that blocks external access to /replication and rejects requests containing masterUrl or leaderUrl parameters.
- Apply strict egress filtering on the Solr host to prevent outbound HTTP to cloud metadata endpoints and unrelated internal services.
- Disable the ReplicationHandler on cores that do not require replication by removing or commenting it out in solrconfig.xml.
Configuration example: enforce the replica allowlist in solr.xml. Solr reads shardsWhitelist from the shardHandlerFactory element, not from the top-level solr element; list every approved replication peer as host:port.
<solr>
  <str name="shareSchema">${shareSchema:false}</str>
  <shardHandlerFactory name="shardHandlerFactory" class="HttpShardHandlerFactory">
    <!-- Restrict ReplicationHandler / shards traffic to known hosts only -->
    <str name="shardsWhitelist">replica1.internal:8983,replica2.internal:8983</str>
  </shardHandlerFactory>
</solr>
# Egress firewall example (iptables) - block cloud metadata access
iptables -A OUTPUT -m owner --uid-owner solr -d 169.254.169.254 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

