CVE-2023-50386 Overview
CVE-2023-50386 is a critical vulnerability in Apache Solr that allows authenticated attackers to achieve remote code execution through the ConfigSets API. The vulnerability stems from improper control of dynamically-managed code resources, allowing malicious Java JAR and class files to be uploaded through the ConfigSets API and subsequently loaded by the Java ClassLoader.
In affected versions of Apache Solr, the ConfigSets API accepts Java jar and class files for upload. When backing up Solr Collections using the default LocalFileSystemRepository, these configSet files are saved to disk. If the backup directory overlaps with directories in Solr's ClassPath or ClassLoaders, the uploaded malicious code becomes available for execution with any ConfigSet, regardless of trust settings.
Critical Impact
Authenticated attackers can upload and execute arbitrary Java code on the Solr server, potentially leading to complete system compromise, data exfiltration, and lateral movement within the network.
Affected Products
- Apache Solr versions 6.0.0 through 8.11.2
- Apache Solr versions 9.0.0 through 9.4.0
- Apache Solr deployments using LocalFileSystemRepository for backups (default configuration)
Discovery Timeline
- 2024-02-09 - CVE-2023-50386 published to NVD
- 2025-04-24 - Last updated in NVD database
Technical Details for CVE-2023-50386
Vulnerability Analysis
This vulnerability combines three distinct weaknesses that together form a dangerous attack chain: improper control of dynamically-managed code resources, unrestricted upload of files with dangerous types (CWE-434), and inclusion of functionality from an untrusted control sphere.
The attack exploits the interaction between Solr's ConfigSets API file upload functionality and its backup/restore mechanisms. When an authenticated user with ConfigSet modification permissions uploads a malicious JAR or class file, the file is stored within the ConfigSet. Subsequently, when a backup operation is performed using the default LocalFileSystemRepository, these files are written to the filesystem in a location that may be accessible to Java's ClassLoader.
The vulnerability requires low privileges to exploit, as users only need ConfigSet upload permissions. Once the malicious code is placed in a ClassLoader-accessible location, it can be loaded and executed by any ConfigSet, effectively bypassing Solr's trust mechanisms.
Root Cause
The root cause lies in insufficient validation of file types uploaded through the ConfigSets API combined with unsafe backup storage behavior. The ConfigSets API did not restrict uploads of executable Java artifacts (JAR and class files), and the backup functionality could place these files in directories that are part of Solr's ClassLoader path. This creates a path from authenticated file upload to arbitrary code execution.
Attack Vector
The attack leverages network-accessible APIs and requires authentication with ConfigSet modification permissions. The exploitation flow involves:
- An authenticated attacker uploads a malicious JAR or class file via the ConfigSets API
- The attacker triggers a backup operation using the Backup API
- The backup saves ConfigSet files to a directory accessible by Solr's ClassLoader
- The malicious code becomes available to any ConfigSet, trusted or untrusted
- When the malicious class is loaded, arbitrary code executes with Solr's privileges
When Solr is configured with Authorization enabled, the attack is somewhat constrained as it requires existing Backup permissions. However, this still represents an unauthorized extension of capabilities, allowing users with backup permissions to deploy executable libraries.
Detection Methods for CVE-2023-50386
Indicators of Compromise
- Unexpected JAR or class files appearing in Solr ConfigSet directories
- Unusual backup operations targeting ClassPath directories
- New or modified files in Solr's lib directories following ConfigSet API activity
- Unexpected Java class loading events in Solr logs
Detection Strategies
- Monitor ConfigSets API endpoints for uploads of .jar and .class files
- Alert on backup operations that target directories within Solr's ClassPath
- Implement file integrity monitoring on Solr's lib and plugin directories
- Review Solr access logs for unusual ConfigSet modification patterns by authenticated users
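
The ConfigSet and backup-directory audit described above can be done by file content rather than by extension. The following is an added example, not code from Apache Solr or the original advisory; the sample tree and its file names are constructed for illustration.

```python
import os
import tempfile
import zipfile

CLASS_MAGIC = b"\xca\xfe\xba\xbe"   # first four bytes of a compiled Java class
ZIP_MAGIC = b"PK\x03\x04"           # local file header that starts a ZIP/JAR

def classify(path):
    """Return 'class', 'jar' or None from file content, ignoring the file name.
    A ZIP counts as a JAR when it carries .class entries or a manifest."""
    with open(path, "rb") as fh:
        head = fh.read(4)
    if head == CLASS_MAGIC:
        return "class"
    if head == ZIP_MAGIC and zipfile.is_zipfile(path):
        with zipfile.ZipFile(path) as zf:
            names = zf.namelist()
        if any(n.endswith(".class") or n.upper() == "META-INF/MANIFEST.MF"
               for n in names):
            return "jar"
    return None

def find_java_artifacts(root):
    """Walk root and return sorted (relative_path, kind) for every hit."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            kind = classify(full)
            if kind:
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                hits.append((rel, kind))
    return sorted(hits)

def build_sample_tree(root):
    """Constructed sample: one plain config file, two files that are Java artifacts."""
    conf = os.path.join(root, "myconfig", "conf")
    os.makedirs(conf)
    with open(os.path.join(conf, "solrconfig.xml"), "w") as fh:
        fh.write("<config/>\n")
    with open(os.path.join(conf, "stopwords.txt"), "wb") as fh:
        fh.write(CLASS_MAGIC + b"\x00\x00\x00\x34")
    with zipfile.ZipFile(os.path.join(conf, "synonyms.dat"), "w") as zf:
        zf.writestr("com/example/Plugin.class", CLASS_MAGIC)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for rel, kind in find_java_artifacts(tmp):
            print(f"{kind:5} {rel}")
```

Point `find_java_artifacts` at an exported ConfigSet directory or a backup location; any hit in a ConfigSet warrants review, since fixed versions no longer accept such files.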
Monitoring Recommendations
- Enable detailed audit logging for ConfigSets API operations
- Configure alerts for any file uploads through the ConfigSets API that contain Java executable code
- Monitor filesystem changes in Solr installation directories, particularly lib folders
- Track backup API usage and correlate with ConfigSet modifications
How to Mitigate CVE-2023-50386
Immediate Actions Required
- Upgrade Apache Solr to version 8.11.3 or 9.4.1 immediately
- Review existing ConfigSets for any unauthorized JAR or class files
- Audit backup directories for potentially malicious executable files
- Ensure Solr Authorization is enabled to limit the attack surface
Patch Information
Apache has released fixed versions that implement two key protections:
- Users can no longer upload files to a ConfigSet that could be executed via a Java ClassLoader
- The Backup API restricts saving backups to directories used in the ClassLoader
Upgrade to Apache Solr version 8.11.3 (for 8.x users) or version 9.4.1 (for 9.x users). For detailed security information, refer to the Apache Solr Security Advisory and the OpenWall Security Mailing List.
Workarounds
- Enable Solr Authorization to restrict ConfigSet and Backup API access to trusted administrators only
- Configure backup locations to directories outside of Solr's ClassPath
- Implement network segmentation to limit access to Solr administrative APIs
- Regularly audit ConfigSet contents for unauthorized executable files
# Configuration example - Restrict backup directory to non-ClassPath location
# In solr.xml or via API, ensure the backup location is isolated:
# set backup.location to a directory NOT in Solr's ClassPath

# Example: Verify current ClassPath directories
ps aux | grep solr | grep -oP '(?<=-classpath )[^ ]+'

# Ensure backup directories do not overlap with ClassPath
# Configure the backup repository location in solr.xml:
# <backup>
#   <repository name="local" class="org.apache.solr.core.backup.repository.LocalFileSystemRepository">
#     <str name="location">/var/solr/backups</str>
#   </repository>
# </backup>
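
The overlap check between a backup location and the ClassPath can be automated, including the case where the backup path is a symlink into a library directory. This is an added example, not part of Solr or the original advisory; the directory layout in `demo` is constructed, and POSIX paths are assumed.

```python
import os

def classpath_dirs(classpath, sep=os.pathsep):
    """Reduce a Java classpath string to the set of resolved directories it covers."""
    dirs = set()
    for entry in filter(None, classpath.split(sep)):
        if entry.endswith("*"):                      # lib/* means every JAR in lib
            entry = entry[:-1] or "."
        elif entry.lower().endswith((".jar", ".zip")):
            # Conservative: treat the directory holding a JAR as loader territory.
            entry = os.path.dirname(entry) or "."
        dirs.add(os.path.realpath(entry))
    return dirs

def _inside(child, parent):
    """True when child equals parent or lies beneath it (both already resolved)."""
    return os.path.commonpath([child, parent]) == parent

def backup_overlaps(backup_location, loader_dirs):
    """Return loader directories the backup location equals, contains, or sits in."""
    backup = os.path.realpath(backup_location)       # follow symlinks first
    return sorted(d for d in loader_dirs
                  if _inside(backup, d) or _inside(d, backup))

def demo(root):
    """Constructed layout: an isolated backup dir, a symlink into lib, a parent dir."""
    lib = os.path.join(root, "solr", "server", "lib", "ext")
    safe = os.path.join(root, "var", "backups")
    os.makedirs(lib)
    os.makedirs(safe)
    link = os.path.join(root, "var", "backup-link")
    os.symlink(lib, link)
    cp = os.pathsep.join([os.path.join(lib, "*"),
                          os.path.join(root, "solr", "server", "start.jar")])
    dirs = classpath_dirs(cp)
    candidates = [("isolated", safe), ("symlink", link),
                  ("parent", os.path.join(root, "solr"))]
    return {name: bool(backup_overlaps(path, dirs)) for name, path in candidates}

if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        for name, overlaps in demo(tmp).items():
            print(f"{name:9} overlaps={overlaps}")
```

Pass `classpath_dirs` the string printed by the `ps` command above, and add to the resulting set any library directories your deployment loads plugins from before calling `backup_overlaps`.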