Apache Solr affected by XML External Entity attack (CVE-2022-39135)

Apache Solr developers informed users on Tuesday that the product is affected by an XML external entity injection (XXE) attack (CVE-2022-39135). The security researcher Andreas Hubold at CoreMedia GmbH has been credited with reporting this flaw.

Solr is an open-source solution for search and analytics. A fast open-source search platform built on Apache Lucene™, Solr provides scalable indexing and search, as well as faceting, hit highlighting, and advanced analysis/tokenization capabilities. Solr is managed by the Apache Software Foundation.

The flaw (CVSS score 7.3) has been addressed with the release of Apache Solar versions 9.1 and 8.11.3. All previous Solar 6.5 to 8.11.2 versions and version 9.0 are impacted.

“Apache Calcite has a vulnerability, CVE-2022-39135, that is exploitable in Apache Solr in SolrCloud mode. If an untrusted user can supply SQL queries to Solr’s “/sql” handler (even indirectly via proxies / other apps), then the user could perform an XML External Entity (XXE) attack. This might have been exposed by some deployers of Solr in order for internal analysts to use JDBC based tooling, but would have unlikely been granted to wider audiences,” explained Apache Solr developers.

By using specially-crafted XML content, a remote attacker could exploit this vulnerability to read arbitrary files, cause a denial of service, conduct an SSRF attack, or achieve other system impacts.

In this regard, we recommend that users upgrade Solar in time to mitigate potential risks.