Vulnerabilities > CVE-2019-0192 - Deserialization of Untrusted Data vulnerability in multiple products

047910
CVSS 9.8 - CRITICAL
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
HIGH
Integrity impact
HIGH
Availability impact
HIGH
network
low complexity
apache
netapp
CWE-502
critical
nessus

Summary

In Apache Solr versions 5.0.0 to 5.5.5 and 6.0.0 to 6.6.5, the Config API allows to configure the JMX server via an HTTP POST request. By pointing it to a malicious RMI server, an attacker could take advantage of Solr's unsafe deserialization to trigger remote code execution on the Solr side.

Common Weakness Enumeration (CWE)

Nessus

  • NASL familyCGI abuses
    NASL idORACLE_PRIMAVERA_UNIFIER_CPU_JUL_2019.NASL
    descriptionAccording to its self-reported version number, the Oracle Primavera Unifier installation running on the remote web server is 15.x or 16.x prior to 16.2.15.9 or 17.7.x prior to 17.12.11 or 18.x prior to 18.8.11. It is, therefore, affected by multiple vulnerabilities: - A deserialization vulnerability exists in the Apache Solr subcomponent of Primavera Unifier. An unauthenticated, remote attacker can exploit this, via a specially crafted request to the Solr Config API, to execute arbitrary code on the target host. (CVE-2019-0192) - A denial of service (DoS) vulnerability exists in the Apache Tika subcomponent of Primavera Unifier due to incorrect parsing of a crafted sqlite file. An unauthenticated, remote attacker can exploit this issue by convincing a user to open a specially crafted file to cause the application to stop responding. (CVE-2018-17197) - A server side request forgery exists in the Apache Solr subcomponent of Primavera Unifier. An unauthenticated remote attacker can exploit this issue to make Solr perform an HTTP GET request to any reachable URL. (CVE-2017-3164) - A cross-site scripting (XSS) vulnerability exists due to improper validation of user-supplied input before returning it to users. An unauthenticated, remote attacker can exploit this, by convincing a user to click a specially crafted URL, to execute arbitrary script code in a user
    last seen2020-06-01
    modified2020-06-02
    plugin id126829
    published2019-07-19
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/126829
    titleOracle Primavera Unifier Multiple Vulnerabilities (Jul 2019 CPU)
  • NASL familyCGI abuses
    NASL idSOLR_7_0_0.NASL
    descriptionThe version of Apache Solr running on the remote web server is affected by a remote code execution vulnerability in the Config API due to unsafe deserialization of Java objects. An unauthenticated, remote attacker can exploit this, via an HTTP POST request that points the JMX server to a malicious RMI server. An attacker could then send a crafted serialized Java object to the server, to execute arbitrary code.
    last seen2020-06-01
    modified2020-06-02
    plugin id123417
    published2019-03-27
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/123417
    titleApache Solr 5.x <= 5.5.5 or 6.x <= 6.6.5 Deserialization Vulnerability

Redhat

advisories
rhsa
idRHSA-2019:2413

The Hacker News

idTHN:66694DD5D9C12B2B7881AB6C960E34DC
last seen2019-07-25
modified2019-07-25
published2019-07-25
reporterThe Hacker News
sourcehttps://thehackernews.com/2019/07/linux-malware-windows-bluekeep.html
titleLinux Botnet Adding BlueKeep-Flawed Windows RDP Servers to Its Target List

References