Vulnerabilities > CVE-2019-0192 - Deserialization of Untrusted Data vulnerability in multiple products
Attack vector
NETWORK Attack complexity
LOW Privileges required
NONE Confidentiality impact
HIGH Integrity impact
HIGH Availability impact
HIGH Summary
In Apache Solr versions 5.0.0 to 5.5.5 and 6.0.0 to 6.6.5, the Config API allows to configure the JMX server via an HTTP POST request. By pointing it to a malicious RMI server, an attacker could take advantage of Solr's unsafe deserialization to trigger remote code execution on the Solr side.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Nessus
NASL family CGI abuses NASL id ORACLE_PRIMAVERA_UNIFIER_CPU_JUL_2019.NASL description According to its self-reported version number, the Oracle Primavera Unifier installation running on the remote web server is 15.x or 16.x prior to 16.2.15.9 or 17.7.x prior to 17.12.11 or 18.x prior to 18.8.11. It is, therefore, affected by multiple vulnerabilities: - A deserialization vulnerability exists in the Apache Solr subcomponent of Primavera Unifier. An unauthenticated, remote attacker can exploit this, via a specially crafted request to the Solr Config API, to execute arbitrary code on the target host. (CVE-2019-0192) - A denial of service (DoS) vulnerability exists in the Apache Tika subcomponent of Primavera Unifier due to incorrect parsing of a crafted sqlite file. An unauthenticated, remote attacker can exploit this issue by convincing a user to open a specially crafted file to cause the application to stop responding. (CVE-2018-17197) - A server side request forgery exists in the Apache Solr subcomponent of Primavera Unifier. An unauthenticated remote attacker can exploit this issue to make Solr perform an HTTP GET request to any reachable URL. (CVE-2017-3164) - A cross-site scripting (XSS) vulnerability exists due to improper validation of user-supplied input before returning it to users. An unauthenticated, remote attacker can exploit this, by convincing a user to click a specially crafted URL, to execute arbitrary script code in a user last seen 2020-06-01 modified 2020-06-02 plugin id 126829 published 2019-07-19 reporter This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/126829 title Oracle Primavera Unifier Multiple Vulnerabilities (Jul 2019 CPU) NASL family CGI abuses NASL id SOLR_7_0_0.NASL description The version of Apache Solr running on the remote web server is affected by a remote code execution vulnerability in the Config API due to unsafe deserialization of Java objects. An unauthenticated, remote attacker can exploit this, via an HTTP POST request that points the JMX server to a malicious RMI server. An attacker could then send a crafted serialized Java object to the server, to execute arbitrary code. last seen 2020-06-01 modified 2020-06-02 plugin id 123417 published 2019-03-27 reporter This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/123417 title Apache Solr 5.x <= 5.5.5 or 6.x <= 6.6.5 Deserialization Vulnerability
Redhat
advisories |
|
The Hacker News
id | THN:66694DD5D9C12B2B7881AB6C960E34DC |
last seen | 2019-07-25 |
modified | 2019-07-25 |
published | 2019-07-25 |
reporter | The Hacker News |
source | https://thehackernews.com/2019/07/linux-malware-windows-bluekeep.html |
title | Linux Botnet Adding BlueKeep-Flawed Windows RDP Servers to Its Target List |
References
- http://mail-archives.us.apache.org/mod_mbox/www-announce/201903.mbox/%3CCAECwjAV1buZwg%2BMcV9EAQ19MeAWztPVJYD4zGK8kQdADFYij1w%40mail.gmail.com%3E
- http://www.securityfocus.com/bid/107318
- https://security.netapp.com/advisory/ntap-20190327-0003/
- https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html
- https://access.redhat.com/errata/RHSA-2019:2413
- https://www.oracle.com/security-alerts/cpuoct2020.html
- https://lists.apache.org/thread.html/b0ace855f569c6b7a0b03ba68566e53b1a1a519abd536bf38978ce4a%40%3Cdev.lucene.apache.org%3E
- https://lists.apache.org/thread.html/42c5682f4acd1d03bd963e4f47ae448d7cff66c16b19142773818892%40%3Cdev.lucene.apache.org%3E
- https://lists.apache.org/thread.html/d0e608c681dfbb16b4da68d99d43fa0ddbd366bb3bcf5bc0d43c56d7%40%3Cdev.lucene.apache.org%3E
- https://lists.apache.org/thread.html/ec9c572fb803b26ba0318777977ee6d6a2fb3a2c50d9b4224e541d5d%40%3Cdev.lucene.apache.org%3E
- https://lists.apache.org/thread.html/53e4744b14fb7f1810405f8ff5531ab0953a23dd09ce8071ce87e00d%40%3Cdev.lucene.apache.org%3E
- https://lists.apache.org/thread.html/bcce5a9c532b386c68dab2f6b3ce8b0cc9b950ec551766e76391caa3%40%3Ccommits.nifi.apache.org%3E
- https://lists.apache.org/thread.html/rca37935d661f4689cb4119f1b3b224413b22be161b678e6e6ce0c69b%40%3Ccommits.nifi.apache.org%3E
- https://lists.apache.org/thread.html/rc400db37710ee79378b6c52de3640493ff538c2beb41cefdbbdf2ab8%40%3Ccommits.submarine.apache.org%3E