Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Solr. The Solr Metrics API publishes all unprotected environment variables available to each Apache Solr instance. Users can specify which environment variables to hide; however, the default hide list was designed for known secret Java system properties, not for environment variables. Environment variables cannot be strictly defined in Solr the way Java system properties can be, and they may be set for the entire host, unlike Java system properties, which are set per Java process. The Solr Metrics API is protected by the “metrics-read” permission, so Solr Clouds with Authorization set up are only vulnerable through users who hold the “metrics-read” permission. This issue affects Apache Solr from 9.0.0 before 9.3.0. Users are recommended to upgrade to version 9.3.0 or later, in which environment variables are no longer published via the Metrics API.
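As an added defender-side check (not code from the advisory or the Solr project), the script below walks a Metrics API response and flags leaves that echo a host environment variable or carry a secret-looking name, alongside a version test for the affected range; `/solr/admin/metrics` is Solr's real endpoint, while the sample response layout and its `system.env` group name are constructed assumptions.

```python
import json, os, re, sys, urllib.request

# Names that usually hold credentials; a heuristic, not a Solr-defined list.
SECRET_NAME = re.compile(r"PASS|SECRET|TOKEN|KEY|CREDENTIAL", re.IGNORECASE)

def parse_version(version):
    return tuple(int(p) for p in version.split(".")[:3])

def is_affected_version(version):
    """Affected range stated in the advisory: 9.0.0 <= version < 9.3.0."""
    return (9, 0, 0) <= parse_version(version) < (9, 3, 0)

def find_env_leaks(node, env, path=""):
    """Return JSON paths of leaves that echo a variable from `env` (same name
    and value) or have a secret-looking name. The walk ignores layout because
    the advisory does not say which metric group carried the variables."""
    leaks = []
    if isinstance(node, dict):
        for key, value in node.items():
            here = f"{path}/{key}"
            if isinstance(value, (dict, list)):
                leaks.extend(find_env_leaks(value, env, here))
            elif (key in env and str(value) == env[key]) or SECRET_NAME.search(key):
                leaks.append(here)
    elif isinstance(node, list):
        for i, item in enumerate(node):
            leaks.extend(find_env_leaks(item, env, f"{path}/{i}"))
    return leaks

def fetch_metrics(base_url, timeout=10):
    """GET the Metrics API of a node you administer (no auth headers added)."""
    with urllib.request.urlopen(f"{base_url}/solr/admin/metrics?wt=json", timeout=timeout) as resp:
        return json.load(resp)

# Constructed sample response; the "system.env" group is an assumed layout.
SAMPLE_METRICS = {
    "responseHeader": {"status": 0, "QTime": 3},
    "metrics": {"solr.jvm": {
        "system.properties": {"java.version": "17.0.8", "user.dir": "/opt/solr"},
        "system.env": {"PATH": "/usr/bin", "DB_PASSWORD": "constructed-example", "LANG": "C.UTF-8"},
    }},
}
SAMPLE_ENV = {"PATH": "/usr/bin", "DB_PASSWORD": "constructed-example", "HOME": "/home/solr"}

if __name__ == "__main__":
    live = len(sys.argv) > 1  # pass a base URL to scan a node you operate
    doc = fetch_metrics(sys.argv[1]) if live else SAMPLE_METRICS
    for leak in find_env_leaks(doc, dict(os.environ) if live else SAMPLE_ENV):
        print("possible environment leak:", leak)
```

Run without arguments to see the check against the constructed sample; any flagged path on a real node under 9.3.0 is a reason to restrict “metrics-read” and upgrade.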
OS | OS version | Architecture | Package | Package version | Filename |
---|---|---|---|---|---|
ubuntu | 18.04 | noarch | lucene-solr | < any | UNKNOWN |
ubuntu | 20.04 | noarch | lucene-solr | < any | UNKNOWN |
ubuntu | 22.04 | noarch | lucene-solr | < any | UNKNOWN |
ubuntu | 23.10 | noarch | lucene-solr | < any | UNKNOWN |
ubuntu | 24.04 | noarch | lucene-solr | < any | UNKNOWN |
ubuntu | 14.04 | noarch | lucene-solr | < any | UNKNOWN |
ubuntu | 16.04 | noarch | lucene-solr | < any | UNKNOWN |