CB EDR: How to remediate for CVE-2022-39135 against on-prem server/cluster

Article ID: 285341

Products

Carbon Black EDR (formerly Cb Response)

Issue/Introduction

  • Remediate CVE-2022-39135 (https://solr.apache.org/security.html#apache-solr-is-vulnerable-to-cve-2022-39135-via-sql-handler) on an on-prem EDR server/cluster.
  • CVE-2022-39135 affects the Solr database bundled with EDR; the vulnerable functionality is exposed through Solr's /sql request handler.

Environment

  • EDR Server/Cluster:  All supported versions

Resolution

  1. Stop the server/cluster.
  2. Navigate to /etc/cb/solr/core_conf/cbalerts on the master node (and on each minion node in the case of a cluster).
  3. Edit the solrconfig.xml.template file, locate the first "requestHandler" entry, and insert the following line directly above it:
<requestHandler name="/sql" class="solr.NotFoundRequestHandler"/>
  4. Repeat step 3 for the solrconfig.xml.template file in each of the following additional directories (on the master and every minion node; six files/locations are updated on each node):
/etc/cb/solr/core_conf/cbfeeds/conf/solrconfig.xml.template
/etc/cb/solr/core_conf/cbmodules/conf/solrconfig.xml.template
/etc/cb/solr/core_conf/configsets/cbevents_v2/conf/solrconfig.xml.template
/etc/cb/solr/core_conf/configsets/cbevents_v1/conf/solrconfig.xml.template
/etc/cb/solr/core_conf/configsets/cbevents_v0/conf/solrconfig.xml.template
  5. Start the server/cluster.
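The edit in steps 3 and 4 is the same for all six template files, so it can be applied with a small script. The Python helper below is an added example, not part of this article or of Carbon Black's tooling; it assumes the template paths are passed on the command line and that each template contains at least one <requestHandler> element.

```python
#!/usr/bin/env python3
"""Insert the /sql NotFoundRequestHandler entry above the first <requestHandler>
in each solrconfig.xml.template named on the command line, keeping a .bak copy.
Idempotent: a template that already contains the entry is left untouched."""
import re
import shutil
import sys

# The line the KB article says to add (copied verbatim from the article).
SQL_HANDLER_LINE = '<requestHandler name="/sql" class="solr.NotFoundRequestHandler"/>'
# First requestHandler element at the start of a line; group 1 keeps its indentation.
FIRST_HANDLER = re.compile(r'^([ \t]*)<requestHandler\b', re.MULTILINE)
# Detects an already-remediated template (assumes name= precedes class=).
ALREADY_PATCHED = re.compile(
    r'<requestHandler\s+name="/sql"\s+class="solr\.NotFoundRequestHandler"\s*/>')


def is_remediated(text: str) -> bool:
    """True if the /sql handler is already mapped to NotFoundRequestHandler."""
    return ALREADY_PATCHED.search(text) is not None


def disable_sql_handler(text: str) -> str:
    """Return text with the /sql line inserted above the first <requestHandler>.
    Raises ValueError if there is no requestHandler, since step 3 then has no
    anchor and the file should be inspected by hand."""
    if is_remediated(text):
        return text
    m = FIRST_HANDLER.search(text)
    if m is None:
        raise ValueError("no <requestHandler> element found in template")
    indent = m.group(1)
    return text[:m.start()] + indent + SQL_HANDLER_LINE + "\n" + text[m.start():]


def patch_file(path: str) -> bool:
    """Patch one template in place (backup at path + '.bak'); True if changed."""
    with open(path, encoding="utf-8") as fh:
        original = fh.read()
    updated = disable_sql_handler(original)
    if updated == original:
        return False
    shutil.copyfile(path, path + ".bak")
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(updated)
    return True


if __name__ == "__main__":
    for template in sys.argv[1:]:
        state = "patched" if patch_file(template) else "already remediated"
        print(f"{template}: {state}")
```

Run it on each node with the six template paths as arguments, then grep the templates for NotFoundRequestHandler before starting the cluster to confirm every file was updated.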

Additional Information

  • By default, our installers configure Solr in "standard mode", which is not impacted by CVE-2022-39135.
  • DO NOT edit the solr.xml.template at the Solr root location (/etc/cb/solr); add the line only to the solrconfig.xml.template in each individual folder. Note that these are two differently named files, solr.xml.template and solrconfig.xml.template, and only solrconfig.xml.template should be updated.
  • By default, Solr only forwards requests to the /sql handler when it is running in "CloudMode". Otherwise the following message is returned regardless of the remediation steps (and CVE-2022-39135 cannot be exploited); our installers do not configure Solr in cloud mode:
"EXCEPTION":"/sql handler only works in Solr Cloud mode",