EDR: Mitigation for Vulnerability CVE-2019-0192

Article ID: 290715


Products

Carbon Black EDR (formerly Cb Response)

Issue/Introduction

  • Vulnerability [CVE-2019-0192] Deserialization of untrusted data via jmx.serviceUrl, reported by Apache Solr in https://issues.apache.org/jira/browse/SOLR-13301
  • Impacts Apache Solr versions 5.0 - 6.6.5, which are not the versions used by supported versions of EDR

Environment

  • EDR Server: All Supported Versions
  • Linux: All Supported Versions

Cause

From https://issues.apache.org/jira/browse/SOLR-13301:

"ConfigAPI allows setting a jmx.serviceUrl that will create a new JMXConnectorServerFactory and trigger a call with 'bind' operation to a target RMI/LDAP server. A malicious RMI server could respond with an arbitrary object that will be deserialized on the Solr side using Java's ObjectInputStream, which is considered unsafe. This type of vulnerability can be exploited with the ysoserial tool. Depending on the target classpath, an attacker can use one of the 'gadget chains' to trigger Remote Code Execution on the Solr side."


Resolution

  1. EDR doesn't use the Config API, and it has been disabled, fulfilling Apache's recommendation:
    1. Disable the ConfigAPI if not in use, by running Solr with the system property disable.configEdit=true
  2. EDR only accesses Solr directly on the local machine or on the machines in a Solr cluster.
  3. Upgrade to a supported version of EDR, which doesn't include this version of Solr.
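The two facts above (affected version range, mitigation via the disable.configEdit JVM property) can be audited on a host. The following helper is an added example, not part of this article or of the EDR product; it takes the Solr version string and the Solr Java process command line as constructed sample inputs, and all function names and the sample home path are hypothetical.

```python
"""Audit helper for CVE-2019-0192 (Apache Solr ConfigAPI / jmx.serviceUrl).

Check 1: is the Solr version inside the affected range 5.0 - 6.6.5?
Check 2: was the JVM started with -Ddisable.configEdit=true (Apache's mitigation)?
Inputs are constructed strings standing in for the real version field and `ps` output.
"""
import re
import shlex

AFFECTED_MIN = (5, 0, 0)
AFFECTED_MAX = (6, 6, 5)


def parse_version(text):
    """Turn '6.6.2', '6.6' or 'solr-spec 7.7.1' into a 3-tuple of ints."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"no version found in {text!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def is_affected_version(text):
    """True when the Solr version falls in the range listed in SOLR-13301."""
    return AFFECTED_MIN <= parse_version(text) <= AFFECTED_MAX


def config_api_disabled(java_cmdline):
    """True only when the JVM carries -Ddisable.configEdit=true (quoting-safe)."""
    for tok in shlex.split(java_cmdline):
        if tok.startswith("-Ddisable.configEdit="):
            return tok.split("=", 1)[1].strip().lower() == "true"
    return False


def assess(version_text, java_cmdline):
    """Combine both checks into a one-line verdict for a report."""
    if not is_affected_version(version_text):
        return "not affected: Solr version outside 5.0-6.6.5"
    if config_api_disabled(java_cmdline):
        return "affected version, mitigated: ConfigAPI disabled"
    return "affected version, NOT mitigated: set disable.configEdit=true"


# Constructed sample command line (hypothetical home path) with the mitigation applied.
SAMPLE_CMDLINE = ('java -server -Xms512m -Dsolr.solr.home="/example/solr/home"'
                  ' -Ddisable.configEdit=true -jar start.jar')

if __name__ == "__main__":
    print(assess("6.6.2", SAMPLE_CMDLINE))
```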

Additional Information