ColdFusion 9 Solr Vulnerability - Are you at Risk?

January 29, 2010
coldfusion

Adobe just released a security bulletin APSB10-04 for ColdFusion 9. If you have the Solr Search Service running on a ColdFusion 9 server it binds the Solr Web Service to port 8983 on all IP addresses. Adobe has also released a Technote describing how to fix the issue.

Is your CF9 Server at Risk?

I've updated my ColdFusion Security Scanner: hackmycf.com to test for this issue. So you can just head over there and type in your domain / email to find out.

Adobe has classified this issue as Important not Critical, but if you are using the CF9 solr service to index sensitive data, it could very well be a critical issue for you to resolve. Also if any vulnerabilities are discovered in the Solr web service itself it may become critical. I am sure a denial of service attack would be pretty easy to perform given the tools the Solr Service exposes.

It also exposes a lot of system information, all the java system properties can be exposed by visiting: http://localhost:8983/solr/data_medialibrary/admin/get-properties.jsp, which exposes things such as:

  • Operating System
  • Operating System Patch Level
  • ColdFusion Installation Paths
  • Java Version Info
  • Etc.

The good news is that if you have a network firewall in place, your firewall should be blocking requests for this port.

Given all you can do with this service, I would strongly recommend you do the following:

  • Make sure your firewall blocks port 8983
  • Disable the Solr Search Service if you are not using it.
  • Follow the instructions in the technote to limit access to localhost.

| Add Comment | add to del.icio.us | Tags: , ,

Related Entries

This entry was:

 Download FuseGuard WAF for ColdFusion

Trackbacks

Trackback Address: 738/A8F2059DF8841E6272314A1CCFB28C98

Comments

On 02/10/2010 at 2:38:10 PM EST Justin wrote:
1
Pete, Thanks for the info. We're running CF6.2 in my environment. After scanning the available services at the server, I don't see a SOLR Search Service as an option. Was the SOLR Service available in version 6.2? I'm not a ColdFusion Professional, so please excuse the elementary question. Please let me know at your earliest convenience, as I'm trying to identify whether the patch for the web service will apply to my environment.

Thanks in Advance, Justin

On 02/10/2010 at 2:43:19 PM EST Pete Freitag wrote:
2
Hi Justin,

The Solr Search Service was added in ColdFusion version 9.0, so you do not need to worry about this for CF 1-8

On 03/30/2011 at 6:53:12 AM EDT Ciaran Archer wrote:
3
Hi Pete

I am running CF Enterprise 9,0,1,274733 and planning to use Solr. I noticed that the line in the technote regarding the host restriction is in place and not commented out:

<Call name="addConnector"> <Arg> <New class="org.mortbay.jetty.bio.SocketConnector"> <Set name="Host">127.0.0.1</Set> <Set name="port"><SystemProperty name="jetty.port" default="8983"/></Set> <Set name="maxIdleTime">50000</Set> <Set name="lowResourceMaxIdleTime">1500</Set> </New> </Arg> </Call>

I did a check from another machine and thwy can't connect to Solr but that can connect to my dev website on port 80. Perhaps this is something that Adobe fixed up in later versions?

Cheers.

Post a Comment




  



Spell Checker by Foundeo

Recent Entries



foundeo


did you hack my cf?



Archives:
2012 2011 2010 2009 2008 2007 2006 2005 2004 2003 2002