In Apache Solr versions 5.0.0 to 5.5.5 and 6.0.0 to 6.6.5, the Config API allows to configure the JMX server via an HTTP POST request. By pointing it to a malicious RMI server, an attacker could take advantage of Solr's unsafe deserialization to trigger remote code execution on the Solr side.
Fixes

Solution

No solution given by the vendor.


Workaround

No workaround given by the vendor.

References
Link Providers
http://mail-archives.us.apache.org/mod_mbox/www-announce/201903.mbox/%3CCAECwjAV1buZwg%2BMcV9EAQ19MeAWztPVJYD4zGK8kQdADFYij1w%40mail.gmail.com%3E cve-icon cve-icon
http://www.securityfocus.com/bid/107318 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2019:2413 cve-icon cve-icon
https://lists.apache.org/thread.html/42c5682f4acd1d03bd963e4f47ae448d7cff66c16b19142773818892%40%3Cdev.lucene.apache.org%3E cve-icon cve-icon
https://lists.apache.org/thread.html/53e4744b14fb7f1810405f8ff5531ab0953a23dd09ce8071ce87e00d%40%3Cdev.lucene.apache.org%3E cve-icon cve-icon
https://lists.apache.org/thread.html/b0ace855f569c6b7a0b03ba68566e53b1a1a519abd536bf38978ce4a%40%3Cdev.lucene.apache.org%3E cve-icon cve-icon
https://lists.apache.org/thread.html/bcce5a9c532b386c68dab2f6b3ce8b0cc9b950ec551766e76391caa3%40%3Ccommits.nifi.apache.org%3E cve-icon cve-icon
https://lists.apache.org/thread.html/d0e608c681dfbb16b4da68d99d43fa0ddbd366bb3bcf5bc0d43c56d7%40%3Cdev.lucene.apache.org%3E cve-icon cve-icon
https://lists.apache.org/thread.html/ec9c572fb803b26ba0318777977ee6d6a2fb3a2c50d9b4224e541d5d%40%3Cdev.lucene.apache.org%3E cve-icon cve-icon
https://lists.apache.org/thread.html/rc400db37710ee79378b6c52de3640493ff538c2beb41cefdbbdf2ab8%40%3Ccommits.submarine.apache.org%3E cve-icon cve-icon
https://lists.apache.org/thread.html/rca37935d661f4689cb4119f1b3b224413b22be161b678e6e6ce0c69b%40%3Ccommits.nifi.apache.org%3E cve-icon cve-icon
https://nvd.nist.gov/vuln/detail/CVE-2019-0192 cve-icon
https://security.netapp.com/advisory/ntap-20190327-0003/ cve-icon cve-icon
https://www.cve.org/CVERecord?id=CVE-2019-0192 cve-icon
https://www.oracle.com/security-alerts/cpuoct2020.html cve-icon cve-icon
https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html cve-icon cve-icon
History

No history.

cve-icon MITRE

Status: PUBLISHED

Assigner: apache

Published:

Updated: 2024-09-16T16:53:42.278Z

Reserved: 2018-11-14T00:00:00

Link: CVE-2019-0192

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Modified

Published: 2019-03-07T21:29:00.203

Modified: 2024-11-21T04:16:27.140

Link: CVE-2019-0192

cve-icon Redhat

Severity : Important

Publid Date: 2019-03-07T00:00:00Z

Links: CVE-2019-0192 - Bugzilla

cve-icon OpenCVE Enrichment

No data.