August 10, 2021
Security vulnerability with CF2021 and SOLR

I have a production CF2021 server that is getting flagged with a security vulnerability from a Nessus scan.
I’ve tried uninstalling the search package from the CF Administrator, but the SOLR website is still up and running.
How would I disable the SOLR site from starting (and/or remove SOLR completely)? I do not plan on using the built-in SOLR search.

Here is the report from the Nessus scan:

Description: The version of Apache Solr running on the remote host is at least 5.0.0 and prior to 8.4.0. It is, therefore, affected by a remote code execution vulnerability. A remote code execution vulnerability exists in VelocityResponseWriter due to a flaw in the velocity template parameter. An unauthenticated, remote attacker can exploit this to bypass authentication and execute arbitrary commands with the privileges of Apache Solr.

URL : http://mycfprod.xyz.com:8993/solr

Installed: version 7.2.1
Fixed version: 7.7.3

9 Comments
2022-11-23 12:47:07

I get similar feedback from a security scan: “EOL/Obsolete Software: Apache Solr Prior to 7.7 Detected”

ColdFusion 2021 comes with Solr 7.2.1.

How can we migrate to a more recent version?

2021-08-12 17:10:34

I’d assume Priyank is referring to the “VelocityResponseWriter” you mention. Perhaps hearing that will suffice for you, xamax.

In case it does not, I will share more thoughts in another note.

2021-08-12 17:16:18
In reply to Charlie Arehart's comment

So following on from my last one, I know that when people use scanning tools or services, it may be hard to put in an exception acknowledging an assertion like that (that CF does not include that vulnerable feature).

So to answer your other questions…

1) First, yes you COULD disable the Solr feature rather easily–at least assuming that you’re not ALSO using the CFHTMLtoPDF tag that was introduced in CF11. Both that and the Solr feature are served by way of the ColdFusion “Add-on” service. (If you just visit the 8993 port, you will see a web UI showing there’s also a /PDFgServlet url offered as an option on that same port.)

So assuming you don’t and won’t use either of those CF features, you could disable the entire add-on service. If you’re on Windows, you could stop (and “disable”) that ColdFusion 2021 Add-on Services service. In Linux, you could do the same with whichever flavor of service controller is used by your distro.

2) If somehow that was not possible (perhaps you want to use CFHTMLtoPDF), note also that you could certainly block that solr port in your firewall, so that it was not accessible from the outside. In fact, given that that 8993 port is non-standard, your firewall should already be blocking it.

But perhaps their concern is that it’s accessible from another machine in your network. In that case, note that you could configure the firewall so that the port is only accessible to the machine running CF itself. Besides the UI shown at that port (with an admin UI for Solr), that port is indeed used for internal communication from CF to the solr (and pdfg) engine–even when both CF and that service are on the same machine. You would find the URL used listed in the CF Admin, on the PDF Services and Solr Server pages, where it’s listed by default (for me) as either 127.0.0.1:8993 or localhost:8993.

2a) On a related matter, there is also a provision in the engine underlying that Solr feature, called the Jetty Service, which has its own config file (D:\ColdFusion2021\cfusion\jetty\start.ini) with a host attribute, which by default is commented out:

# jetty.http.host=0.0.0.0

I’d expect that commenting out would make it so that only localhost access was allowed. Note that it has a value of 0.0.0.0, so if that line was uncommented then that WOULD allow access to that port and this service from off the server (assuming a firewall wasn’t blocking it).

3) Finally, if somehow none of that suited you, and you JUST wanted to make it so that the /solr path there would fail, I would think you could tweak yet a different CF config file, but I looked for any and didn’t find one readily.

I would note that even if you did that, such a tweak (or even the last one above) could be replaced by a CF update, so keep that in mind. This is where again either stopping the service or using the firewall approach would seem the most “sure” solution.

Let us know if any of these ideas (his or mine) may help you.

PS Readers should not confuse the jetty folder (and start.ini) I refer to above with the jetty.xml which is in the D:\ColdFusion2021\cfusion\lib folder. That too has its own host attribute, which IS set by default to 0.0.0.0. But note that it also has a line indicating a port of 5500, so it’s UNRELATED to the solr feature. It was originally implemented in 9.0.1 (yes, a different jetty engine within CF) primarily to serve the CF Server Monitor in CF Enterprise, 2016 and earlier, via a special monitoring URL that was optional, using that port (in case the normal port used to access the CF Admin was not accessible).

But there is technically a connection to the add-on service discussed above, but again it’s unrelated to Solr. It turns out that the processing for that cfhtmltopdf feature does end up causing the pdfgservlet (in the add-on service) to call back INTO the CF instance on that port 5500! FWIW, it would be safe to set that port to whatever ip address (ipv4 or ipv6) would be used by that pdfgservice, rather than 0.0.0.0. But as I noted before, a CF update could change these files back to their defaults, so do beware, when relying on such changes to improve security.

I appreciate all that is a lot to take in, and some people don’t need that detail. But others do, so since you asked about it I thought I’d share it.

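Added example (not from the thread, and not Adobe's or Charlie's code): a small bash audit for the two exposure points described in the comment above, meant to be run on a Linux CF2021 host after applying the mitigations rather than trusting them. It greps the add-on service's start.ini for an uncommented jetty.http.host line, and parses `ss -ltn` output for any non-loopback listener on 8993, so the socket check holds even if the reading of the commented-out default turns out to be wrong. The install path in the usage comment, the `jetty.http.port` key in the sample file, and the sample socket tables are constructed for the demo, not captured from a real server.

```shell
#!/usr/bin/env bash
# Added example: audit whether the CF2021 add-on service (Solr + PDFg on 8993)
# is reachable from other hosts. Two independent checks:
#   (a) cfusion/jetty/start.ini: is jetty.http.host uncommented and non-loopback?
#   (b) live sockets: is the port listening on anything but 127.0.0.1 / [::1]?
# Real-world usage (install path is an assumption, adjust for your server):
#   audit_addon_exposure /opt/coldfusion2021/cfusion/jetty/start.ini "$(ss -ltn)"

ADDON_PORT=8993   # the Solr/PDFg add-on port named in the Nessus finding

# Print the address from an UNCOMMENTED jetty.http.host line, or "unset" when the
# line is commented out or absent (the CF2021 default shown in the thread).
jetty_bind_host() {
  local ini="$1" value
  value=$(grep -E '^[[:space:]]*jetty\.http\.host[[:space:]]*=' "$ini" \
          | tail -n 1 | cut -d= -f2- | tr -d '[:space:]')
  if [ -z "$value" ]; then echo "unset"; else echo "$value"; fi
}

# Exit 0 when start.ini would let the service accept connections from other
# hosts, i.e. an explicit bind address that is not loopback.
start_ini_exposes_addon() {
  case "$(jetty_bind_host "$1")" in
    unset|127.0.0.1|localhost|::1|'[::1]') return 1 ;;
    *) return 0 ;;
  esac
}

# From `ss -ltn` output ($1), print every local address listening on port $2
# that is NOT bound to loopback. Empty output = loopback-only or not listening.
non_loopback_listeners() {
  local ss_output="$1" port="$2"
  printf '%s\n' "$ss_output" | awk -v p=":$port" '
    $1 == "LISTEN" && substr($4, length($4) - length(p) + 1) == p {
      addr = substr($4, 1, length($4) - length(p))
      if (addr != "[::1]" && addr !~ /^127\./) print $4
    }'
}

# Run both checks; print findings; return 0 only if nothing is exposed.
audit_addon_exposure() {
  local ini="$1" ss_output="$2" rc=0 listeners
  if start_ini_exposes_addon "$ini"; then
    echo "FINDING: $ini sets jetty.http.host=$(jetty_bind_host "$ini") (not loopback)"
    rc=1
  fi
  listeners=$(non_loopback_listeners "$ss_output" "$ADDON_PORT")
  if [ -n "$listeners" ]; then
    echo "FINDING: port $ADDON_PORT reachable off-host, listening on: $listeners"
    rc=1
  fi
  [ "$rc" -eq 0 ] && echo "OK: add-on port $ADDON_PORT is loopback-only"
  return "$rc"
}

# --- constructed sample inputs (NOT captured from a real server) ---
SAMPLE_INI_DEFAULT=$(mktemp)   # default: host line commented out
printf '%s\n' '# jetty.http.host=0.0.0.0' 'jetty.http.port=8993' > "$SAMPLE_INI_DEFAULT"
SAMPLE_INI_EXPOSED=$(mktemp)   # someone uncommented the 0.0.0.0 line
printf '%s\n' 'jetty.http.host=0.0.0.0' 'jetty.http.port=8993' > "$SAMPLE_INI_EXPOSED"
trap 'rm -f "$SAMPLE_INI_DEFAULT" "$SAMPLE_INI_EXPOSED"' EXIT

SAMPLE_SS_EXPOSED='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      50     0.0.0.0:8993        0.0.0.0:*
LISTEN 0      50     127.0.0.1:8500      0.0.0.0:*
LISTEN 0      50     [::]:5500           [::]:*'
SAMPLE_SS_LOCAL='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      50     127.0.0.1:8993      0.0.0.0:*
LISTEN 0      50     127.0.0.1:8500      0.0.0.0:*'

# Demo run: default ini, but the socket table shows 8993 on 0.0.0.0 -> FINDING
audit_addon_exposure "$SAMPLE_INI_DEFAULT" "$SAMPLE_SS_EXPOSED" || true
```

The socket check is the one to trust: a service stopped and disabled as suggested will simply not appear in `ss -ltn`, and a firewall rule limiting 8993 to the CF host itself is best confirmed from a second machine with a connect attempt, which this script deliberately does not do.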
2021-08-12 20:04:23
In reply to Charlie Arehart's comment

Hi Charlie,

The VelocityResponseWriter plugin is not shipped by default. No one is at risk unless they are manually adding it. If someone does it, they are at risk.

-Priyank

2021-08-12 20:12:37
In reply to Priyank Shrivastava's comment

Charlie,

Thanks for the information. I will try to run the Adobe statement from Priyank through our security department and see if that is acceptable to them.

If that doesn’t work out, then I could try to disable the ColdFusion “Add-on” service.
I couldn’t find any instances of the CFHTMLtoPDF tag in our codebase; however, we are using <cfdocument format="PDF"> in many places. Would that be impacted in any way by turning off that service?

2021-08-12 20:28:14
In reply to xamax's comment

Hi,

Disabling the Add-on service won’t impact cfdocument functionality.

2021-08-12 20:30:52
In reply to xamax's comment

xamax, no: the cfdocument tag (added in CF7) does not work internally the same way as the cfhtmltopdf tag (added in CF11), so stopping the add-on service will not affect use of cfdocument.

2021-08-12 20:32:33
In reply to Priyank Shrivastava's comment

Thanks for confirming my assumption, Priyank. I only made that prefatory remark for the sake of xamax, before I shared the additional info–if somehow that news from you was not “good enough” for his auditors. It happens. 🙂

2021-08-12 11:57:18

Hi,

Just to inform you that this plugin is not shipped with the CF version of Solr. So it is not impacted.

Thanks,

Priyank
