Don’t Panic Yet: Breaking Down the Latest Apache Solr RCE Vulnerability



This content originally appeared on DEV Community and was authored by Sharon

> About Author
Hi, I’m Sharon, a product manager at Chaitin Tech. We build SafeLine, an open-source Web Application Firewall built for real-world threats. While SafeLine focuses on HTTP-layer protection, our emergency response center monitors and responds to RCE and authentication vulnerabilities across the stack to help developers stay safe.

Apache Solr, a popular open-source search platform, was recently reported to have a Remote Code Execution (RCE) vulnerability when running in cloud mode. Our team at Chaitin’s Emergency Response Lab analyzed this issue in detail, and here’s what you should know before jumping to conclusions.

Vulnerability Description

When Solr is configured in cloud mode, the Schema Designer feature can be abused by an attacker. By uploading a malicious schema configuration, an attacker could trick Solr into loading a crafted .jar file, potentially achieving remote code execution.

Preconditions

This bug only affects Solr instances that are explicitly started in cloud mode.

If you’re running Solr in standalone mode, you’re not exposed to this issue.

Reality Check: How Practical Is This?

After digging into the details, we believe the real-world exploitability is limited. Here’s why:

  1. The RCE relies on writing malicious .jar files into Solr’s temporary directories. The problem? Those directories vary by OS.
    • On Linux: /tmp/jar_cache*.tmp
    • On macOS: /private/var/folders/.../jar_cache*.tmp
  2. Since SOLR-13984, a Security Manager is enabled by default.
    • On Windows and macOS, this blocks writes to those directories.
    • Some researchers suggest UNC paths might bypass this on Windows, but this hasn’t been confirmed.

Affected Versions

  • Linux: Solr 8.10 – 9.2.1
  • Windows: Solr 8.10 – 9.3.0

Detection & Defense

Intrusion Detection

  1. Monitor traffic to your Solr instances. Pay special attention to requests hitting /api/schema-designer/*
  2. Review your Schema Designer entries. If you see suspicious or unauthorized schema creation attempts, investigate immediately.

Check Your Setup

  • Am I running in cloud mode?
    • Via Admin UI → Look for the Cloud option in the left panel.
    • Via API → http://<solr-host>:<port>/solr/admin/collections?action=CLUSTERSTATUS
  • Which version am I running?
    • Via Admin UI → Version shown in the top-right or footer.
    • Via API → http://<solr-host>:<port>/solr/admin/info/system?wt=json
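
As an added example (not from the original advisory or the Solr project), the mode and version checks above can be combined with the affected versions listed earlier into a per-node triage. The field names `mode`, `lucene.solr-spec-version` and `system.name` are assumptions about the layout of the system-info response, and the sample response is constructed.

```python
import json
import re

# Affected ranges as listed on this page: 8.10 is the lower bound on both
# platforms; the upper bound depends on the host OS.
LOWER = (8, 10, 0)
UPPER = {"linux": (9, 2, 1), "windows": (9, 3, 0)}


def parse_version(text):
    """Turn '9.2.1' or '8.10' into a 3-tuple of ints, padded with zeros."""
    parts = [int(n) for n in re.findall(r"\d+", text)[:3]]
    return tuple(parts + [0] * (3 - len(parts)))


def triage(info):
    """Classify one node from its parsed system-info response.

    Assumed field names: mode, lucene.solr-spec-version, system.name.
    """
    mode = info.get("mode")
    if mode == "std":
        return "not exposed: standalone mode"
    if mode != "solrcloud":
        return "unknown: mode missing or unrecognised"
    version_text = info.get("lucene", {}).get("solr-spec-version", "")
    if not re.match(r"\d+\.\d+", version_text):
        return "unknown: version missing"
    os_name = info.get("system", {}).get("name", "").lower()
    family = next((f for f in UPPER if os_name.startswith(f)), None)
    if family is None:
        return "unknown: no affected range listed for this OS"
    if LOWER <= parse_version(version_text) <= UPPER[family]:
        return "affected: cloud mode and version in range"
    return "not affected: version outside listed range"


# Constructed sample response, trimmed to the fields used above.
SAMPLE = json.loads("""
{"mode": "solrcloud",
 "lucene": {"solr-spec-version": "9.2.1"},
 "system": {"name": "Linux"}}
""")

if __name__ == "__main__":
    print(triage(SAMPLE))
```

Feed `triage` the parsed JSON from each node's system-info URL; any "unknown" result means the node needs a manual check rather than being treated as safe.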

Fixes & Workarounds

  • Permanent Fix:

    Upgrade to the latest Solr release:

    👉 Apache Solr Downloads

  • Temporary Workaround:

    • Restrict Solr access via network ACLs (allow only trusted IPs).

    • Enable authentication. Solr by default allows anonymous access — don’t leave it exposed to the internet.

Timeline

  • Oct 15 — Official patch released
  • Oct 23 — Vulnerability analyzed & reproduced by Chaitin Emergency Lab
  • Oct 24 — Public advisory published

Key Takeaway

Yes, this is an RCE in Solr — but don’t overreact. The exploitability is much lower than it first appears. Still, upgrading and tightening your Solr security posture is the best move.
