Hi, Solr is not a web server that is accessible to someone on the outside of your firewall. I.e. users on the outside will never issue requests direclty or indirectly directly to Solr, unless you have exposed the raw Solr server through a simple reverse proxy or similar, which is a big no-no. What happens when you request http://solr-ip:8983/ <http://solr-ip:8983/> is that there is no content there, so you get redirected to Solr's "webapp" on /solr/. The "Location: http..." is a Http 302 redirect message.
Again, human users will never have direct access to Solr server, and if they do they are already on the inside of your network and already know Solr's IP address. Thus, this is not a vulnerability like it would perhaps be for an IIS server that is designed to be end-user facing. Jan > 7. apr. 2022 kl. 16:56 skrev Anchal Sharma2 <anchs...@in.ibm.com>: > > Hi All, > > It took me a while to get the following information about the detected > vulnerability from the security team .The officially used security tool was > able to exploit the issue using the following request : > > GET / HTTP/1.0 > Accept-Charset: iso-8859-1,utf-8;q=0.9,*;q=0.1 > Accept-Language: en > Connection: Close > User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0) > Pragma: no-cache > Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */* > > > > > This produced the following truncated output (limited to 10 lines) : > ------------------------------ snip ------------------------------ > Location: http://<IP address>:8983/solr/ > > > ------------------------------ snip ------------------------------ > > The CVE number is CVE-2000-0649. > https://nvd.nist.gov/vuln/detail/CVE-2000-0649 Can anyone suggest some > fixes for the said vulnerability ? > NVD - CVE-2000-0649<https://nvd.nist.gov/vuln/detail/CVE-2000-0649> > Current Description . IIS 4.0 allows remote attackers to obtain the internal > IP address of the server via an HTTP 1.0 request for a web page which is > protected by basic authentication and has no realm defined. > nvd.nist.gov > > Thank you > Anchal Sharma > ________________________________ > From: Davis, Daniel (NIH/NLM) [C] <daniel.da...@nih.gov.INVALID> > Sent: Wednesday, February 16, 2022 9:58 PM > To: users@solr.apache.org <users@solr.apache.org> > Cc: solr-user <solr-u...@lucene.apache.org> > Subject: Re: [EXTERNAL] Re: Vulnerability on solr port > > If the port is proxied to something else, maybe by a load balancer, then > disclosing the IP address in an HTTP header could be an issue. The scanner > doesn't know whether the port is proxied elsewhere. > > On 2/14/22, 8:29 AM, "matthew sporleder" <msporle...@gmail.com> wrote: > > CAUTION: This email originated from outside of the organization. Do not > click links or open attachments unless you recognize the sender and are > confident the content is safe. > > > So you scanned an internal IP address and somehow disclosed the > internal IP address? > > On Mon, Feb 14, 2022 at 4:36 AM Anchal Sharma2 <anchs...@in.ibm.com> wrote: >> >> Hi All, >> >> We have got following vulnerability on port where apache solr is running on >> few of our servers .Does anyone have any ideas/suggestions on how to >> mitigate this ? >> Vulnerability -> Web Server HTTP Header Internal IP Disclosure 8983 >> >> Thanks >> Anchal Sharma >
