CVE-2023-50386: 
Java vulnerability analysis and mitigation

CVE-2023-50386 is a vulnerability discovered in Apache Solr affecting versions from 6.0.0 through 8.11.2 and 9.0.0 before 9.4.1. The vulnerability was disclosed on February 9, 2024, and involves multiple security issues including Improper Control of Dynamically-Managed Code Resources, Unrestricted Upload of File with Dangerous Type, and Inclusion of Functionality from Untrusted Control Sphere. The vulnerability affects the ConfigSets API and backup functionality in Apache Solr (Apache Security, NVD).

The vulnerability stems from Solr ConfigSets accepting Java jar and class files through the ConfigSets API. When backing up Solr Collections using the LocalFileSystemRepository (default for backups), these configSet files are saved to disk. If the backup is saved to a directory that Solr uses in its ClassPath/ClassLoaders, the jar and class files become available for use with any ConfigSet, whether trusted or untrusted. The vulnerability has been assigned a CVSS v3.1 Base Score of 8.8 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (NVD).

When Solr is running with Authorization enabled, the vulnerability's impact is limited to extending the Backup permissions with the ability to add libraries. However, in systems without proper security controls, this could potentially lead to remote code execution through the execution of malicious uploaded code (AttackerKB).

Users are recommended to upgrade to version 8.11.3 or 9.4.1, which fix the issue. The fixes include two key protections: users are no longer able to upload files to a configSet that could be executed via a Java ClassLoader, and the Backup API restricts saving backups to directories that are used in the ClassLoader. Additionally, running Solr with Authentication and Authorization enabled is strongly recommended as a security best practice (Apache Security).