Potential CVE-2021-27905 Exploitation Attempt

 1title: Potential CVE-2021-27905 Exploitation Attempt
 2id: 0bbcd74b-0596-41a4-94a0-4e88a76ffdb3
 3status: test
 4description: Detects exploitation attempt of the CVE-2021-27905 which affects all Apache Solr versions prior to and including 8.8.1.
 5references:
 6    - https://twitter.com/Al1ex4/status/1382981479727128580
 7    - https://twitter.com/sec715/status/1373472323538362371
 8    - https://nsfocusglobal.com/apache-solr-arbitrary-file-read-and-ssrf-vulnerability-threat-alert/
 9    - https://mp.weixin.qq.com/s?__biz=Mzg3NDU2MTg0Ng==&mid=2247484117&idx=1&sn=2fdab8cbe4b873f8dd8abb35d935d186
10    - https://github.com/murataydemir/CVE-2021-27905
11author: '@gott_cyber'
12date: 2022-12-11
13modified: 2023-03-24
14tags:
15    - attack.initial-access
16    - attack.t1190
17    - cve.2021-27905
18    - detection.emerging-threats
19logsource:
20    category: webserver
21detection:
22    selection_request1:
23        cs-uri-query|contains|all:
24            - '/solr/'
25            - '/debug/dump?'
26            - 'param=ContentStream'
27        sc-status: 200
28    selection_request2:
29        cs-method: 'GET'
30        cs-uri-query|contains|all:
31            - '/solr/'
32            - 'command=fetchindex'
33            - 'masterUrl='
34        sc-status: 200
35    condition: 1 of selection_*
36falsepositives:
37    - Vulnerability Scanners
38level: medium

References

• x.com

  
  Read More

• x.com

  
  Read More

• Apache Solr Arbitrary File Read and SSRF Vulnerability Threat Alert - NSFOCUS, Inc., a global network and cyber security leader, protects enterprises and carriers from advanced cyber attacks.

  

  Vulnerability Description Recently, NSFOCUS detected that an Apache Solr arbitrary file read and server-side request forgery (SSRF) vulnerability was disclosed on the Internet. Since authentication was disabled by default when Apache Solr was installed, unauthenticated attackers could turn on requestDis patcher.requestParsers.enableRemoteStreaming via the Config API, thereby exploiting the vulnerability to read files. Currently, the proof […]

  
  Read More

• Apache Solr 任意文件读取漏洞 1Day

  

  Apache Solr 任意文件读取漏洞 1Day来啦~

  
  Read More

• GitHub - murataydemir/CVE-2021-27905: [CVE-2021-27905] Apache Solr ReplicationHandler Server Side Request Forgery (SSRF)

  

  [CVE-2021-27905] Apache Solr ReplicationHandler Server Side Request Forgery (SSRF) - murataydemir/CVE-2021-27905

  
  Read More

Related rules

• ADSelfService Exploitation
• Apache Spark Shell Command Injection - Weblogs
• Arcadyan Router Exploitations
• Atlassian Bitbucket Command Injection Via Archive API
• CVE-2010-5278 Exploitation Attempt