High severity · NVD Advisory · Published Apr 13, 2021 · Updated Aug 3, 2024

SSRF vulnerability with the Replication handler

CVE-2021-27905

Description

The ReplicationHandler (normally registered at "/replication" under a Solr core) in Apache Solr has a "masterUrl" (also "leaderUrl" alias) parameter that is used to designate another ReplicationHandler on another Solr core to replicate index data into the local core. To prevent a SSRF vulnerability, Solr ought to check these parameters against a similar configuration it uses for the "shards" parameter. Prior to this bug getting fixed, it did not. This problem affects essentially all Solr versions prior to it getting fixed in 8.8.2.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Apache Solr ReplicationHandler before 8.8.2 lacks a host whitelist check for masterUrl/leaderUrl, enabling unauthenticated SSRF from any client.

Vulnerability

The ReplicationHandler in Apache Solr, registered at /replication under a Solr core, accepts a masterUrl (or leaderUrl) parameter to designate a remote Solr core from which to replicate index data. Prior to version 8.8.2, Solr did not validate this URL against an internal whitelist, unlike the similar check it performs for the shards parameter. This missing restriction allows an attacker to specify an arbitrary host as the source for replication, enabling a server-side request forgery (SSRF). [1]

Exploitation

An attacker can issue a replication request to any vulnerable Solr core's /replication endpoint (e.g., via a command like ?command=fetchindex&masterUrl=http://internal-service:8080/). The attacker does not need authentication; the ReplicationHandler endpoint is typically accessible to any client that can reach the Solr HTTP port. No user interaction is required beyond sending the crafted request. [1]

Impact

Successful exploitation allows the attacker to force the Solr server to make HTTP requests to arbitrary internal network hosts, potentially accessing sensitive services, reading local files (if a responsive service returns data that Solr attempts to index), or performing reflection attacks. The compromise targets the confidentiality of internal resources reachable by the Solr server. [1]

Mitigation

Apache Solr fixed this vulnerability in version 8.8.2 (released 2021-04-12) by adding validation of the masterUrl parameter against a whitelist of allowed hosts. Users should upgrade to Solr 8.8.2 or later. There is no known workaround for installations that cannot upgrade immediately; administrators may restrict network access to the /replication endpoint via firewall rules or reverse-proxy filtering. [1]
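
A log check to accompany the network-level restriction described above, as an added example that is not part of the advisory or of Solr's code: it scans access-log lines for /replication requests carrying masterUrl or leaderUrl and reports source hosts outside an allow-list. The allow-list host, the log format and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumption: the only host this deployment legitimately replicates from.
ALLOWED_LEADERS = {"solr-leader.example.internal"}
URL_PARAMS = ("masterUrl", "leaderUrl")  # parameter names from the advisory

# Request line of a common/combined-format access log entry (assumed format).
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

def _host(value):
    """Host part of a replication source URL, or "" if none can be parsed."""
    try:
        return urlsplit(value).hostname or ""
    except ValueError:  # malformed URL, e.g. unbalanced IPv6 brackets
        return ""

def replication_targets(line):
    """Return (param, host) pairs for masterUrl/leaderUrl on a /replication request."""
    m = REQUEST_RE.search(line)
    if not m:
        return []
    target = urlsplit(m.group(1))
    if not target.path.rstrip("/").endswith("/replication"):
        return []
    params = parse_qs(target.query)  # percent-decodes the values as well
    return [(name, _host(v)) for name in URL_PARAMS for v in params.get(name, [])]

def suspicious(lines, allowed=ALLOWED_LEADERS):
    """Return (line_no, param, host) for replication sources outside the allow-list."""
    return [(no, name, host)
            for no, line in enumerate(lines, 1)
            for name, host in replication_targets(line)
            if host not in allowed]

# Constructed sample lines, not from a real system. Parameters sent in a POST
# body never reach the access log, so this only covers query-string requests.
SAMPLE = [
    '10.0.0.5 - - [13/Apr/2021:10:00:01 +0000] "GET /solr/products/replication?command=fetchindex&masterUrl=http://solr-leader.example.internal:8983/solr/products HTTP/1.1" 200 120',
    '203.0.113.9 - - [13/Apr/2021:10:02:17 +0000] "GET /solr/products/replication?command=fetchindex&masterUrl=http://internal-service:8080/ HTTP/1.1" 200 95',
    '203.0.113.9 - - [13/Apr/2021:10:02:19 +0000] "GET /solr/products/replication?command=fetchindex&leaderUrl=http%3A%2F%2Finternal-service%3A8080%2F HTTP/1.1" 200 95',
    '10.0.0.5 - - [13/Apr/2021:10:03:00 +0000] "GET /solr/products/replication?command=details HTTP/1.1" 200 840',
    '10.0.0.5 - - [13/Apr/2021:10:03:05 +0000] "GET /solr/products/select?q=*:* HTTP/1.1" 200 5120',
]

if __name__ == "__main__":
    for hit in suspicious(SAMPLE):
        print("replication source not allow-listed:", hit)
```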

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package | Affected versions | Patched versions
org.apache.solr:solr-parent (Maven) | < 8.8.2 | 8.8.2
