VYPR
Unrated severity · NVD Advisory · Published Nov 7, 2023 · Updated Sep 4, 2024

Apache OFBiz: Execution of Solr plugin queries without authentication

CVE-2023-46819

Description

Missing Authentication in Apache Software Foundation Apache OFBiz when using the Solr plugin. This issue affects Apache OFBiz: before 18.12.09.

Users are recommended to upgrade to version 18.12.09.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Missing authentication in Apache OFBiz Solr plugin allows unauthenticated attackers to execute arbitrary queries against Solr, enabling data exposure.

Vulnerability

A missing authentication flaw exists in the Apache OFBiz Solr plugin in versions before 18.12.09. The Solr plugin did not require authentication, so any unauthenticated user could access and interact with the Solr search interface exposed by OFBiz. This issue affects all OFBiz releases prior to the fixed version [1][2][3].

Exploitation

An attacker with network access to the OFBiz instance can send requests directly to the Solr plugin without needing any authentication, session, or prior access. By crafting HTTP requests to Solr endpoints, the attacker can execute arbitrary search queries against the Solr core used by OFBiz, bypassing any intended access controls [1][3].

Impact

Successful exploitation allows an unauthenticated attacker to execute arbitrary queries against the Solr search index, leading to unauthorized disclosure of sensitive data stored in the Solr index. Depending on the data indexed, this could include customer information, order details, or other business data. The attacker does not gain OS-level access but can read any data indexed by Solr [1][3].

Mitigation

The vulnerability is fixed in Apache OFBiz version 18.12.09, released in November 2023 [2][3]. All users are recommended to upgrade to 18.12.09 or later. No workaround is documented, but restricting network access to the OFBiz Solr plugin via firewall rules may reduce exposure until an upgrade can be applied [1].

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

  • Apache / Apache OFBiz (source: llm-create), 2 version ranges:
    • (no CPE) range: <18.12.09
    • (no CPE) range: 0

Patches (0)

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References (4)

News mentions (0)

No linked articles in our index yet.