Security Announcement - Statement on Apache Shiro authentication bypass vulnerability notice CVE-2020-13933
21-05-2021
Overview
Background of the security vulnerability
Apache Shiro is a powerful, flexible, open-source Java security framework that provides authentication, authorization (permission control), session management, and cryptography. Its simple, easy-to-use APIs let developers quickly add security controls to applications. Recently, the H3C Offensive and Defense Laboratory observed that Apache Shiro officially released a security notice about the fix for an authentication bypass vulnerability in Shiro (CVE-2020-13933), and has tracked and analysed the issue.
Principle of the vulnerability
An authentication bypass vulnerability (CVE-2020-11989) was fixed in Apache Shiro 1.5.3, but that fix was incomplete. Because Shiro and Spring parse and process request URLs differently, an authentication request can be handled incorrectly, which results in an authentication bypass. A remote attacker can exploit this by constructing special HTTP requests that bypass the authentication process and gain unauthorized access.
Reproduction of the security vulnerability
In a test environment running a vulnerable version, constructed malicious requests successfully bypass identity verification and achieve unauthorized access.
Scope of impact
Apache Shiro < 1.6.0
Solution
Official patch
Shiro has officially fixed the vulnerability in a new release. Please upgrade to Shiro 1.6.0 or later. Download link: http://shiro.apache.org/download.html
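The affected range (Apache Shiro < 1.6.0) and the fix (upgrade to 1.6.0 or later) are the only facts an asset owner needs to triage this advisory, so the practical first step is to find every Shiro artifact below 1.6.0 in your build. The following script is an added example written for this page, not code from H3C or the Apache Shiro project. It scans text in the shape of `mvn dependency:list` output for `org.apache.shiro` coordinates and reports those whose version is below the fixed release; the sample dependency listing embedded in it is constructed for illustration and does not come from any real project. It generalises slightly beyond the page by handling pre-release qualifiers (such as `-RC1`), which it treats as older than the corresponding plain release.

```python
"""Find Apache Shiro artifacts affected by CVE-2020-13933 (Shiro < 1.6.0)
in Maven dependency listings. Added example; assumes the dependency text has
the groupId:artifactId:type:version[:scope] layout that `mvn dependency:list`
prints."""
import re
from typing import List, Tuple

# Fixed release named in the advisory: every Shiro version below it is affected.
FIXED_VERSION = "1.6.0"

# One Maven coordinate for a Shiro artifact, e.g.
#   org.apache.shiro:shiro-core:jar:1.5.3:compile
# Group 1 = artifactId, group 2 = version. Other groupIds are ignored.
SHIRO_DEP_RE = re.compile(r"org\.apache\.shiro:([\w.-]+):[\w-]+:([\w.-]+)(?::\w+)?")


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '1.5.3', '1.6' or '1.6.0-RC1' into a comparable tuple.

    The leading dotted numeric part is padded to three components so that
    1.6 == 1.6.0; a trailing qualifier (e.g. '-RC1') marks a pre-release,
    which sorts before the plain release with the same numbers.
    """
    m = re.match(r"(\d+(?:\.\d+)*)(.*)", version)
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    nums = tuple(int(part) for part in m.group(1).split("."))
    nums = nums + (0,) * (3 - len(nums))
    is_release = 0 if m.group(2) else 1  # pre-release (0) < release (1)
    return nums + (is_release,)


def is_affected(version: str) -> bool:
    """True when the given Shiro version is below the fixed release."""
    return parse_version(version) < parse_version(FIXED_VERSION)


def find_affected_shiro(dependency_list: str) -> List[Tuple[str, str]]:
    """Return (artifactId, version) pairs for Shiro artifacts below 1.6.0,
    in the order they appear in the listing."""
    affected = []
    for line in dependency_list.splitlines():
        m = SHIRO_DEP_RE.search(line)
        if m and is_affected(m.group(2)):
            affected.append((m.group(1), m.group(2)))
    return affected


# Constructed sample in the shape `mvn dependency:list` prints; not taken
# from any real project.
SAMPLE_DEPENDENCY_LIST = """\
[INFO] The following files have been resolved:
[INFO]    org.apache.shiro:shiro-core:jar:1.5.3:compile
[INFO]    org.apache.shiro:shiro-spring:jar:1.5.3:compile
[INFO]    org.apache.shiro:shiro-web:jar:1.6.0:compile
[INFO]    org.springframework:spring-web:jar:5.2.8.RELEASE:compile
[INFO]    org.apache.shiro:shiro-crypto-hash:jar:1.7.1:compile
"""

if __name__ == "__main__":
    for artifact, version in find_affected_shiro(SAMPLE_DEPENDENCY_LIST):
        print(f"AFFECTED: {artifact} {version} (< {FIXED_VERSION}, CVE-2020-13933)")
```

In a real build, pipe the output of `mvn dependency:list` into `find_affected_shiro` instead of the embedded sample; a mixed result such as the one above (some Shiro modules at 1.5.3, others already at 1.6.0 or later) is exactly the partial upgrade that leaves the authentication bypass in place, since the version that matters is the one actually resolved on the classpath.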
H3C solution
The H3C IPS rule base will identify this vulnerability from version 1.0.103. Users are advised to watch the H3C official website, update to that version in time, and enable the relevant rules.
H3C security emergency response external service
H3C is committed to making every effort to safeguard the interests of product users, to abiding by the principles of responsible disclosure of security incidents, and to handling product security issues in accordance with its security issue handling mechanism. For information on H3C's security emergency response service and H3C product vulnerabilities, please visit https://www.h3c.com/en/Support/Online_Help/psirt/.