High vulnerability caused by Apache Shiro #2656

Open
nanjiangshu opened this issue Mar 9, 2023 · 7 comments

nanjiangshu commented Mar 9, 2023

We have deployed an instance of Apollo on a Cloud virtual machine and it worked very well until the sysadmin reported a high vulnerability caused by Apache Shiro. The reported vulnerability and the potential solution suggested by the sysadmin are pasted below.

Vulnerabilities
159323 - Apache Shiro Default Cipher Key (CVE-2016-4437)
Synopsis
A Java security framework uses a default cipher key.
Description
The Apache Shiro uses a default cipher key for the 'remember me' feature when not explicitly configured. An unauthenticated, remote attacker can exploit this, via a specially crafted request, to execute arbitrary code or access content that would otherwise be protected by a security constraint.
See Also
http://www.nessus.org/u?fd9839a6
http://www.nessus.org/u?25ff751a
Solution
Upgrade to Apache Shiro 1.2.5 or later, ensure a secret cipher key is configured, or disable the 'remember me' feature.

cmdcolin commented Mar 9, 2023

Hi @nanjiangshu, I know it's unfortunate, but there are indeed a number of security alerts on the Apollo codebase right now that are reported by security scanners. I reported a security scan from the grype tool here:

#2640 (comment)

We took effort to remediate the log4j issue at the request of a user, but it took concerted effort, and it may be difficult to fix many of these issues because many of them come from the grails platform version that we use, and it is difficult to upgrade to the latest version of grails without changing a large amount of code.

I don't have any specific recommendation for now but to be aware of this. We can leave this issue open, and if you would like to look into contributing any possible fixes, then we may be able to accept pull requests, though I know that is a big task.

@nanjiangshu (Author)

@cmdcolin Thanks for your quick reply, and I understand you have a lot of similar issues to handle. We need to find a solution ourselves, since the resource provider will shut down all our deployed instances if the problem is not solved. Would it be possible for us to ask you some questions about the configuration of Apache Shiro in case we encounter problems?


cmdcolin commented Mar 9, 2023

Certainly, let us know of any questions. There is some possibility that Shiro could be upgraded to some patch version if that is the only one you need. See here for the PR that updated the log4j version: #2654

@nanjiangshu (Author)

Hi @cmdcolin. Thanks for your tips. I tried to upgrade the Shiro version to 1.2.5 by changing the code at https://github.com/GMOD/Apollo/blob/develop/grails-app/conf/BuildConfig.groovy#L137. However, when building the Docker image, I received the following error.

> Error Resolve error obtaining dependencies: Could not find artifact org.grails.plugins:shiro:zip:1.2.5 in grailsCentral (https://repo.grails.org/grails/plugins) (Use --stacktrace to see the full trace)

Is there a way to provide a URL to grails so that it can find shiro version 1.2.5?

@cmdcolin (Collaborator)

I'm not sure what exactly shiro 1.2.5 is. I see only "1.2.1" here, but I'm not sure if we even use that: https://repo.grails.org/ui/packages/gav:%2F%2Forg.grails.plugins:shiro?name=shiro&type=packages

My scan from https://gist.github.com/cmdcolin/df8e92fe3e82fb2856b5c08d90bf4a32 indicated various shiro subpackages were in use.

Is it shiro-core or something like that? Package list: https://repo.grails.org/ui/packages?name=shiro&type=packages

I will also note that your security scan noted that disabling remember me could be another alternative. Not sure if that's easier or harder.

@nanjiangshu (Author)

As you pointed out, it seems the grails plugin does not provide a shiro version higher than 1.2.1, although at Maven Central many newer versions of shiro are provided: https://mvnrepository.com/artifact/org.grails/grails-plugin-servlets. I don't know how much work it would require to let the BuildConfig use shiro-core from maven, and I probably don't have the time either.

It seems it is quite easy to disable the feature "RememberMe", and I will talk with the sysadmin to see if they accept this option.

@jvolkening

Hello @nanjiangshu,

> It seems it is quite easy to disable the feature "RememberMe" and I will talk with the sysadmin if they accept this option.

Were you able to disable this option in Apollo to address the vulnerability? If so, could you briefly describe how or point to relevant docs? I haven't been able to find any guidance in my search.

Many thanks.
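Added example, not code from Apollo, the Grails Shiro plugin or any participant in this thread: the two non-upgrade remediations the scanner lists (configure a secret cipher key, or disable 'remember me'), written against Shiro's core Java API, which is also what the last comment asks about. It assumes the application builds its own DefaultWebSecurityManager and reads the key from a hypothetical SHIRO_REMEMBERME_KEY environment variable; how Apollo's Grails plugin wires the security manager is not covered on this page.

```java
import java.security.Key;
import java.util.Base64;
import org.apache.shiro.crypto.AesCipherService;
import org.apache.shiro.web.mgt.CookieRememberMeManager;
import org.apache.shiro.web.mgt.DefaultWebSecurityManager;

/** Added example (not Apollo's code): remediations for CVE-2016-4437 via Shiro's own API. */
public final class RememberMeHardening {

    /** Generate a fresh 128-bit AES key; keep the Base64 output in a secret store, not in source. */
    public static String generateCipherKeyBase64() {
        Key key = new AesCipherService().generateNewKey();   // AES-128 by default
        return Base64.getEncoder().encodeToString(key.getEncoded());
    }

    /** Option 1: keep 'remember me' but replace the framework default key with an operator-supplied one. */
    public static DefaultWebSecurityManager withCustomKey(String base64Key) {
        byte[] keyBytes = Base64.getDecoder().decode(base64Key);
        if (keyBytes.length != 16 && keyBytes.length != 24 && keyBytes.length != 32) {
            throw new IllegalArgumentException("cipher key must decode to a 16/24/32-byte AES key");
        }
        CookieRememberMeManager rmm = new CookieRememberMeManager();
        rmm.setCipherKey(keyBytes);                  // overrides the hardcoded default cipher key
        DefaultWebSecurityManager sm = new DefaultWebSecurityManager();
        sm.setRememberMeManager(rmm);
        return sm;
    }

    /** Option 2: disable 'remember me' entirely; no rememberMe cookie is written or deserialised. */
    public static DefaultWebSecurityManager withoutRememberMe() {
        DefaultWebSecurityManager sm = new DefaultWebSecurityManager();
        sm.setRememberMeManager(null);               // DefaultWebSecurityManager installs one by default
        return sm;
    }

    public static void main(String[] args) {
        // SHIRO_REMEMBERME_KEY is a hypothetical name chosen for this example.
        String key = System.getenv("SHIRO_REMEMBERME_KEY");
        DefaultWebSecurityManager sm = (key == null || key.isEmpty())
                ? withoutRememberMe()
                : withCustomKey(key);
        System.out.println("rememberMe: "
                + (sm.getRememberMeManager() == null ? "disabled" : "enabled with operator-supplied key"));
    }
}
```

Either option removes the scanner's finding without changing the Shiro version; the key must still be rotated if it is ever exposed, since anyone holding it can forge rememberMe cookies.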
