
High vulnerability caused by Apache Shiro

Open nanjiangshu opened this issue 1 year ago • 7 comments

We have deployed an instance of Apollo on a Cloud virtual machine and it works very well until the sysadmin reported a high vulnerability caused by Apache Shiro. The reported vulnerability and the potential solution suggested by the sysadmin are pasted below.

Vulnerabilities
159323 - Apache Shiro Default Cipher Key (CVE-2016-4437)
Synopsis
A Java security framework uses a default cipher key.
Description
The Apache Shiro uses a default cipher key for the 'remember me' feature when not explicitly configured. An unauthenticated, remote attacker can exploit this, via a specially crafted request, to execute arbitrary code or access content that would otherwise be protected by a security constraint.
See Also
http://www.nessus.org/u?fd9839a6
http://www.nessus.org/u?25ff751a
Solution
Upgrade to Apache Shiro 1.2.5 or later, ensure a secret cipher key is configured, or disable the 'remember me' feature.

nanjiangshu, Mar 09 '23 15:03
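The scanner's remediation advice above ("ensure a secret cipher key is configured") can be checked mechanically. The following is an added example, not code from Apollo or from anyone in this thread: a small Python audit of a shiro.ini `[main]` section that reports whether the rememberMe cipher key is absent (so Shiro's built-in default would be used), malformed, or an explicitly configured key of a valid AES length, plus a generator for a fresh random key. It assumes the standard shiro.ini property name `securityManager.rememberMeManager.cipherKey`; the sample configurations are constructed.

```python
import base64
import secrets

# shiro.ini property that sets the rememberMe cookie's AES key; when it is
# absent, Shiro < 1.2.5 silently uses its hard-coded default (CVE-2016-4437).
CIPHER_KEY_PROPERTY = "securityManager.rememberMeManager.cipherKey"
VALID_AES_KEY_LENGTHS = {16, 24, 32}  # bytes: AES-128 / AES-192 / AES-256


def parse_main_section(ini_text):
    """Return the key/value pairs of the [main] section of a shiro.ini text."""
    props, section = {}, None
    for raw in ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "main" and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props


def audit_remember_me_key(ini_text):
    """Classify the rememberMe cipher key as 'missing', 'weak' or 'ok'.
    'missing': no key configured, so the built-in default applies (vulnerable).
    'weak': the value is not base64 of a valid AES key length."""
    key_b64 = parse_main_section(ini_text).get(CIPHER_KEY_PROPERTY)
    if key_b64 is None:
        return "missing"
    try:
        key = base64.b64decode(key_b64, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return "weak"
    return "ok" if len(key) in VALID_AES_KEY_LENGTHS else "weak"


def generate_cipher_key(length=32):
    """Fresh random AES key, base64-encoded as shiro.ini expects it."""
    if length not in VALID_AES_KEY_LENGTHS:
        raise ValueError("AES key must be 16, 24 or 32 bytes")
    return base64.b64encode(secrets.token_bytes(length)).decode("ascii")


# Constructed sample configurations (not taken from the Apollo repository).
INI_UNCONFIGURED = "[main]\nsecurityManager.sessionManager.globalSessionTimeout = 1800000\n"
INI_FIXED = "[main]\n" + CIPHER_KEY_PROPERTY + " = " + generate_cipher_key() + "\n"
```

`audit_remember_me_key(INI_UNCONFIGURED)` returns `"missing"` and `audit_remember_me_key(INI_FIXED)` returns `"ok"`; the generated key must be stored as a secret, not committed to the repository.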

Hi @nanjiangshu. I know it's unfortunate, but there are indeed a number of security alerts on the Apollo codebase right now that are reported by security scanners. I reported a security scan from the grype tool here:

https://github.com/GMOD/Apollo/issues/2640#issuecomment-994822414

We took effort to remediate the log4j issue at the request of a user, but it took concerted effort, and it may be difficult to fix many of these issues because many of them come from the Grails platform version that we use, and it is difficult to upgrade to the latest version of Grails without changing a large amount of code.

I don't have any specific recommendation for now but to be aware of this. We can leave this issue open, and if you would like to look into contributing any possible fixes, then we may be able to accept pull requests, though I know that is a big task.

cmdcolin, Mar 09 '23 16:03

@cmdcolin Thanks for your quick reply, and I understand you have a lot of similar issues to handle. We need to find a solution ourselves, since the resource provider will shut down all our deployed instances if the problem is not solved. Would it be possible for us to ask you some questions about the configuration of Apache Shiro in case we encounter problems?

nanjiangshu, Mar 09 '23 17:03

Certainly, let us know of any questions. There is some possibility that Shiro could be upgraded to some patch version if that is the only one you need. See here for the PR that updated the log4j version: https://github.com/GMOD/Apollo/pull/2654/

cmdcolin, Mar 09 '23 18:03

Hi @cmdcolin. Thanks for your tips. I tried to upgrade the Shiro version to 1.2.5 by changing the code at https://github.com/GMOD/Apollo/blob/develop/grails-app/conf/BuildConfig.groovy#L137. However, when building the Docker image, I received the following error.

| Error Resolve error obtaining dependencies: Could not find artifact org.grails.plugins:shiro:zip:1.2.5 in grailsCentral (https://repo.grails.org/grails/plugins) (Use --stacktrace to see the full trace)

Is there a way to provide a URL to Grails so that it can find Shiro version 1.2.5?

nanjiangshu, Mar 20 '23 13:03

I'm not sure what exactly Shiro 1.2.5 is. I see only "1.2.1" here, but I'm not sure if we even use that: https://repo.grails.org/ui/packages/gav:%2F%2Forg.grails.plugins:shiro?name=shiro&type=packages

My scan from https://gist.github.com/cmdcolin/df8e92fe3e82fb2856b5c08d90bf4a32 indicated various Shiro subpackages were in use.

Is it shiro-core or something like that? Package list: https://repo.grails.org/ui/packages?name=shiro&type=packages

I will also note that your security scan noted that disabling "remember me" could be another alternative. Not sure if that's easier or harder.

cmdcolin, Mar 20 '23 18:03

As you pointed out, it seems the Grails plugin does not provide a Shiro version higher than 1.2.1, although many newer versions of Shiro are provided at Maven Central: https://mvnrepository.com/artifact/org.grails/grails-plugin-servlets. I don't know how much work it would require to let BuildConfig use shiro-core from Maven, and I probably don't have the time either.

It seems it is quite easy to disable the feature "RememberMe" and I will talk with the sysadmin if they accept this option.

nanjiangshu, Mar 20 '23 21:03

Hello @nanjiangshu,

It seems it is quite easy to disable the feature "RememberMe" and I will talk with the sysadmin if they accept this option.

Were you able to disable this option in Apollo to address the vulnerability? If so, could you briefly describe how or point to relevant docs? I haven't been able to find any guidance in my search.

Many thanks.

jvolkening, Apr 15 '23 02:04