[Secure-testing-team] Bug#826653: CVE-2016-4437

Moritz Muehlenhoff jmm at debian.org
Tue Jun 7 13:54:44 UTC 2016


Source: shiro
Severity: grave
Tags: security

The following was reported on oss-security. shiro doesn't seem to have
any rdeps in Debian.

Cheers,
        Moritz

Severity: Important

Vendor:
The Apache Software Foundation

Versions Affected:
1.0.0-incubating - 1.2.4

Description:
A default cipher key is used for the "remember me" feature when not
explicitly configured.  A request that included a specially crafted
request
parameter could be used to execute arbitrary code or access content
that
would otherwise be protected by a security constraint.

Mitigation:
Users should upgrade to 1.2.5 [1],  ensure a secret cipher key is
configured [2], or disable the "remember me" feature. [3]

All binaries (.jars) are available in Maven Central already.

References:
[1] http://shiro.apache.org/download.html
[2]
http://shiro.apache.org/configuration.html#Configuration-ByteArrayValues
[3] If using a shiro.ini, "remember me" can be disabled adding the
following config line in the '[main]' section:
  securityManager.rememberMeManager = null
  



More information about the Secure-testing-team mailing list