CVE-2021-41303

9.8 CRITICAL

📋 TL;DR

CVE-2021-41303 is an authentication bypass vulnerability in Apache Shiro when it is used with Spring Boot. A specially crafted HTTP request can allow an attacker to bypass authentication and gain unauthorized access to protected resources. All Apache Shiro versions before 1.8.0 are affected when Shiro is deployed with Spring Boot.

💻 Affected Systems

Products:
  • Apache Shiro
  • Spring Boot applications using Apache Shiro
Versions: Apache Shiro versions before 1.8.0
Operating Systems: All operating systems running affected Apache Shiro versions
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects deployments where Apache Shiro is used with Spring Boot. Standalone Apache Shiro deployments are not affected.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise where attackers gain administrative access, potentially leading to data theft, ransomware deployment, or complete system takeover.

🟠 Likely Case

Unauthorized access to sensitive application functionality and data, potentially leading to privilege escalation and lateral movement within the network.

🟢 If Mitigated

Limited impact with proper network segmentation, strong authentication layers, and monitoring in place to detect anomalous access patterns.

🌐 Internet-Facing: HIGH - Internet-facing applications are directly exposed to exploitation attempts from any attacker.
🏢 Internal Only: MEDIUM - Internal applications are still vulnerable to insider threats or attackers who have gained initial network access.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The vulnerability is relatively easy to exploit with publicly available proof-of-concept code. Attackers can craft specific HTTP requests to bypass authentication.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Apache Shiro 1.8.0 or later

Vendor Advisory: https://lists.apache.org/thread.html/re470be1ffea44bca28ccb0e67a4cf5d744e2d2b981d00fdbbf5abc13%40%3Cannounce.shiro.apache.org%3E

Restart Required: Yes

Instructions:

1. Identify all applications using Apache Shiro with Spring Boot.
2. Update the Apache Shiro dependency to version 1.8.0 or later in your build configuration (pom.xml for Maven, build.gradle for Gradle).
3. Rebuild and redeploy the application.
4. Restart the application server.

🔧 Temporary Workarounds

Implement additional authentication layer

Applies to: all

Add a secondary authentication mechanism or Web Application Firewall (WAF) rules to block suspicious authentication bypass attempts.

Network segmentation and access controls

Applies to: all

Restrict network access to vulnerable applications using firewall rules and network segmentation.

🧯 If You Can't Patch

  • Implement strict network access controls to limit which IP addresses can access the vulnerable application
  • Deploy a Web Application Firewall (WAF) with rules specifically designed to detect and block Shiro authentication bypass attempts

🔍 How to Verify

Check if Vulnerable:

Check your application's dependency files (pom.xml, build.gradle) for the Apache Shiro version. If the version is below 1.8.0 and Shiro is used with Spring Boot, the system is vulnerable.

Check Version:

For Maven: mvn dependency:tree | grep shiro
For Gradle: gradle dependencies | grep shiro
Or check pom.xml/build.gradle directly.

Verify Fix Applied:

Verify that the Apache Shiro version is 1.8.0 or higher in your dependency files and that the application has been successfully rebuilt and redeployed.
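The grep commands above only show the matching lines; deciding whether each Shiro artifact is below the fix version is still manual. The following Python script is an added example (not part of this advisory page) that parses the output of mvn dependency:tree or gradle dependencies, compares every org.apache.shiro artifact against the 1.8.0 fix release, and notes whether one of Shiro's Spring Boot starters is present, since the advisory scopes the issue to Spring Boot deployments. The two sample outputs are constructed for the example; shiro-spring-boot-web-starter and shiro-core are real Shiro artifact names, but their presence in any given build is an assumption.

```python
"""Flag Apache Shiro artifacts older than the 1.8.0 fix release in Maven or
Gradle dependency-tree output (added example, not from the advisory)."""
import re
import sys
from typing import List, NamedTuple, Tuple

FIXED_VERSION = (1, 8, 0)  # first release containing the fix, per the advisory

# Maven `mvn dependency:tree` line, e.g.
#   [INFO] +- org.apache.shiro:shiro-spring-boot-web-starter:jar:1.7.1:compile
MAVEN_RE = re.compile(
    r"(?P<group>org\.apache\.shiro):(?P<artifact>[\w.-]+):[\w-]+(?::[\w-]+)?"
    r":(?P<version>\d[\w.-]*):\w+"
)
# Gradle `gradle dependencies` line, e.g.
#   +--- org.apache.shiro:shiro-spring:1.7.1 -> 1.8.0
# The version after "->" is the one Gradle actually resolved onto the classpath.
GRADLE_RE = re.compile(
    r"(?P<group>org\.apache\.shiro):(?P<artifact>[\w.-]+):(?P<version>\d[\w.-]*)"
    r"(?:\s*->\s*(?P<resolved>\d[\w.-]*))?"
)


class Finding(NamedTuple):
    artifact: str
    version: str
    vulnerable: bool


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '1.7.1' or '1.8.0-SNAPSHOT' into a comparable tuple, padded to 3 parts."""
    numeric = re.match(r"\d+(?:\.\d+)*", version).group(0)
    parts = [int(p) for p in numeric.split(".")]
    return tuple(parts + [0] * max(0, 3 - len(parts)))


def is_vulnerable(version: str) -> bool:
    """Any Shiro release below 1.8.0 is in the affected range."""
    return parse_version(version) < FIXED_VERSION


def scan_dependency_output(text: str) -> List[Finding]:
    """Collect every org.apache.shiro artifact from Maven or Gradle tree output."""
    findings: List[Finding] = []
    for line in text.splitlines():
        match = MAVEN_RE.search(line) or GRADLE_RE.search(line)
        if not match:
            continue
        groups = match.groupdict()
        # Prefer Gradle's resolved version when a conflict was resolved upward.
        version = groups.get("resolved") or groups["version"]
        findings.append(Finding(groups["artifact"], version, is_vulnerable(version)))
    return findings


def uses_spring_boot(findings: List[Finding]) -> bool:
    """Shiro's Spring Boot starters indicate the Spring Boot configuration the
    advisory scopes the issue to. A plain shiro-spring dependency inside a
    Spring Boot app would not be caught here, so treat a False as 'unknown'."""
    return any("spring-boot" in f.artifact for f in findings)


# Constructed sample outputs, shaped like real Maven and Gradle tree output.
SAMPLE_MAVEN_OUTPUT = """\
[INFO] com.example:demo:jar:0.0.1-SNAPSHOT
[INFO] +- org.springframework.boot:spring-boot-starter-web:jar:2.5.4:compile
[INFO] +- org.apache.shiro:shiro-spring-boot-web-starter:jar:1.7.1:compile
[INFO] |  \\- org.apache.shiro:shiro-core:jar:1.7.1:compile
"""
SAMPLE_GRADLE_OUTPUT = """\
runtimeClasspath - Runtime classpath of source set 'main'.
+--- org.springframework.boot:spring-boot-starter-web:2.5.4
+--- org.apache.shiro:shiro-spring-boot-web-starter:1.7.1 -> 1.8.0
\\--- org.apache.shiro:shiro-core:1.8.0
"""


def report(text: str) -> List[str]:
    """Human-readable verdict per artifact plus the Spring Boot indicator."""
    findings = scan_dependency_output(text)
    lines = [f"{f.artifact} {f.version}: {'VULNERABLE' if f.vulnerable else 'ok'}"
             for f in findings]
    lines.append(f"Spring Boot starter present: {uses_spring_boot(findings)}")
    return lines


if __name__ == "__main__":
    # Usage: mvn dependency:tree | python shiro_check.py   (or gradle dependencies | ...)
    source = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_MAVEN_OUTPUT
    print("\n".join(report(source)))
```

Pipe real build output into the script on stdin; with no input it runs against the constructed Maven sample. Because Gradle prints the resolved version after the arrow, the check compares what actually ends up on the classpath rather than the version declared in build.gradle, which is the value that matters for the "Verify Fix Applied" step.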

📡 Detection & Monitoring

Log Indicators:

  • Unusual authentication patterns
  • Access to protected resources with no corresponding successful authentication log entry
  • HTTP requests with suspicious headers or parameters targeting authentication endpoints

Network Indicators:

  • HTTP requests with crafted headers attempting to bypass authentication
  • Unusual access patterns to protected endpoints

SIEM Query:

source="application_logs" AND ("authentication bypass" OR "unauthorized access" OR "Shiro") AND status="200" AND (uri CONTAINS "/admin" OR uri CONTAINS "/protected")
