CVE-2021-45029

9.8 CRITICAL

📋 TL;DR

CVE-2021-45029 is a critical vulnerability in Apache ShenYu that allows attackers to inject malicious Groovy or SpEL code, leading to remote code execution. This affects Apache ShenYu versions 2.4.0 and 2.4.1, potentially compromising entire systems. Attackers can execute arbitrary commands with the privileges of the ShenYu application.

💻 Affected Systems

Products:
  • Apache ShenYu
Versions: 2.4.0 and 2.4.1
Operating Systems: All operating systems running Apache ShenYu
Default Config Vulnerable: ⚠️ Yes
Notes: All deployments of affected versions are vulnerable regardless of configuration.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise allowing attackers to execute arbitrary commands, steal data, deploy malware, or pivot to other systems in the network.

🟠 Likely Case

Remote code execution leading to data theft, service disruption, or deployment of backdoors for persistent access.

🟢 If Mitigated

Limited impact with proper network segmentation, minimal privileges, and input validation controls in place.

🌐 Internet-Facing: HIGH - Apache ShenYu is typically deployed as a gateway/proxy service that's internet-facing, making it directly accessible to attackers.
🏢 Internal Only: MEDIUM - Even internal deployments are at risk from insider threats or compromised internal systems.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Public exploit details and proof-of-concept code are available in security advisories, making exploitation straightforward for attackers.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.4.2 and later

Vendor Advisory: https://lists.apache.org/thread/3zzmwvg3012tg306x8o893fvdcssx639

Restart Required: Yes

Instructions:

1. Download Apache ShenYu version 2.4.2 or later from official Apache repositories.
2. Stop the current ShenYu service.
3. Replace the vulnerable version with the patched version.
4. Restart the ShenYu service.
5. Verify the update was successful.

🔧 Temporary Workarounds

Disable vulnerable endpoints

Applies to: all platforms

Temporarily disable or restrict access to endpoints that accept Groovy or SpEL expressions if they're not essential for functionality. Note that a firewall string match like the one below only inspects plaintext traffic packet by packet: it cannot see inside TLS and can miss a request split across packets, so treat it as a stopgap, not a replacement for patching.

# Configure firewall rules to block access to vulnerable endpoints
# Example: iptables -A INPUT -p tcp --dport [shenyu_port] -m string --string "vulnerable_endpoint" --algo bm -j DROP

Network segmentation

Applies to: all platforms

Isolate ShenYu instances from critical systems and implement strict network access controls.

# Implement network segmentation using firewall rules
# Example: iptables -A FORWARD -s [shenyu_ip] -d [critical_system_ip] -j DROP

🧯 If You Can't Patch

  • Implement strict input validation and sanitization for all user inputs, especially those processed by Groovy or SpEL engines.
  • Deploy web application firewall (WAF) rules to detect and block code injection attempts targeting ShenYu endpoints.

🔍 How to Verify

Check if Vulnerable:

Check the ShenYu version by examining the configuration files or by running the application with its version flag. The installation is vulnerable if the version is 2.4.0 or 2.4.1.

Check Version:

Check the ShenYu configuration file (usually the shenyu-admin or shenyu-bootstrap properties) for version information, or run: java -jar shenyu-admin.jar --version

Verify Fix Applied:

Verify the installed version is 2.4.2 or later by checking the application version or configuration files.

📡 Detection & Monitoring

Log Indicators:

  • Unusual Groovy or SpEL expression execution in logs
  • Suspicious command execution patterns
  • Unexpected process creation from ShenYu service

Network Indicators:

  • Unusual outbound connections from ShenYu instances
  • Traffic patterns indicating code injection attempts

SIEM Query:

source="shenyu" AND ("Groovy" OR "SpEL" OR "Expression") AND ("exec" OR "Runtime" OR "ProcessBuilder")
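As an added example that is not part of this advisory, the following Python script applies the logic of the SIEM query above (a term from the expression group AND a term from the execution group, restricted to ShenYu's own log source) to a few constructed log lines. The log-line layout, case-insensitive matching, and the use of the `org.apache.shenyu` logger prefix in place of source="shenyu" are assumptions made for this example.

```python
import re
from dataclasses import dataclass

# Term groups taken from the SIEM query. A line is flagged only when it contains
# at least one term from EACH group, mirroring the query's AND/OR structure.
EXPRESSION_TERMS = ("Groovy", "SpEL", "Expression")
EXECUTION_TERMS = ("exec", "Runtime", "ProcessBuilder")

# Assumed log layout for this example: "<timestamp> <LEVEL> [<logger>] <message>".
LOG_LINE = re.compile(r"^(?P<ts>\S+) (?P<level>[A-Z]+) \[(?P<logger>[^\]]+)\] (?P<msg>.*)$")

# Assumed stand-in for source="shenyu": only ShenYu's own loggers are inspected.
SHENYU_LOGGER_PREFIX = "org.apache.shenyu"


@dataclass
class Alert:
    ts: str
    logger: str
    expression_terms: tuple
    execution_terms: tuple
    msg: str


def _hits(text, terms):
    """Return the subset of `terms` found in `text`, matched case-insensitively."""
    low = text.lower()
    return tuple(t for t in terms if t.lower() in low)


def scan_log(lines):
    """Return one Alert per line that satisfies the SIEM query's logic."""
    alerts = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # unparsable line; a real pipeline would count these separately
        if not m["logger"].lower().startswith(SHENYU_LOGGER_PREFIX):
            continue  # not from the ShenYu log source
        expr, exe = _hits(m["msg"], EXPRESSION_TERMS), _hits(m["msg"], EXECUTION_TERMS)
        if expr and exe:  # both groups must match, as in the query
            alerts.append(Alert(m["ts"], m["logger"], expr, exe, m["msg"]))
    return alerts


# Constructed sample lines (not real ShenYu output): benign Groovy use, a line
# hitting both term groups, and a matching message from an unrelated source.
SAMPLE_LOG = [
    "2021-12-01T10:00:01Z INFO [org.apache.shenyu.plugin] Groovy script compiled for rule 42",
    "2021-12-01T10:00:02Z WARN [org.apache.shenyu.plugin] Evaluating SpEL Expression that references java.lang.Runtime exec",
    "2021-12-01T10:00:03Z INFO [org.other.app] Runtime exec of scheduled Groovy job",
]

if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(f"{alert.ts} {alert.logger}: matched {alert.expression_terms} and {alert.execution_terms}")
```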

🔗 References
