CVE-2023-34478
📋 TL;DR
This CVE describes an authentication bypass in Apache Shiro: when Shiro is used together with an API or web framework that routes non-normalized requests, a request path containing path traversal sequences can be matched by Shiro's filter chain differently from the path the application actually serves, so protected resources can be reached without passing the intended security filters. It affects Apache Shiro versions before 1.12.0 (1.x line) and before 2.0.0-alpha-3 (2.x line). Organizations running vulnerable Shiro versions in web applications are at risk.
💻 Affected Systems
- Apache Shiro
📦 What is this software?
Shiro by Apache
⚠️ Risk & Real-World Impact
Worst Case
Complete authentication bypass leading to unauthorized access to protected resources, potential data exfiltration, and full system compromise.
Likely Case
Authentication bypass allowing access to restricted application functionality and sensitive data.
If Mitigated
Limited impact with proper network segmentation, additional authentication layers, and request validation.
🎯 Exploit Status
Exploitation requires knowledge of protected endpoints but path traversal techniques are well-documented and easy to implement.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Apache Shiro 1.12.0+ or 2.0.0-alpha-3+
Vendor Advisory: https://lists.apache.org/thread/mbv26onkgw9o35rldh7vmq11wpv2t2qk
Restart Required: Yes
Instructions:
1. Identify all applications using Apache Shiro.
2. Update the Shiro dependency to version 1.12.0 or higher (or 2.0.0-alpha-3 or higher on the 2.x line).
3. Rebuild and redeploy the affected applications.
4. Restart the application servers.
🔧 Temporary Workarounds
Request Normalization Filter
Implement a servlet filter that normalizes every incoming request path before it reaches Shiro.
Implement a custom servlet filter that canonicalizes request URIs (resolving "." and ".." segments, collapsing repeated slashes and decoding percent-encoded sequences) using java.io.File.getCanonicalPath() or a similar method; note that getCanonicalPath() resolves against the local file system, so a string-based URI normalizer is the safer choice for request paths.
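As an added example (not code from this advisory or from the Shiro project), the following servlet filter implements the request-normalization workaround. It assumes the javax.servlet API at version 4.0 or later (on Jakarta EE 9 and later the package is jakarta.servlet) and a Java 8 or later runtime; the class and method names are the example's own. Instead of rewriting the path it rejects any request whose path is not already canonical, which avoids having to wrap every request accessor Shiro might read.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.ArrayDeque;
import java.util.Deque;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Example filter (hypothetical name, not part of Shiro): rejects any request whose
// path is not already canonical, so the path Shiro's filter chain matches against
// is the same path the container will dispatch to.
public class NormalizedPathFilter implements Filter {

    // Characters that change the structure of a path when smuggled in via %xx escapes.
    private static final String STRUCTURAL = "/\\.;%";

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        // getRequestURI() returns the raw, undecoded path without the query string.
        String raw = ((HttpServletRequest) req).getRequestURI();
        if (isNonCanonical(raw)) {
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }
        chain.doFilter(req, res);
    }

    // True when the path is malformed, encodes a structural character, or differs from its canonical form.
    static boolean isNonCanonical(String raw) {
        if (raw == null || !raw.startsWith("/")) return true;
        String decoded = percentDecode(raw);
        if (decoded == null) return true;                 // bad %xx escape or raw non-ASCII byte
        if (hasEncodedStructuralChar(raw)) return true;   // %2e, %2f, %5c, %3b, %25
        String canonical = canonicalize(decoded);
        return canonical == null || !canonical.equals(decoded);
    }

    // Resolves "." and "..", collapses repeated slashes, drops ";name=value" path parameters.
    // Returns null when ".." would climb above the root.
    static String canonicalize(String path) {
        String p = path.replace('\\', '/');               // treat backslash as a separator too
        boolean trailingSlash = p.length() > 1 && p.endsWith("/");
        Deque<String> out = new ArrayDeque<>();
        for (String seg : p.split("/", -1)) {
            int semi = seg.indexOf(';');
            if (semi >= 0) seg = seg.substring(0, semi);
            if (seg.isEmpty() || seg.equals(".")) continue;
            if (seg.equals("..")) {
                if (out.isEmpty()) return null;
                out.removeLast();
                continue;
            }
            out.addLast(seg);
        }
        if (out.isEmpty()) return "/";
        return "/" + String.join("/", out) + (trailingSlash ? "/" : "");
    }

    // Decodes %xx escapes as UTF-8; unlike URLDecoder it does not turn '+' into a space.
    // Returns null on a malformed escape or on a raw byte above 0x7F.
    static String percentDecode(String s) {
        byte[] buf = new byte[s.length()];
        int n = 0;
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            if (c == '%') {
                if (i + 2 >= s.length()) return null;
                int hi = Character.digit(s.charAt(i + 1), 16);
                int lo = Character.digit(s.charAt(i + 2), 16);
                if (hi < 0 || lo < 0) return null;
                buf[n++] = (byte) ((hi << 4) | lo);
                i += 2;
            } else if (c < 0x80) {
                buf[n++] = (byte) c;
            } else {
                return null;
            }
        }
        return new String(buf, 0, n, StandardCharsets.UTF_8);
    }

    private static boolean hasEncodedStructuralChar(String s) {
        for (int i = s.indexOf('%'); i >= 0; i = s.indexOf('%', i + 1)) {
            // percentDecode() has already verified that two hex digits follow every '%'.
            char decoded = (char) Integer.parseInt(s.substring(i + 1, i + 3), 16);
            if (STRUCTURAL.indexOf(decoded) >= 0) return true;
        }
        return false;
    }

    // Stand-alone check over constructed sample paths (not taken from the advisory).
    public static void main(String[] args) {
        String[] samples = {
            "/", "/admin/", "/files/my%20report.pdf",        // canonical: accepted
            "/admin/../secret", "/admin/%2e%2e%2fsecret",    // traversal, raw and encoded: rejected
            "/admin/..\\secret", "/admin//secret"            // backslash, double slash: rejected
        };
        for (String s : samples) {
            System.out.println((isNonCanonical(s) ? "REJECT " : "accept ") + s);
        }
    }
}
```

Declare the filter in web.xml (or with @WebFilter) ahead of ShiroFilter, since servlet filters run in declaration order. The check is deliberately strict: it also rejects path parameters such as ;jsessionid=..., so an application that relies on URL session rewriting has to account for that. The same isNonCanonical predicate, applied to the request path column of access logs, finds the non-normalized request patterns listed under Detection & Monitoring.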
Web Server Path Normalization
Configure front-end web servers (Apache httpd, Nginx) to normalize URLs before passing them to the application.
Nginx: location ~* \.(jsp|do|action)$ { try_files $uri $uri/ =404; }
Apache: Use mod_rewrite to normalize paths
🧯 If You Can't Patch
- Implement Web Application Firewall (WAF) rules to block path traversal patterns
- Add additional authentication layer (API gateway, reverse proxy) with strict path validation
🔍 How to Verify
Check if Vulnerable:
Check application dependencies for Apache Shiro version (e.g., pom.xml for Maven, build.gradle for Gradle, or examine deployed JAR files).
Check Version:
For Maven: mvn dependency:tree | grep shiro
For a deployed JAR: unzip -p shiro-core-*.jar META-INF/MANIFEST.MF | grep Implementation-Version
Verify Fix Applied:
Verify Shiro version is 1.12.0 or higher in dependency files and deployed application libraries.
📡 Detection & Monitoring
Log Indicators:
- Multiple failed authentication attempts followed by successful access to protected resources
- Unusual request patterns with ../ or encoded path traversal sequences
- Access to admin/restricted endpoints from unexpected IPs
Network Indicators:
- HTTP requests containing path traversal sequences (../, ..\, %2e%2e%2f)
- Requests to protected endpoints without proper authentication headers
SIEM Query:
source="web_logs" AND (uri="*../*" OR uri="*%2e%2e%2f*" OR uri="*..\\*") AND response_code=200
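The SIEM query above, applied offline to access-log lines, as an added example that is not part of the advisory. It parses Common Log Format, flags every request whose path carries one of the traversal sequences listed under Network Indicators, and marks the ones that also returned a 2xx status, which is the combination the query alerts on. The class name, the Finding type and the sample lines (RFC 5737 documentation addresses) are all constructed for this example.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Example scanner (hypothetical name): applies the advisory's SIEM logic to raw access-log lines.
public class TraversalLogScanner {

    // Common Log Format: client ident user [time] "METHOD path PROTOCOL" status bytes
    private static final Pattern CLF = Pattern.compile(
        "^(\\S+) \\S+ \\S+ \\[([^\\]]+)\\] \"(\\S+) (\\S+) [^\"]*\" (\\d{3}) \\S+");

    // The advisory's indicators: ../ and ..\ in raw form plus their percent-encoded variants.
    private static final Pattern TRAVERSAL = Pattern.compile(
        "\\.\\./|\\.\\.\\\\|%2e%2e(?:%2f|%5c|/|\\\\)|\\.\\.(?:%2f|%5c)", Pattern.CASE_INSENSITIVE);

    // One flagged log entry.
    public static final class Finding {
        public final String client, time, method, path;
        public final int status;

        Finding(String client, String time, String method, String path, int status) {
            this.client = client;
            this.time = time;
            this.method = method;
            this.path = path;
            this.status = status;
        }

        // A 2xx status on a traversal path is what the SIEM query alerts on (response_code=200).
        public boolean succeeded() {
            return status >= 200 && status < 300;
        }

        @Override
        public String toString() {
            return (succeeded() ? "ALERT  " : "notice ") + client + " " + time + " "
                + method + " " + path + " -> " + status;
        }
    }

    // Returns every parseable entry whose request path contains a traversal sequence, whatever its status.
    public static List<Finding> scan(List<String> lines) {
        List<Finding> out = new ArrayList<>();
        for (String line : lines) {
            Matcher m = CLF.matcher(line);
            if (!m.find()) continue;                      // unparseable line: skip rather than crash
            String path = m.group(4);
            if (TRAVERSAL.matcher(path).find()) {
                out.add(new Finding(m.group(1), m.group(2), m.group(3), path,
                                    Integer.parseInt(m.group(5))));
            }
        }
        return out;
    }

    public static void main(String[] args) {
        // Constructed sample lines; not real log data.
        List<String> sample = Arrays.asList(
            "203.0.113.7 - - [24/Jul/2023:10:15:01 +0000] \"GET /admin/dashboard HTTP/1.1\" 302 0",
            "203.0.113.7 - - [24/Jul/2023:10:15:03 +0000] \"GET /public/../admin/dashboard HTTP/1.1\" 200 5120",
            "198.51.100.9 - - [24/Jul/2023:10:16:10 +0000] \"GET /static/%2E%2E%2Fconfig HTTP/1.1\" 404 0",
            "192.0.2.5 - - [24/Jul/2023:10:17:00 +0000] \"GET /index.jsp HTTP/1.1\" 200 2048");
        for (Finding f : scan(sample)) {
            System.out.println(f);
        }
    }
}
```

Entries reported as "notice" (a traversal sequence with a non-2xx status) are attempts worth correlating with the Log Indicators above, for example a burst of failed requests from one client followed by a success; "ALERT" entries are the ones that should be investigated first. A web server or proxy that normalizes paths before logging will hide the raw sequences, so run this against the logs closest to the client.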
🔗 References
- http://www.openwall.com/lists/oss-security/2023/07/24/4
- https://lists.apache.org/thread/mbv26onkgw9o35rldh7vmq11wpv2t2qk
- https://security.netapp.com/advisory/ntap-20230915-0005/