CVE-2021-41303 Apache Shiro < 1.8.0 Authentication Bypass WCC 11.3.6

Article ID: 243751

Products

Autosys Workload Automation

Issue/Introduction

Hello, we are getting reports of a new security finding from our Nessus scans.
This relates to our WCC servers in all our environments.
Nessus recommends "Upgrade to Apache Shiro 1.8.0 or later." Is this possible?
If so, what would be the process to update this portion of WCC?
I have included the information from Nessus below.


CVE-2021-41303 (CVSS 7.5): Apache Shiro before 1.8.0, when using Apache Shiro with Spring Boot, a specially crafted HTTP request may cause an authentication bypass.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

Plugin   : Apache Shiro < 1.8.0 Authentication Bypass
Host OS  : Microsoft Windows Server 2016 Datacenter
Port     : 0 / TCP
Risk     : Critical
Solution : Upgrade to Apache Shiro 1.8.0 or later.
Synopsis : A Java security framework is affected by an authentication bypass vulnerability.

  Path              : H:\CA\Workload Control Center\tomcat\webapps\asi\WEB-INF\lib\shiro-core-1.3.2.jar
  Installed version : 1.3.2
  Fixed version     : 1.8.0

  Path              : H:\CA\Workload Control Center\tomcat\webapps\asi\WEB-INF\lib\shiro-ehcache-1.3.2.jar
  Installed version : 1.3.2
  Fixed version     : 1.8.0

  Path              : H:\CA\Workload Control Center\tomcat\webapps\asi\WEB-INF\lib\shiro-web-1.3.2.jar
  Installed version : 1.3.2
  Fixed version     : 1.8.0

Environment

Autosys 11.3.6
WORKLOAD CONTROL CENTER
WCC

Resolution

This vulnerability is only exploitable when Apache Shiro is used together with a Spring Boot application.
In WCC, Shiro is used by the Agent Inventory component, which is not a Spring Boot application, so the specific condition required to exploit this CVE is not present.
WCC is therefore not impacted by this CVE.

https://nvd.nist.gov/vuln/detail/CVE-2021-41303
https://www.cve.org/CVERecord?id=CVE-2021-41303

Apache Shiro will be upgraded to 1.8 in AutoSys 12.1.
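As an added check (written for this article; it is not Broadcom's or the WCC product's own code), the script below separates the version-only finding Nessus reports from the condition the Resolution relies on: it scans a WEB-INF\lib directory and flags only Shiro jars below 1.8.0 that sit next to Spring Boot jars. The built-in jar list is constructed from the paths in the Nessus output above, and the artifact/version parsing assumes Maven-style jar names.

```python
"""Check a WEB-INF/lib directory for the two conditions behind CVE-2021-41303:
an Apache Shiro version below 1.8.0 AND Spring Boot on the same classpath."""
import re
import sys
from pathlib import Path

# Fixed version named in the Nessus finding and the Apache advisory.
SHIRO_FIXED = (1, 8, 0)
# Assumed Maven-style naming: "<artifact>-<numeric version>[-qualifier].jar"
JAR_RE = re.compile(r"^(?P<artifact>[a-z][a-z0-9-]*?)-(?P<ver>\d+(?:\.\d+)*)[^/]*\.jar$", re.I)

# Constructed sample mirroring the jars Nessus listed on this page (not a real WCC install).
WCC_LIKE_JARS = ["shiro-core-1.3.2.jar", "shiro-ehcache-1.3.2.jar", "shiro-web-1.3.2.jar"]


def parse_jar(name):
    """Return (artifact, version tuple padded to 3 parts) or None if the name is unparseable."""
    m = JAR_RE.match(name)
    if not m:
        return None
    ver = tuple(int(p) for p in m.group("ver").split("."))
    return m.group("artifact").lower(), (ver + (0, 0, 0))[:3]


def assess_jars(jar_names):
    """Tell the version-only finding (what Nessus reports) apart from the
    exploitable condition (outdated Shiro plus Spring Boot on the classpath)."""
    outdated_shiro, spring_boot = {}, []
    for name in jar_names:
        parsed = parse_jar(name)
        if parsed is None:
            continue
        artifact, ver = parsed
        if artifact.startswith("shiro-") and ver < SHIRO_FIXED:
            outdated_shiro[artifact] = ".".join(map(str, ver))
        elif artifact == "spring-boot" or artifact.startswith("spring-boot-"):
            spring_boot.append(name)
    return {
        "outdated_shiro": outdated_shiro,
        "spring_boot_jars": sorted(spring_boot),
        "version_finding": bool(outdated_shiro),
        "exploit_precondition": bool(outdated_shiro) and bool(spring_boot),
    }


def assess_webapp(lib_dir):
    """Run the assessment against a real WEB-INF/lib directory."""
    return assess_jars(p.name for p in Path(lib_dir).glob("*.jar"))


if __name__ == "__main__":
    result = assess_webapp(sys.argv[1]) if len(sys.argv) > 1 else assess_jars(WCC_LIKE_JARS)
    print("Nessus-style version finding:", result["version_finding"])
    print("Shiro + Spring Boot precondition present:", result["exploit_precondition"])
    print("Outdated Shiro jars:", result["outdated_shiro"])
```

The absence of Spring Boot jars in WEB-INF\lib is supporting evidence for the vendor's statement, not proof, since it does not see jars loaded from elsewhere on the Tomcat classpath.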