Apache Shiro Deserialization RCE - Vulnerability Database

Apache Shiro Deserialization RCE

Description

Apache Shiro is a Java security framework that provides authentication, authorization, cryptography, and session management. Versions prior to 1.2.5 (CVE-2016-4437) contain a critical weakness in the "RememberMe" cookie feature. The cookie holds a Java-serialized PrincipalCollection that is AES-128-CBC encrypted and Base64 encoded, and the default CookieRememberMeManager used a hardcoded, publicly known encryption key for it. Because the server decrypts and deserializes the cookie before any authentication check, an attacker who knows the key can encrypt an arbitrary serialized object, present it in the rememberMe cookie, and have the application deserialize it. With a suitable gadget chain on the classpath (for example a vulnerable Commons Collections version), that deserialization leads to arbitrary code execution on the server; even without one, the key lets an attacker forge RememberMe cookies that make the application remember an identity of their choosing.

Remediation

Upgrade Apache Shiro to version 1.2.5 or later. From 1.2.5, the RememberMe manager generates a random cipher key at startup instead of using the hardcoded default. A per-instance random key means RememberMe cookies stop working across restarts and across nodes of a cluster; if you need them to, configure one key shared by all nodes, generated as shown below, and keep it out of source control and logs, because anyone holding that key is back in the pre-1.2.5 situation.

If immediate upgrading is not possible, apply the following temporary mitigations:

1. Generate a secure random key:

```java
// Generates a fresh AES key with Shiro's own cipher service and prints it Base64-encoded
import java.security.Key;
import org.apache.shiro.codec.Base64;
import org.apache.shiro.crypto.AesCipherService;

public class GenerateRememberMeKey {
    public static void main(String[] args) {
        AesCipherService cipherService = new AesCipherService();
        Key key = cipherService.generateNewKey();
        String base64Key = Base64.encodeToString(key.getEncoded());
        System.out.println(base64Key);
    }
}
```

2. Set that key as the RememberMe cipher key in your application configuration:

```ini
# In shiro.ini or equivalent configuration; Shiro's INI loader decodes the Base64 string into the key bytes
[main]
securityManager.rememberMeManager.cipherKey = YOUR_BASE64_ENCODED_KEY
```

3. Disable RememberMe functionality entirely if your application does not need it.
4. Restrict network access to the application until patching is complete.
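The check below is an added example, not part of this entry or of the Shiro project's own code. It builds a RememberMe cookie value the way CookieRememberMeManager does (serialize, encrypt with Shiro's AesCipherService, Base64), then tests whether a cookie decrypts under the public default key, which is how you verify that a deployment has actually stopped using it: a cookie issued under a custom key fails the check, one issued under the default key passes it. The class name, the realm name and the principal "alice" are made up for the example; the default key value is the one shipped in AbstractRememberMeManager before 1.2.5. Written against the Shiro 1.x API and needs shiro-core on the classpath.

```java
import java.io.ByteArrayOutputStream;
import java.io.ObjectOutputStream;
import java.security.Key;

import org.apache.shiro.codec.Base64;
import org.apache.shiro.crypto.AesCipherService;
import org.apache.shiro.crypto.CryptoException;
import org.apache.shiro.subject.SimplePrincipalCollection;
import org.apache.shiro.util.ByteSource;

/**
 * Added example (not Invicti's or the Shiro project's code): shows why the
 * default RememberMe key is the problem and how to verify that a deployment
 * no longer uses it. Shiro 1.x API; AesCipherService prepends a random IV
 * to each ciphertext and strips it again on decrypt.
 */
public class RememberMeKeyCheck {

    // Default key shipped in AbstractRememberMeManager before 1.2.5.
    // It is public, so anyone can produce or read cookies encrypted with it.
    static final byte[] DEFAULT_KEY = Base64.decode("kPH+bIxk5D2deZiIxcaaaA==");

    // Java serialization stream header: 0xAC 0xED 0x00 0x05
    private static final byte[] SERIAL_MAGIC = {(byte) 0xAC, (byte) 0xED, 0x00, 0x05};

    static final AesCipherService AES = new AesCipherService();

    /** Builds a cookie value the way CookieRememberMeManager does: serialize, AES-encrypt, Base64. */
    static String buildCookie(Object principals, byte[] key) throws Exception {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(principals);
        }
        ByteSource encrypted = AES.encrypt(bos.toByteArray(), key);
        return encrypted.toBase64();
    }

    /**
     * True if the cookie decrypts under the given key to a Java serialization stream.
     * Only the header is inspected; the decrypted bytes are never handed to
     * ObjectInputStream, so the check itself cannot trigger a gadget chain.
     */
    static boolean decryptsUnderKey(String cookieValue, byte[] key) {
        try {
            byte[] plain = AES.decrypt(Base64.decode(cookieValue), key).getBytes();
            if (plain.length < SERIAL_MAGIC.length) {
                return false;
            }
            for (int i = 0; i < SERIAL_MAGIC.length; i++) {
                if (plain[i] != SERIAL_MAGIC[i]) {
                    return false;
                }
            }
            return true;
        } catch (CryptoException e) {
            // Wrong key: the PKCS#5 padding check fails on the garbage plaintext.
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        // Fresh random key, generated with the same API the remediation steps use.
        Key custom = AES.generateNewKey();
        byte[] customKey = custom.getEncoded();
        System.out.println("cipherKey for shiro.ini: " + Base64.encodeToString(customKey));

        // Hypothetical principal and realm name, constructed for the example.
        Object principals = new SimplePrincipalCollection("alice", "exampleRealm");

        // A server still on the default key issues cookies anyone can read and forge.
        String vulnerableCookie = buildCookie(principals, DEFAULT_KEY);
        System.out.println("default-key cookie readable with default key: "
                + decryptsUnderKey(vulnerableCookie, DEFAULT_KEY));

        // Once a per-deployment key is configured, the default key no longer works.
        String fixedCookie = buildCookie(principals, customKey);
        System.out.println("custom-key cookie readable with default key: "
                + decryptsUnderKey(fixedCookie, DEFAULT_KEY));
        System.out.println("custom-key cookie readable with custom key: "
                + decryptsUnderKey(fixedCookie, customKey));
    }
}
```

To audit a live deployment, feed decryptsUnderKey a rememberMe cookie value captured from your own application's Set-Cookie header together with DEFAULT_KEY; a true result means the server is still encrypting with the public key and is exposed regardless of version number. The check deliberately stops at the serialization header so that running it against an attacker-supplied cookie cannot itself deserialize a payload.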

Related Vulnerabilities