On August 17, 2020, the Alibaba Cloud emergency response center detected that Apache Shiro had officially released a security update fixing a newly disclosed authentication bypass vulnerability. An attacker who exploits this vulnerability can bypass the authentication process and access resources on the Shiro server.

Apache Shiro is a widely used framework for permission management, user authentication, and authorization. The authentication bypass vulnerability (CVE-2020-11989) allows an attacker to send a specially crafted request that bypasses the authentication process. Apache Shiro 1.5.3 took some measures to fix this vulnerability, but the fix was incomplete: because Apache Shiro and the Spring framework process request URLs differently, the bypass remained possible in later versions. On August 17, 2020, Apache Shiro released version 1.6.0, which fixes the vulnerability. Cloud Firewall has released a virtual patch to defend against this vulnerability.

Impact scope: Apache Shiro versions earlier than 1.6.0

Risk level: high

Rule-based defense: A virtual patch is available in the Cloud Firewall console to defend against this vulnerability.

Rule type: others

Security suggestions:
  • Upgrade Apache Shiro to 1.6.0 or later.
  • Use the Intrusion Prevention feature of Cloud Firewall.
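Because the impact scope is "versions earlier than 1.6.0", the first practical step is to find out which Shiro versions a project actually pulls in. The following script is an added example written for this bulletin, not code from Apache Shiro or Alibaba Cloud: it parses a Maven pom.xml, resolves `${...}` version properties, and flags every `org.apache.shiro` dependency whose version is below 1.6.0. The pom.xml content embedded in the script is constructed for demonstration and does not come from any real project; the version-parsing rules are a simplification of Maven's and ignore qualifiers such as `-SNAPSHOT`.

```python
import re
import xml.etree.ElementTree as ET

# First release that carries the fix, per the bulletin ("earlier than 1.6.0" is affected).
FIXED_VERSION = (1, 6, 0)
MAVEN_NS = {"m": "http://maven.apache.org/POM/4.0.0"}

# Constructed sample pom.xml for offline demonstration (not from any real project).
# One Shiro artifact uses a property set to a vulnerable version, the other is fixed.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId>
  <artifactId>demo-app</artifactId>
  <version>1.0</version>
  <properties>
    <shiro.version>1.5.3</shiro.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>org.apache.shiro</groupId>
      <artifactId>shiro-spring</artifactId>
      <version>${shiro.version}</version>
    </dependency>
    <dependency>
      <groupId>org.apache.shiro</groupId>
      <artifactId>shiro-core</artifactId>
      <version>1.6.0</version>
    </dependency>
    <dependency>
      <groupId>org.springframework</groupId>
      <artifactId>spring-web</artifactId>
      <version>5.2.8.RELEASE</version>
    </dependency>
  </dependencies>
</project>
"""


def parse_version(text):
    """Turn '1.5.3' or '1.6.0-SNAPSHOT' into a comparable (major, minor, patch) tuple.
    Qualifiers after '-' or '+' and non-numeric segments are dropped; missing
    segments are padded with 0. This is a simplification of Maven's ordering."""
    core = re.split(r"[-+]", text.strip(), maxsplit=1)[0]
    parts = []
    for piece in core.split("."):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def resolve_property(value, props):
    """Expand a single ${name} Maven property reference; unknown names are left as-is."""
    m = re.fullmatch(r"\$\{([^}]+)\}", value.strip())
    if m:
        return props.get(m.group(1), value)
    return value


def find_shiro_dependencies(pom_xml):
    """Return [(artifactId, resolved_version)] for every org.apache.shiro dependency."""
    root = ET.fromstring(pom_xml)
    # Strip the namespace from property tags so "{ns}shiro.version" becomes "shiro.version".
    props = {p.tag.split("}")[-1]: (p.text or "").strip()
             for p in root.findall("m:properties/*", MAVEN_NS)}
    found = []
    for dep in root.findall(".//m:dependency", MAVEN_NS):
        gid = dep.findtext("m:groupId", default="", namespaces=MAVEN_NS).strip()
        if gid != "org.apache.shiro":
            continue
        aid = dep.findtext("m:artifactId", default="", namespaces=MAVEN_NS).strip()
        raw = dep.findtext("m:version", default="", namespaces=MAVEN_NS)
        found.append((aid, resolve_property(raw, props)))
    return found


def audit_pom(pom_xml):
    """Return [(artifactId, version, vulnerable)] where vulnerable is True when the
    version is below 1.6.0, False when it is 1.6.0 or later, and None when the
    version could not be resolved (e.g. managed by a parent POM or BOM)."""
    results = []
    for aid, version in find_shiro_dependencies(pom_xml):
        if not version or version.startswith("${"):
            results.append((aid, version, None))
            continue
        results.append((aid, version, parse_version(version) < FIXED_VERSION))
    return results


if __name__ == "__main__":
    for aid, version, vulnerable in audit_pom(SAMPLE_POM):
        status = {True: "VULNERABLE (< 1.6.0)", False: "ok", None: "unresolved"}[vulnerable]
        print(f"{aid:15s} {version or '(none)':12s} {status}")
```

A version of `None` means the script could not decide: the dependency is managed elsewhere, so the effective version must be checked with the build tool itself (for Maven, `mvn dependency:tree`) rather than inferred from this file alone. Any artifact reported as vulnerable should be upgraded to 1.6.0 or later, as the security suggestions above state.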