Posted to dev@shiro.apache.org by zh0122 <zh...@gmail.com> on 2021/04/25 01:25:10 UTC

Re: Ask help for upgrading Shiro in CDH platform to 1.7.1

Could anyone help to check this?

Thanks

On Thu, Apr 22, 2021 at 3:17 PM zh0122 <zh...@gmail.com> wrote:

> Hello,
>
> As Shiro has the bug CVE-2020-17523:
>>
>>     Apache Shiro before 1.7.1, when using Apache Shiro with Spring, a
>> specially crafted HTTP request may cause an authentication bypass.
>
>
> We use the CDH platform, which integrates Shiro in its lib, but we have no
> source code for the CDH platform.
> For security reasons, we plan to upgrade the shiro-*.jar in the CDH libs.
>
>    - Are there any suggestions about it?
>    - Could I just replace the jars in the lib directory?
>    - Are there any API changes between 1.2.3 and 1.7.1 (1.4.0 and 1.7.1)?
>    - If I put the 1.7.1 jars into the directory, are there any
>    compatibility issues?
>
> Below is the list of Shiro jars in the installed CDH platform.
>
>> /opt/cloudera/parcels/CDH-5.16.1-1.cdh5.16.1.p0.3/jars/shiro-core-1.2.3.jar
>> /opt/cloudera/parcels/CDH-6.3.2-1.cdh6.3.2.p0.1605554/jars/shiro-cache-1.4.0.jar
>> /opt/cloudera/parcels/CDH-6.3.2-1.cdh6.3.2.p0.1605554/jars/shiro-config-core-1.4.0.jar
>> /opt/cloudera/parcels/CDH-6.3.2-1.cdh6.3.2.p0.1605554/jars/shiro-config-ogdl-1.4.0.jar
>> /opt/cloudera/parcels/CDH-6.3.2-1.cdh6.3.2.p0.1605554/jars/shiro-core-1.4.0.jar
>> /opt/cloudera/parcels/CDH-6.3.2-1.cdh6.3.2.p0.1605554/jars/shiro-crypto-cipher-1.4.0.jar
>> /opt/cloudera/parcels/CDH-6.3.2-1.cdh6.3.2.p0.1605554/jars/shiro-crypto-core-1.4.0.jar
>> /opt/cloudera/parcels/CDH-6.3.2-1.cdh6.3.2.p0.1605554/jars/shiro-crypto-hash-1.4.0.jar
>> /opt/cloudera/parcels/CDH-6.3.2-1.cdh6.3.2.p0.1605554/jars/shiro-event-1.4.0.jar
>> /opt/cloudera/parcels/CDH-6.3.2-1.cdh6.3.2.p0.1605554/jars/shiro-lang-1.4.0.jar
>
> Thanks
> BRs
>
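A concrete version check for the jar inventory quoted above, added here as an example (it is not code from the thread, from Shiro, or from Cloudera): it parses the Shiro module and version out of each jar filename, reads the version recorded in the jar's own manifest so a renamed file is not taken on trust, flags anything below 1.7.1 (the fix release named in the quoted advisory), and, since a manual jar swap is what is being asked about, reports any lib directory where the Shiro modules are no longer all at one version. The sample paths are constructed from the list in the message; `find_shiro_jars` is the hook for a live parcel tree; the manifest keys `Implementation-Version` and `Bundle-Version` are assumptions, not something the thread states.

```python
"""Inventory the Shiro jars in a lib directory and flag any below the
CVE-2020-17523 fix release (Shiro 1.7.1). Added example; not from the
thread, Shiro or Cloudera. Manifest keys and sample paths are assumptions."""
import re
import tempfile
import zipfile
from pathlib import Path

# The advisory quoted in the thread names 1.7.1 as the fix release.
FIXED_VERSION = (1, 7, 1)

# shiro-core-1.4.0.jar, shiro-config-ogdl-1.4.0.jar, shiro-core-1.7.1-SNAPSHOT.jar ...
JAR_RE = re.compile(
    r"^(shiro(?:-[a-z]+)*)-(\d+)\.(\d+)\.(\d+)(?:-[A-Za-z0-9.]+)?\.jar$")


def parse_shiro_jar(filename):
    """Return (artifact, (major, minor, patch)) for a Shiro jar name, else None."""
    m = JAR_RE.match(filename)
    if not m:
        return None
    return m.group(1), tuple(int(m.group(i)) for i in (2, 3, 4))


def is_vulnerable(version, fixed=FIXED_VERSION):
    """Older than the fix release? Tuples compare numerically, so 1.10.0 is
    correctly newer than 1.7.1, which a plain string compare would get wrong."""
    return tuple(version) < tuple(fixed)


def manifest_version(jar_path):
    """Version recorded inside the jar, so a renamed file is not taken at face
    value. Assumption: Implementation-Version or Bundle-Version is present in
    META-INF/MANIFEST.MF; returns None when the jar or the key is missing."""
    try:
        with zipfile.ZipFile(jar_path) as zf:
            text = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except (OSError, KeyError, zipfile.BadZipFile):
        return None
    # Manifest continuation lines begin with a single space; fold them first.
    for line in text.replace("\r\n", "\n").replace("\n ", "").split("\n"):
        key, sep, value = line.partition(":")
        if sep and key.strip() in ("Implementation-Version", "Bundle-Version"):
            return value.strip()
    return None


def scan_jar_names(paths, fixed=FIXED_VERSION):
    """Group Shiro jars by directory: {dir: [(artifact, version, vulnerable), ...]}.
    Non-Shiro jars are ignored; a duplicated module shows up as two entries."""
    report = {}
    for p in paths:
        path = Path(p)
        parsed = parse_shiro_jar(path.name)
        if parsed is None:
            continue
        artifact, ver = parsed
        report.setdefault(str(path.parent), []).append(
            (artifact, ver, is_vulnerable(ver, fixed)))
    return report


def mixed_versions(report):
    """Directories whose Shiro modules are not all at one version: the check
    that catches a half-done swap (shiro-core at 1.7.1 beside shiro-config-ogdl
    still at 1.4.0), or an old jar left lying next to the new one."""
    return sorted(d for d, mods in report.items()
                  if len({ver for _, ver, _ in mods}) > 1)


def find_shiro_jars(root):
    """Live-system variant: walk a parcel tree such as /opt/cloudera/parcels."""
    return [str(p) for p in Path(root).rglob("shiro-*.jar")]


def write_fake_jar(filename, version, directory=None):
    """Constructed fixture: a minimal jar whose manifest records `version`."""
    path = Path(directory or tempfile.mkdtemp()) / filename
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    f"Manifest-Version: 1.0\r\nBundle-Version: {version}\r\n\r\n")
    return str(path)


# Constructed sample built from the paths listed in the message (not a live scan).
CDH5 = "/opt/cloudera/parcels/CDH-5.16.1-1.cdh5.16.1.p0.3/jars"
CDH6 = "/opt/cloudera/parcels/CDH-6.3.2-1.cdh6.3.2.p0.1605554/jars"
SAMPLE_PATHS = [
    f"{CDH5}/shiro-core-1.2.3.jar",
    f"{CDH6}/shiro-core-1.4.0.jar",
    f"{CDH6}/shiro-config-ogdl-1.4.0.jar",
    f"{CDH6}/shiro-lang-1.4.0.jar",
    f"{CDH6}/hadoop-common-3.0.0.jar",   # ignored: not a Shiro jar
]

if __name__ == "__main__":
    report = scan_jar_names(SAMPLE_PATHS)
    for directory, mods in report.items():
        for artifact, ver, vuln in sorted(mods):
            status = "NEEDS UPGRADE" if vuln else "ok"
            print(f"{directory}: {artifact} {'.'.join(map(str, ver))} {status}")
    for d in mixed_versions(report):
        print(f"WARNING: mixed Shiro versions in {d}")
    # Cross-check filename against the manifest on a constructed jar.
    jar = write_fake_jar("shiro-core-1.4.0.jar", "1.4.0")
    print(jar, "manifest says", manifest_version(jar))
```

Against a live system, run `scan_jar_names(find_shiro_jars("/opt/cloudera/parcels"))`. The mixed-version check is the one worth keeping after any manual replacement: the CDH 6.3.2 parcel listed above ships nine separate Shiro 1.4.0 modules, and swapping only shiro-core leaves the other eight at the old version.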

Re: Ask help for upgrading Shiro in CDH platform to 1.7.1

Posted by Brian Demers <br...@gmail.com>.
You can try to upgrade the jars, but I’d recommend contacting the vendor and getting them to upgrade the parcel.

-Brian
