Security Patch - November 2021

October 29, 2025
Nov 19th: The mitigation section, at the end of the page, has been updated to provide a better way of blocking access to the tools from outside your organization.

We have recently identified a vulnerability in the library managing authentication to the tools (Apache Shiro) that allows an attacker, by submitting a specially crafted query, to bypass authentication to the tools section. This vulnerability is present in all Jahia 7 versions before Jahia 7.3.6, in Jahia 8.0.0 and in Jahia 8.0.1. If you are using one of these versions, we strongly advise you to upgrade to the latest 7.3 or 8 version. If you cannot perform such an upgrade quickly, you can update the Shiro library by following the procedure below.

Jahia 7.3.6, 7.3.7 and Jahia 8.0.2 ship a higher version of this Shiro library, 1.6.0, which protects them from the discovered vulnerability. Jahia is not aware of any exploitable vulnerability in these versions. However, be aware that the Shiro library has also been updated to version 1.7.1 in Jahia 7.3.8 and 8.0.3 for security reasons. The following procedure also applies to Jahia 7.3.6, 7.3.7 and 8.0.2, if you want to upgrade the Shiro library before you are able to upgrade Jahia to the latest version.

Jahia versions 7.3.8 and higher, as well as 8.0.3 and higher, are not affected and no actions are required.

Upgrading the Shiro library

When applying the patch on a cluster, it is not necessary to stop all the nodes at once. You can proceed node by node, starting with the processing node, in order to keep your sites available online, but you need to repeat the procedure on every node.

  1. Download the shiro-1.7.1.zip file (MD5: 674bf06dc7f6a9b4a3fe326a6a20feee) and extract it; it contains the Shiro libraries to install
  2. Download the configuration file corresponding to your Jahia version:
    1. applicationcontext-override-security.xml (MD5: 18ef4863c4e6b582cfc50c8edde003c3) for Jahia 7.x and 8.0.0
    2. applicationcontext-override-security-v8.xml (MD5: a46ad3f7c0261ca4ca3f464aaba70bd0) for Jahia 8.0.1 and 8.0.2
  3. Make sure to have a proper backup
  4. Stop tomcat
  5. Remove all shiro*.jar lib files from the tomcat/webapps/ROOT/WEB-INF/lib folder
  6. Add the following ones into the tomcat/webapps/ROOT/WEB-INF/lib folder
    1. encoder-1.2.3.jar
    2. shiro-cache-1.7.1.jar
    3. shiro-config-core-1.7.1.jar
    4. shiro-config-ogdl-1.7.1.jar
    5. shiro-core-1.7.1.jar
    6. shiro-crypto-cipher-1.7.1.jar
    7. shiro-crypto-core-1.7.1.jar
    8. shiro-crypto-hash-1.7.1.jar
    9. shiro-event-1.7.1.jar
    10. shiro-lang-1.7.1.jar
    11. shiro-spring-1.7.1.jar
    12. shiro-web-1.7.1.jar
  7. Copy the applicationcontext-override-security-*.xml file in the digital-factory-config/jahia/ directory
    1. applicationcontext-override-security.xml for Jahia 7.x and 8.0.0
    2. applicationcontext-override-security-v8.xml for Jahia 8.0.1 and Jahia 8.0.2
  8. Start tomcat
Please note that when you upgrade to Jahia 7.3.8 or higher, or 8.0.3 or higher, you will need to remove the applicationcontext-override-security.xml file before restarting your server.
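As an added example (not part of Jahia's advisory), the following POSIX shell functions check a node's WEB-INF/lib after steps 5 and 6, flagging missing 1.7.1 jars and any stale shiro*.jar left behind, and verify the downloaded zip against the MD5 published above. It assumes a Linux host with md5sum available and the jar list from step 6.

```shell
#!/bin/sh
# Added example, not from the Jahia advisory. Assumes md5sum (Linux).

# MD5 of shiro-1.7.1.zip as published in the advisory.
EXPECTED_ZIP_MD5="674bf06dc7f6a9b4a3fe326a6a20feee"

# Jars that must be present after step 6 of the procedure.
EXPECTED_JARS="encoder-1.2.3.jar shiro-cache-1.7.1.jar shiro-config-core-1.7.1.jar \
shiro-config-ogdl-1.7.1.jar shiro-core-1.7.1.jar shiro-crypto-cipher-1.7.1.jar \
shiro-crypto-core-1.7.1.jar shiro-crypto-hash-1.7.1.jar shiro-event-1.7.1.jar \
shiro-lang-1.7.1.jar shiro-spring-1.7.1.jar shiro-web-1.7.1.jar"

# verify_zip_md5 FILE: succeed only when FILE's MD5 matches the published value.
verify_zip_md5() {
    actual=$(md5sum "$1" | cut -d' ' -f1)
    [ "$actual" = "$EXPECTED_ZIP_MD5" ]
}

# check_shiro_libs LIBDIR: succeed only when every expected jar is present and
# no other shiro*.jar (for example a pre-1.7.1 jar missed in step 5) remains.
check_shiro_libs() {
    libdir=$1
    rc=0
    for jar in $EXPECTED_JARS; do
        if [ ! -f "$libdir/$jar" ]; then
            echo "MISSING: $jar"
            rc=1
        fi
    done
    for path in "$libdir"/shiro*.jar; do
        [ -e "$path" ] || continue           # glob matched nothing
        name=$(basename "$path")
        case " $EXPECTED_JARS " in
            *" $name "*) ;;                  # expected 1.7.1 jar
            *) echo "STALE: $name (remove it, see step 5)"; rc=1 ;;
        esac
    done
    return $rc
}

# Typical use on each node, before starting Tomcat again:
#   verify_zip_md5 shiro-1.7.1.zip && check_shiro_libs tomcat/webapps/ROOT/WEB-INF/lib
```

Run it on every cluster node, since the procedure has to be repeated on each one.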

Verifying the library upgrade

To verify the library upgrade, and that you are fully protected against the known vulnerabilities, access the tools and check that Shiro version 1.7.1 is the one in use. To do so, open the Groovy console in the tools (/modules/tools/groovyConsole.js) and execute the following Groovy script, which displays the Shiro library in use:

// Take the concrete Subject class served by Shiro (lives in a shiro jar)
Class shiroClass = org.apache.shiro.SecurityUtils.getSubject().getClass();
// Resolve the .class resource to its URL, e.g. jar:file:/.../shiro-core-1.7.1.jar!/org/...
String classPath = shiroClass.getResource(shiroClass.getSimpleName() + ".class").toString();
// Keep only the jar path (everything before the "!"), which carries the version
println("Lib: " + classPath.substring(0, classPath.lastIndexOf("!")));

Mitigation

It is advised to block access to the tools from outside your organization. This can be achieved, for example, with a reverse proxy (HAProxy, Apache2, etc.) using the following regular expression to detect the sensitive URLs to block:

.+modules.+tools.+

Please note that this is only a mitigation measure, as it prevents people from outside your organization from exploiting the vulnerability. It does not replace the need to upgrade to the latest Jahia versions or to Shiro 1.7.1.