Security Patch - September, 2023
Apache Shiro
A vulnerability has been identified in the Apache Shiro library before version 1.12.0, tracked under the following reference: CVE-2023-34478.
This vulnerability, in the library managing the authentication to the tools (Apache Shiro), could potentially allow an attacker to bypass authentication to the tools section. Shiro is also used to prevent direct access to .jsp resources, as well as to any *.raw or *.raw.ajax resources. This vulnerability is present in all Jahia 7 and Jahia 8 versions.
No attack vector is known by Jahia for these versions. However, we strongly advise you to update the Shiro library by following the procedure below, in case an attack vector for this vulnerability becomes public.
A good practice is to block access to the tools section from outside of your organization (cf. Mitigation), as external attackers would then not be able to reach the tools features through this vulnerability.
CSRF - Cross-Site Request Forgery
Jahia has been found to be exposed to CSRF attacks on some of its endpoints.
CSRF attacks rely on an attacker redirecting an authenticated Jahia user to a specially crafted page aimed at performing malicious activities under that user's privileges.
These URLs were identified via a bug bounty program. There are no known public exploits (nor existing CVEs); nevertheless, we strongly recommend applying the patch as soon as possible.
GraphQL
A vulnerability has been found in which an authenticated user could, by means of a particular GraphQL mutation, access data outside of their privileges.
Impacted versions
- All Jahia 8 versions are impacted, and shall be patched
- All Jahia 7 versions are also impacted:
- The Shiro library can be patched
- Mitigations are provided for the CSRF vulnerabilities
Addressing the attack vectors
Jahia 8.1.2+
The following procedure applies to Jahia 8.1.2 and higher
In the following procedure, <current-jahia-version> is the Jahia version currently installed, and <target-jahia-version> will be:
- 8.1.2.4 if you're running 8.1.2.x
- 8.1.3.2 if you're running 8.1.3.x
- 8.1.5.2 if you're running 8.1.5.x
- 8.1.6.1 if you're running 8.1.6.0
The procedure needs to be applied on each cluster node in your Jahia 8 environment. It is however not necessary to shut down the entire cluster: you can proceed using a rolling restart (stop a node, apply the patch and restart the node while the other cluster nodes are up and running).
Download the artifacts
- Download the artifacts corresponding to your target Jahia version.
- For Jahia 8.1.2.4
- jahia-impl-8.1.2.4.jar (MD5: a066f245edc9396547d1f785ce834d0a)
- (optional) org.jahia.bundles.provisioning-8.1.2.4.jar (MD5: ec9daf8ee88c12f09a16e940482301dc)
- (optional) org.jahia.bundles.jcrcommands-8.1.2.4.jar (MD5: 5d503fd3f615dcf947a68dbe34aab6a0)
- For Jahia 8.1.3.2
- jahia-impl-8.1.3.2.jar (MD5: bd7953924033be473c23071944d42860)
- (optional) org.jahia.bundles.provisioning-8.1.3.2.jar (MD5: ff3fcd263181f1f3064a2cd426b8f93a)
- (optional) org.jahia.bundles.jcrcommands-8.1.3.2.jar (MD5: 9977ff57f54fa170ccfd3ba9e0fde47c)
- For Jahia 8.1.5.2
- jahia-impl-8.1.5.2.jar (MD5: b5a6b09c8c08d17bc142e31b80801cf2)
- (optional) org.jahia.bundles.provisioning-8.1.5.2.jar (MD5: 578b09a52557996a9d454947f904c343)
- (optional) org.jahia.bundles.jcrcommands-8.1.5.2.jar (MD5: 6cf11ad335d24b0af0034231a1d64721)
- For Jahia 8.1.6.1
- jahia-impl-8.1.6.1.jar (MD5: 2708d4adaaa9fa7bd4bc24cfae72da68)
- (optional) org.jahia.bundles.provisioning-8.1.6.1.jar (MD5: 4cf587cad168abf6525b43c26888c7d9)
- (optional) org.jahia.bundles.jcrcommands-8.1.6.1.jar (MD5: 8d043b416a22522c116e76576d094290)
- For Jahia 8.1.2.4
- Download the shiro-1.12.0.zip (MD5: c35aa6e17db7eccf4f8aeff2e7b4531f) file, and extract it, as it contains the shiro libraries to update.
Address Shiro and GraphQL vulnerabilities
- On your local machine (not on the Jahia server), create a script called 1.modules.beforeContextInitializing.groovy containing the following content:

    import org.apache.commons.io.FileUtils
    import org.jahia.settings.SettingsBean

    log.info("*** Cleaning all previous bundles and instructing for modules reinstallation ***")
    // Remove the deployed-bundles cache so that modules are reinstalled on the next start
    def file = new File(SettingsBean.getInstance().getJahiaVarDiskPath() + "/bundles-deployed")
    FileUtils.deleteQuietly(file)
    // Marker files instructing Jahia to restore the persisted bundles and configurations
    FileUtils.touch(new File(SettingsBean.getInstance().getJahiaVarDiskPath(), "[persisted-bundles].dorestore"))
    FileUtils.touch(new File(SettingsBean.getInstance().getJahiaVarDiskPath(), "[persisted-configurations].dorestore"))

- Stop your server / cluster node
- In tomcat/webapps/ROOT/WEB-INF/lib:
  - Replace jahia-impl-<current-jahia-version>.jar by jahia-impl-<target-jahia-version>.jar
  - Remove all shiro*.jar lib files
- Copy the following shiro files from the ZIP you downloaded previously and into the folder:
- shiro-cache-1.12.0.jar
- shiro-config-core-1.12.0.jar
- shiro-config-ogdl-1.12.0.jar
- shiro-core-1.12.0.jar
- shiro-crypto-cipher-1.12.0.jar
- shiro-crypto-core-1.12.0.jar
- shiro-crypto-hash-1.12.0.jar
- shiro-event-1.12.0.jar
- shiro-lang-1.12.0.jar
- shiro-spring-1.12.0.jar
- shiro-web-1.12.0.jar
- In the digital-factory-data/karaf/etc/custom.properties file:
  - Replace all mentions of org.apache.shiro* from 1.X.0 to 1.12.0. For example:

    org.apache.shiro;version=\"1.10.0\",\
    org.apache.shiro.aop;version=\"1.10.0\",\
    org.apache.shiro.authc;version=\"1.10.0\",\

    should be replaced by:

    org.apache.shiro;version=\"1.12.0\",\
    org.apache.shiro.aop;version=\"1.12.0\",\
    org.apache.shiro.authc;version=\"1.12.0\",\

  - The example above is not exhaustive: about 60 lines need to be updated. Be careful not to bulk replace 1.10.0 with 1.12.0, as libraries other than Shiro may also be at version 1.10.0.
- Copy the script 1.modules.beforeContextInitializing.groovy from your local machine to the folder digital-factory-data/patches/groovy/ on the Jahia server.
- Restart your server / cluster node
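To avoid the careless bulk replace the step above warns about, here is an added helper (not part of this advisory nor of Jahia) that bumps only the org.apache.shiro* entries of custom.properties and leaves every other package at 1.10.0 untouched. The sample file content is constructed, and the com.example.other package name is an assumption.

```python
"""Bump only the org.apache.shiro* exported-package versions in a Karaf custom.properties file."""
import re
import shutil
import sys

# One exported-package entry looks like:  org.apache.shiro.aop;version=\"1.10.0\",\
# Group 1 is everything up to the version number, group 2 the remainder of the line.
# Only keys starting with org.apache.shiro match, so other packages at 1.10.0 are left alone.
SHIRO_ENTRY_RE = re.compile(
    r'^(\s*org\.apache\.shiro(?:\.[\w.]+)?;version=\\")1\.\d+\.\d+(\\".*)$'
)

# Constructed sample, not a real Jahia file: com.example.other is a hypothetical
# non-Shiro package that also sits at 1.10.0 and must stay untouched.
SAMPLE_CUSTOM_PROPERTIES = r'''org.apache.shiro;version=\"1.10.0\",\
org.apache.shiro.aop;version=\"1.10.0\",\
com.example.other;version=\"1.10.0\",\
org.apache.shiro.authc;version=\"1.10.0\",\
'''


def update_shiro_versions(text, new_version="1.12.0"):
    """Return (updated text, number of Shiro entries changed)."""
    out, changed = [], 0
    for line in text.splitlines():
        new_line = SHIRO_ENTRY_RE.sub(lambda m: m.group(1) + new_version + m.group(2), line)
        if new_line != line:
            changed += 1
        out.append(new_line)
    trailer = "\n" if text.endswith("\n") else ""
    return "\n".join(out) + trailer, changed


def patch_file(path, new_version="1.12.0"):
    """Rewrite the file in place (keeping a .bak copy); return the number of changed lines."""
    with open(path, encoding="utf-8") as fh:
        original = fh.read()
    updated, changed = update_shiro_versions(original, new_version)
    if changed:
        shutil.copyfile(path, path + ".bak")
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(updated)
    return changed


if __name__ == "__main__":
    # Usage: python bump_shiro.py digital-factory-data/karaf/etc/custom.properties
    print(f"{patch_file(sys.argv[1])} Shiro entries updated")
```

Compare the printed count with the roughly 60 lines the procedure says need updating: a much smaller number means some entries use a layout the pattern did not match and still need a manual pass.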
Address CSRF vulnerabilities
- If your Jahia server(s) has access to the Internet:
  - Execute the following Karaf commands using the Karaf shell with SSH (do not forget to replace <target-jahia-version> and <current-jahia-version>). Do not use the Karaf command line tool available via /modules/tools.

    bundle:install -l 30 mvn:org.jahia.bundles/org.jahia.bundles.provisioning/<target-jahia-version> mvn:org.jahia.bundles/org.jahia.bundles.jcrcommands/<target-jahia-version>
    bundle:uninstall org.jahia.bundles.provisioning/<current-jahia-version> org.jahia.bundles.jcrcommands/<current-jahia-version>
    bundle:start org.jahia.bundles.provisioning/<target-jahia-version> org.jahia.bundles.jcrcommands/<target-jahia-version>

  - These commands will download, install and start the newer version of the jcrcommands and provisioning bundles.
- If your Jahia server(s) does not have access to the Internet:
  - Copy the two files org.jahia.bundles.provisioning-<target-jahia-version>.jar and org.jahia.bundles.jcrcommands-<target-jahia-version>.jar downloaded previously to your Jahia server, in a path accessible by the Jahia process. For the purpose of these instructions, we will use /tmp.
  - Execute the following Karaf commands using the Karaf shell with SSH (do not forget to replace <target-jahia-version> and <current-jahia-version>). Do not use the Karaf command line tool available via /modules/tools.

    bundle:install file:/tmp/org.jahia.bundles.provisioning-<target-jahia-version>.jar file:/tmp/org.jahia.bundles.jcrcommands-<target-jahia-version>.jar
    bundle:uninstall org.jahia.bundles.provisioning/<current-jahia-version> org.jahia.bundles.jcrcommands/<current-jahia-version>
    bundle:start org.jahia.bundles.provisioning/<target-jahia-version> org.jahia.bundles.jcrcommands/<target-jahia-version>

  - These commands will install and start the newer version of the jcrcommands and provisioning bundles.
  - You can then delete these two files from your temporary folder (/tmp in these instructions).
Jahia 8.1.1 and lower
Customers running Jahia 8 versions 8.1.1 and lower need to upgrade to at least Jahia 8.1.2.3 and apply the above procedure.
We recommend upgrading Jahia regularly to benefit from the security-related fixes and improvements provided in every Jahia release.
Jahia 7.x
As Jahia 7.3 is no longer maintained, we highly recommend upgrading to Jahia 8 and applying the above procedure.
Verifying the library upgrade
CSRF and GraphQL exposure
To verify the library upgrade, and that you are fully protected against the known vulnerabilities, you simply need to access the tools and check that the new version of jahia-impl is the one in use. To do so, open the Groovy console in the tools (/modules/tools/groovyConsole.js) and execute the following Groovy script, which displays the jahia-impl jar in use:

    // Locate the jar from which the Jahia core class was loaded
    Class jahiaClass = org.jahia.bin.Jahia.class;
    String classPath = jahiaClass.getResource(jahiaClass.getSimpleName() + ".class").toString();
    // Strip the "!/..." entry path so that only the jar location remains
    println("Lib: " + classPath.substring(0, classPath.lastIndexOf("!")));

You can also check the bundle versions in the Karaf shell with the following commands:

    la org.jahia.bundles.provisioning
    la org.jahia.bundles.jcrcommands
Apache Shiro update
To verify that Apache Shiro 1.12.0 is the version in use, open the Groovy console in the tools (/modules/tools/groovyConsole.js) and execute the following Groovy script, which displays the Shiro jar in use:

    // Locate the jar from which the current Shiro Subject implementation was loaded
    Class shiroClass = org.apache.shiro.SecurityUtils.getSubject().getClass();
    String classPath = shiroClass.getResource(shiroClass.getSimpleName() + ".class").toString();
    // Strip the "!/..." entry path so that only the jar location remains
    println("Lib: " + classPath.substring(0, classPath.lastIndexOf("!")));
Mitigation
Apache Shiro < 1.12.0
It is advised to block access to the tools from outside your organization. This can be achieved, for example, by using a proxy (HAProxy, Apache2, etc.) and the following regular expression to detect the sensitive URLs to block:

    .+modules.+tools.+

Please note that this is only a means of mitigation, as it prevents people from outside of your organization from exploiting such a vulnerability to access the tools. In any case, it does not replace the need to upgrade to Shiro 1.12.0.
CSRF
It is advised to block access to the vulnerable endpoints. This can be achieved, for example, by using a proxy (HAProxy, Apache2, etc.) and the following regular expressions to detect the sensitive URLs to block:

    .+modules/api/provisioning.+
    .+modules/api/commands.+
    .+gwt/fileupload.+

Please note that this is only a means of mitigation, as it prevents people from exploiting such a vulnerability. In any case, it does not replace the need to apply the patches documented in this page.
GraphQL
There is no identified mitigation for the GraphQL vulnerability; it is recommended to apply the patch as soon as possible.