[
https://issues.apache.org/jira/browse/SHIRO-721?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16976870#comment-16976870
]
Francois Papon commented on SHIRO-721:
--------------------------------------
Fixed with the latest 1.4.2 release.
[~loop09] please avoid opening issue in Jira for security issues (because Jira
is public) and use [[email protected]|mailto:[email protected]]
mailing list:
[https://www.apache.org/security/committers.html]
Thanks!
> RememberMe Padding Oracle Vulnerability
> ---------------------------------------
>
> Key: SHIRO-721
> URL: https://issues.apache.org/jira/browse/SHIRO-721
> Project: Shiro
> Issue Type: Bug
> Components: RememberMe
> Affects Versions: 1.2.5, 1.2.6, 1.3.0, 1.3.1, 1.3.2, 1.4.0-RC2, 1.4.0,
> 1.4.1
> Reporter: loopx9
> Priority: Critical
> Labels: java-deserialization, padding-oracle-attack, security
> Original Estimate: 504h
> Remaining Estimate: 504h
>
> The cookie {color:#ff0000}rememberMe {color}is encrypted by AES-128-CBC mode,
> and this can be vulnerable to padding oracle attacks. Attackers can use a
> vaild rememberMe cookie as the {color:#ff0000}prefix{color} for the Padding
> Oracle Attack,then make a crafted rememberMe to perform the java
> deserilization attack like SHIRO-550.
> Steps to reproduce this issue:
> # Login in the website and get the rememberMe from the cookie.
> # Use the rememberMe cookie as the prefix for Padding Oracle Attack.
> # Encrypt a ysoserial's serialization payload to make a crafted rememberMe
> via Padding Oracle Attack.
> # Request the website with the new rememberMe cookie, to perform the
> deserialization attack.
> The attacker doesn't need to know the cipher key of the rememberMe encryption.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
