You can try to upgrade the jars, but I'd recommend contacting the vendor and getting them to upgrade the parcel.

-Brian

> On Apr 24, 2021, at 9:25 PM, zh0122 <[email protected]> wrote:
>
> Could anyone help to check this?
>
> Thanks
>
> zh0122 <[email protected]> wrote on Thursday, April 22, 2021 at 3:17 PM:
>
>> Hello,
>>
>> As Shiro has a bug, CVE-2020-17523:
>>>
>>> Apache Shiro before 1.7.1, when using Apache Shiro with Spring, a
>>> specially crafted HTTP request may cause an authentication bypass.
>>
>> We use the CDH platform, which integrates Shiro in the lib, but we have no
>> source code of the CDH platform.
>> For security reasons, we plan to upgrade the shiro-*.jar in the CDH libs.
>>
>> - Are there any suggestions about it?
>> - Could I only replace the jars in the lib directory?
>> - Is there any API change between 1.2.3 and 1.7.1 (1.4.0 and 1.7.1)?
>> - If I replace the jars in the directory with the 1.7.1 jars, is there any
>>   compatibility issue?
>>
>> Below is the list of Shiro jars in the installed CDH platform.
>>
>>> /opt/cloudera/parcels/CDH-5.16.1-1.cdh5.16.1.p0.3/jars/shiro-core-1.2.3.jar
>>> /opt/cloudera/parcels/CDH-6.3.2-1.cdh6.3.2.p0.1605554/jars/shiro-cache-1.4.0.jar
>>> /opt/cloudera/parcels/CDH-6.3.2-1.cdh6.3.2.p0.1605554/jars/shiro-config-core-1.4.0.jar
>>> /opt/cloudera/parcels/CDH-6.3.2-1.cdh6.3.2.p0.1605554/jars/shiro-config-ogdl-1.4.0.jar
>>> /opt/cloudera/parcels/CDH-6.3.2-1.cdh6.3.2.p0.1605554/jars/shiro-core-1.4.0.jar
>>> /opt/cloudera/parcels/CDH-6.3.2-1.cdh6.3.2.p0.1605554/jars/shiro-crypto-cipher-1.4.0.jar
>>> /opt/cloudera/parcels/CDH-6.3.2-1.cdh6.3.2.p0.1605554/jars/shiro-crypto-core-1.4.0.jar
>>> /opt/cloudera/parcels/CDH-6.3.2-1.cdh6.3.2.p0.1605554/jars/shiro-crypto-hash-1.4.0.jar
>>> /opt/cloudera/parcels/CDH-6.3.2-1.cdh6.3.2.p0.1605554/jars/shiro-event-1.4.0.jar
>>> /opt/cloudera/parcels/CDH-6.3.2-1.cdh6.3.2.p0.1605554/jars/shiro-lang-1.4.0.jar
>>
>> Thanks
>> BRs
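The thread above lists the Shiro jars found under the CDH parcel directories. Before deciding whether to swap jars or wait for a vendor parcel, the practical first step is to inventory every Shiro jar on the host and flag those below 1.7.1, the first release the advisory names as fixed. The POSIX shell script below is an added example, not part of the thread and not Shiro's or Cloudera's own tooling; it assumes Maven-style jar names of the form shiro-<module>-<version>.jar with purely numeric dotted versions, a default parcel root of /opt/cloudera/parcels, and it builds a small constructed directory tree mirroring the names in the thread so it can be run offline.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): inventory Shiro jars under
# a parcel root and report any whose version is below 1.7.1, the first release
# fixed for CVE-2020-17523.
# Assumptions (not stated in the thread): jar names look like
# shiro-<module>-<version>.jar and versions are numeric dotted strings.

FIXED_VERSION="1.7.1"

# version_lt A B: succeed when dotted version A is numerically lower than B.
# Compares component by component; missing components count as 0, and any
# non-numeric suffix on a component (e.g. "-SNAPSHOT") is ignored.
version_lt() {
    a="$1" b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai="${a%%.*}"; bi="${b%%.*}"
        ai="${ai%%[!0-9]*}"; bi="${bi%%[!0-9]*}"
        [ -z "$ai" ] && ai=0
        [ -z "$bi" ] && bi=0
        [ "$ai" -lt "$bi" ] && return 0
        [ "$ai" -gt "$bi" ] && return 1
        case "$a" in *.*) a="${a#*.}" ;; *) a="" ;; esac
        case "$b" in *.*) b="${b#*.}" ;; *) b="" ;; esac
    done
    return 1
}

# jar_version PATH: print the version embedded in a Maven-style jar file name,
# i.e. everything after the last '-' once the .jar suffix is removed.
jar_version() {
    n="${1##*/}"; n="${n%.jar}"
    printf '%s\n' "${n##*-}"
}

# outdated_shiro_jars ROOT: print "<path> <version>" for every shiro-*.jar
# below ROOT whose version is lower than FIXED_VERSION. Empty output means
# no pre-1.7.1 Shiro jar was found by file name.
outdated_shiro_jars() {
    find "$1" -type f -name 'shiro-*.jar' 2>/dev/null | sort | while read -r jar; do
        v="$(jar_version "$jar")"
        if version_lt "$v" "$FIXED_VERSION"; then
            printf '%s %s\n' "$jar" "$v"
        fi
    done
}

# make_sample_tree: build a constructed directory tree (not a real parcel) with
# empty files named after jars from the thread plus one already-patched jar,
# and print its root. This exists only so the example runs offline.
make_sample_tree() {
    root="$(mktemp -d)"
    mkdir -p "$root/CDH-5.16.1/jars" "$root/CDH-6.3.2/jars" "$root/patched/jars"
    : > "$root/CDH-5.16.1/jars/shiro-core-1.2.3.jar"
    : > "$root/CDH-6.3.2/jars/shiro-core-1.4.0.jar"
    : > "$root/CDH-6.3.2/jars/shiro-config-core-1.4.0.jar"
    : > "$root/patched/jars/shiro-core-1.7.1.jar"
    printf '%s\n' "$root"
}

# When run directly, scan the given root (default: the CDH parcel root).
outdated_shiro_jars "${1:-/opt/cloudera/parcels}"
```

The check goes by file name only, so a jar that was relocated or repackaged under another name would not be reported; it tells you where the exposure is, not whether replacing files is safe. That second question is the one Brian's reply answers: the parcel is the vendor's unit of support, so the durable fix is a vendor-supplied parcel rather than hand-swapped jars.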
