
Comments (7)

cmdcolin commented on July 21, 2024

Hi @nanjiangshu I know it's unfortunate but there are indeed a number of security alerts on the Apollo codebase right now that are reported by security scanners. I reported a security scan from the grype tool here:

#2640 (comment)

we took effort to remediate the log4j issue at the request of a user, but it took concerted effort, and it may be difficult to fix many of these issues because many of them come from the grails platform version that we use, and it is difficult to upgrade to the latest version of grails without changing a large amount of code

I don't have any specific recommendation for now but to be aware of this. We can leave this issue open, and if you would like to look into contributing any possible fixes, then we may be able to accept pull requests, though I know that is a big task.

from apollo.

nanjiangshu commented on July 21, 2024

@cmdcolin Thanks for your quick reply and I understand you have a lot of similar issues to handle. We need to find a solution ourselves since the resource provider will shut down all our deployed instances if the problem is not solved. Would it be possible for us to ask you some questions about the configuration of Apache Shiro in case we encounter problems?


cmdcolin commented on July 21, 2024

Certainly, let us know of any questions. There is some possibility that Shiro could be upgraded to some patch version if that is the only one you need. See here for the PR that updated the log4j version: #2654


nanjiangshu commented on July 21, 2024

Hi @cmdcolin. Thanks for your tips. I tried to upgrade the Shiro version to 1.2.5 by changing the code at https://github.com/GMOD/Apollo/blob/develop/grails-app/conf/BuildConfig.groovy#L137. However, when building the Docker image, I received the following error.

| Error Resolve error obtaining dependencies: Could not find artifact org.grails.plugins:shiro:zip:1.2.5 in grailsCentral (https://repo.grails.org/grails/plugins) (Use --stacktrace to see the full trace)

Is there a way to provide a URL to Grails so that it can find Shiro version 1.2.5?


cmdcolin commented on July 21, 2024

I'm not sure what exactly shiro 1.2.5 is; I see only "1.2.1" here but am not sure if we even use that: https://repo.grails.org/ui/packages/gav:%2F%2Forg.grails.plugins:shiro?name=shiro&type=packages

My scan from https://gist.github.com/cmdcolin/df8e92fe3e82fb2856b5c08d90bf4a32 indicated various shiro subpackages were in use.

Is it shiro-core or something like that? Package list: https://repo.grails.org/ui/packages?name=shiro&type=packages

I will also note, your security scan noted that disabling remember me could be another alternative. Not sure if that's easier or harder.


nanjiangshu commented on July 21, 2024

As you pointed out, it seems the Grails plugin does not provide a Shiro version higher than 1.2.1, although at Maven Central many newer versions of Shiro are provided: https://mvnrepository.com/artifact/org.grails/grails-plugin-servlets. I don't know how much work it would require to let the BuildConfig use shiro-core from Maven, and I probably don't have the time either.

It seems it is quite easy to disable the "RememberMe" feature, and I will talk with the sysadmin about whether they accept this option.

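The thread above conflates two different version numbers: the Grails `shiro` plugin (latest 1.2.1 on grailsCentral, which is why the 1.2.5 artifact was not found) and the Apache Shiro library (`org.apache.shiro:shiro-core`) that the plugin pulls in and that scanners actually flag. The following Grails 2 `BuildConfig.groovy` fragment is an added illustration, not Apollo's own configuration, of how the library can be pinned from Maven Central while keeping the plugin; the Shiro version is a placeholder to be replaced by the version your scanner reports as fixed.

```groovy
// Added example (not from the Apollo repository): override the Apache Shiro
// library version that the Grails "shiro" plugin brings in transitively.
grails.project.dependency.resolver = "maven"

grails.project.dependency.resolution = {
    repositories {
        grailsCentral()   // hosts the plugin itself (org.grails.plugins:shiro)
        mavenCentral()    // hosts the library (org.apache.shiro:shiro-*)
    }

    dependencies {
        // Pin the library directly. Declaring it here takes precedence over the
        // older shiro-core/shiro-web the 1.2.1 plugin would otherwise resolve.
        // SHIRO_VERSION is a placeholder: use the patched release your scanner names.
        compile 'org.apache.shiro:shiro-core:SHIRO_VERSION'
        compile 'org.apache.shiro:shiro-web:SHIRO_VERSION'
    }

    plugins {
        // Keep the plugin at the only version grailsCentral provides, but exclude
        // its bundled Shiro jars so two copies cannot end up on the classpath.
        // (Exclusion by artifact name is assumed here; check the resolved tree.)
        compile(':shiro:1.2.1') {
            excludes 'shiro-core', 'shiro-web'
        }
    }
}
```

After rebuilding, confirm the override actually landed by listing the Shiro jars inside the built WAR or Docker image (for example with `grails dependency-report` or by inspecting `WEB-INF/lib`), since a scanner will keep flagging any old copy that is still packaged.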

jvolkening commented on July 21, 2024

Hello @nanjiangshu,

It seems it is quite easy to disable the feature "RememberMe" and I will talk with the sysadmin if they accept this option.

Were you able to disable this option in Apollo to address the vulnerability? If so, could you briefly describe how or point to relevant docs? I haven't been able to find any guidance in my search.

Many thanks.
