CVE-2016-4437
Published: 07 June 2016
Summary
CVE-2016-4437 is a critical-severity Use of Hard-coded Cryptographic Key (CWE-321) vulnerability in Apache Shiro. Its CVSS base score is 9.8 (Critical).
Operationally, it ranks in the top 0.1% of CVEs by exploit likelihood, CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SC-12 (Cryptographic Key Establishment and Management).
Deeper analysis
Apache Shiro versions prior to 1.2.5 are affected by a vulnerability in the "remember me" feature that applies whenever no cipher key has been explicitly configured, leaving the feature on its built-in default key. The flaw, tracked under CVE-2016-4437 with a CVSS score of 9.8, permits remote attackers to supply an unspecified request parameter that leads to arbitrary code execution or bypass of access controls. The issue is classified as CWE-321, use of hard-coded cryptographic keys.
Unauthenticated remote attackers can target any Shiro-based application that relies on the remember-me functionality without a custom key, achieving full compromise of the affected system or unauthorized access to protected resources. Public exploit code demonstrating both information disclosure and remote code execution against version 1.2.4 has been published.
Red Hat addressed the vulnerability through errata RHSA-2016-2035 and RHSA-2016-2036, while additional technical details and proof-of-concept material appear in PacketStorm and SecurityFocus archives.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-4711
Vulnerability details
Apache Shiro before 1.2.5, when a cipher key has not been configured for the "remember me" feature, allows remote attackers to execute arbitrary code or bypass intended access restrictions via an unspecified request parameter.
- CWE(s): CWE-321 (Use of Hard-coded Cryptographic Key)
- KEV Date Added: 03 November 2021
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
- SC-12 (Cryptographic Key Establishment and Management): Directly requires proper cryptographic key establishment and management, preventing use of hard-coded or absent cipher keys in Shiro's remember-me feature.
- AC-3 (Access Enforcement): Enforces access control decisions so that an unauthenticated attacker cannot bypass restrictions or execute arbitrary code via a forged remember-me parameter.
- Requires secure management of authenticators, including the cryptographic material protecting persistent remember-me tokens.
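The condition described in the deeper analysis and addressed by the SC-12 control above is a remember-me manager that was never given its own cipher key. The following added example (written for this page, not code from the Apache Shiro project or from the original record) audits a shiro.ini [main] section for that condition and emits a hardened copy with a freshly generated per-deployment key. It assumes the `rememberMeManager.cipherKey` ini property is supplied as a base64 string, which is the form assumed here for Shiro byte-array properties; the sample ini fragments are constructed for the example.

```python
import base64
import binascii
import os
import re
from typing import Dict, Optional

# Constructed sample shiro.ini [main] sections (not taken from the original page).
# The weak one defines a CookieRememberMeManager without a cipherKey, so every
# deployment built from it shares the library's default key, which is the
# condition CVE-2016-4437 describes for Shiro before 1.2.5.
WEAK_INI = """\
[main]
rememberMeManager = org.apache.shiro.web.mgt.CookieRememberMeManager
securityManager.rememberMeManager = $rememberMeManager
"""

NO_REMEMBER_ME_INI = """\
[main]
securityManager.sessionMode = native
"""

# "<bean>.cipherKey = <value>" lines, e.g. "rememberMeManager.cipherKey = ...".
CIPHER_KEY_RE = re.compile(
    r"^([ \t]*[\w.]*[rR]ememberMeManager\.cipherKey[ \t]*=[ \t]*)(\S*)[ \t]*$",
    re.MULTILINE,
)
# Bean definition line that instantiates a RememberMeManager implementation.
BEAN_DEF_RE = re.compile(
    r"^[ \t]*(\w+)[ \t]*=[ \t]*[\w.]*RememberMeManager[ \t]*$", re.MULTILINE
)
AES_KEY_LENGTHS = (16, 24, 32)


def generate_cipher_key(n_bytes: int = 16) -> str:
    """Return a fresh random AES key, base64-encoded (assumed ini form for byte[] properties)."""
    if n_bytes not in AES_KEY_LENGTHS:
        raise ValueError("AES keys must be 16, 24 or 32 bytes")
    return base64.b64encode(os.urandom(n_bytes)).decode("ascii")


def find_cipher_key(ini_text: str) -> Optional[str]:
    """Return the configured cipherKey value, '' if present but empty, None if absent."""
    m = CIPHER_KEY_RE.search(ini_text)
    return m.group(2) if m else None


def audit_remember_me(ini_text: str) -> Dict[str, Optional[str]]:
    """Classify a [main] section as no-remember-me, weak-default-key, malformed-key, bad-key-length or ok."""
    key = find_cipher_key(ini_text)
    if "RememberMeManager" not in ini_text and "rememberMeManager" not in ini_text:
        status = "no-remember-me"
    elif not key:
        # No explicit key: the manager falls back to the library's built-in default key.
        status = "weak-default-key"
    else:
        try:
            raw = base64.b64decode(key, validate=True)
        except (binascii.Error, ValueError):
            status = "malformed-key"
        else:
            status = "ok" if len(raw) in AES_KEY_LENGTHS else "bad-key-length"
    return {"status": status, "cipher_key": key}


def harden(ini_text: str, key: Optional[str] = None) -> str:
    """Return ini text with a per-deployment cipherKey: replace an existing value or add one after the bean."""
    key = key or generate_cipher_key()
    if find_cipher_key(ini_text) is not None:
        return CIPHER_KEY_RE.sub(lambda m: m.group(1) + key, ini_text, count=1)
    m = BEAN_DEF_RE.search(ini_text)
    if m is None:
        raise ValueError("no RememberMeManager bean found to attach a cipherKey to")
    # Property assignments must follow the bean definition they refer to.
    line = f"{m.group(1)}.cipherKey = {key}"
    return ini_text[: m.end()] + "\n" + line + ini_text[m.end():]


if __name__ == "__main__":
    print("before:", audit_remember_me(WEAK_INI)["status"])
    fixed = harden(WEAK_INI)
    print("after: ", audit_remember_me(fixed)["status"])
    print(fixed)
```

Configuring an explicit key only covers the "no cipher key configured" condition the record describes; the supported fix is upgrading to Shiro 1.2.5 or later. The generated key must be unique per deployment and handled as a secret, and replacing it invalidates every remember-me cookie issued under the old key, which is the intended effect when a default key was in use.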