CVE-2022-32532: Apache Shiro RegexRequestMatcher Vulnerability May Allow Authorization Bypass in Certain Servlet Containers

A security vulnerability, assigned CVE-2022-32532, has been discovered in Apache Shiro, a popular Java security framework that provides authentication, authorization, and session management functionality. The vulnerability affects Shiro versions prior to 1.9.1 and may allow an attacker to bypass authorization checks in certain servlet containers when a RegexRequestMatcher is misconfigured.

What is RegexRequestMatcher, and how does it work in Apache Shiro?
In Apache Shiro, RegexRequestMatcher is a component used to evaluate if a given request matches a specified regular expression. When Shiro is configured to use RegexRequestMatcher, it uses the regular expression provided by the developer to determine whether a request should be granted or denied based on its URI pattern. RegexRequestMatcher is often used to define access control rules for web applications in a concise and flexible way.

How does the vulnerability work, and why is it dangerous?
The CVE-2022-32532 vulnerability is related to a misconfiguration of the RegexRequestMatcher when the period character (.) is included in the regular expression, making it more permissive than intended. In certain servlet containers, attackers can bypass authorization checks and gain unauthorized access to protected resources by crafting URLs that evade the affected RegexRequestMatcher pattern. This security vulnerability poses significant risks to web applications that rely on Apache Shiro for their authorization mechanisms.

Here's an example of the vulnerable configuration in the shiro.ini file:

[urls]
/api/v1/users/.* = authc, roles[admin]

The above configuration attempts to grant access to /api/v1/users/* only to authenticated users with the 'admin' role. However, a malicious user might bypass this authorization check by sending a request to /api/v1/users/%2e* (where %2e is the URL-encoded period character).

The targeted servlet container allows crafted URLs to bypass the regular expression

For a successful attack, the malicious user needs to craft a URL that combines all these factors.

Original references

The CVE-2022-32532 vulnerability was initially reported and analyzed by security researchers and Apache Shiro team members. Detailed information about the vulnerability, its impact, and the affected versions can be found in the following resources:

- Apache Shiro Security Bulletin: https://shiro.apache.org/security/CVE-2022-32532.html
- NIST National Vulnerability Database: https://nvd.nist.gov/vuln/detail/CVE-2022-32532
- GitHub Issue: https://github.com/apache/shiro/issues/287

How to remediate the vulnerability?
Developers are encouraged to upgrade their Apache Shiro installation to the latest version (1.9.1 or later) as soon as possible to mitigate the risks associated with CVE-2022-32532. Additionally, it is essential to review the regular expressions used in the RegexRequestMatcher configurations to ensure that they are not unnecessarily permissive and correctly enforce desired access control rules.

If upgrading to the latest version of Apache Shiro is not feasible, consider temporarily replacing the affected RegexRequestMatcher patterns with more appropriate matchers, such as AntPathRequestMatcher, to help protect against the vulnerability.
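To support the pattern review recommended above, the following added example (not code from Apache Shiro or from the original article) scans the [urls] section of a shiro.ini file and lists rules whose pattern contains a period acting as a regex wildcard. It assumes the [urls] patterns are evaluated as regular expressions, as in the configuration shown earlier; the function names and the sample file are constructed for illustration.

```python
import re

# Constructed sample shiro.ini; the first [urls] rule is the one shown on this page.
SAMPLE_INI = """\
[main]
authc.loginUrl = /login.jsp

[urls]
# admin API
/api/v1/users/.* = authc, roles[admin]
/static/app\\.js = anon
/docs/[.]well-known/info = anon
/login = anon
"""

def has_unescaped_dot(pattern):
    """True if '.' acts as a wildcard (not written as '\\.' and not inside [...])."""
    in_class, i = False, 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\":           # backslash escapes the next character: skip both
            i += 2
            continue
        if ch == "[":
            in_class = True      # inside a character class '.' is a literal
        elif ch == "]":
            in_class = False
        elif ch == "." and not in_class:
            return True
        i += 1
    return False

def audit_urls(ini_text):
    """Return (line_no, pattern, filter_chain) for each [urls] rule with a wildcard dot."""
    findings, section = [], None
    for no, raw in enumerate(ini_text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or comment
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section = header.group(1)
            continue
        if section == "urls" and "=" in line:
            pattern, chain = (part.strip() for part in line.split("=", 1))
            if has_unescaped_dot(pattern):
                findings.append((no, pattern, chain))
    return findings
```

A flagged rule is a candidate for manual review, not proof that the rule can be bypassed.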

Timeline

Published on: 06/29/2022 00:15:00 UTC
Last modified on: 07/08/2022 01:24:00 UTC