Apache Shiro patch

If you have not upgraded to LUNA 7.5.0.8 or later, apply this patch.

We found a vulnerability that should be patched as soon as possible. The patch applies to every LUNA 7 instance.

There have been a couple of reports of LUNA servers being used for cryptocurrency mining. In each case a program called xmrig was found running, launched from a folder named c3pool in the user's home directory; the account running it appears to need sudo privileges for the setup to work. The servers were compromised through a vulnerability in Apache Shiro, the Java security framework that LUNA's web applications use. Replacing the Apache Shiro jar files closes that vulnerability. It does not remove anything an attacker has already installed, so also check each server for the c3pool folder and the xmrig process, and treat a server where they are present as compromised rather than merely unpatched.
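The two indicators named above can be checked with a short script. This is an added example, not part of the original patch notes or of LUNA itself. It assumes the list of home directories can be read from a passwd-format file (/etc/passwd by default, so service accounts with homes outside /home are covered) and that the local ps accepts `-eo pid=,user=,args=`, which Linux procps and BSD ps both do.

```shell
#!/bin/sh
# Added example: look for the indicators from the mining reports -- a c3pool
# folder directly under a user's home, and a running xmrig process.
# Assumption: home directories are field 6 of a passwd-format file.

# Print every <home>/c3pool directory for the homes listed in the passwd file $1.
find_c3pool_dirs() {
  passwd="${1:-/etc/passwd}"
  cut -d: -f6 "$passwd" | sort -u | while IFS= read -r home; do
    if [ -d "$home/c3pool" ]; then
      echo "$home/c3pool"
    fi
  done
}

# Filter "pid user args" lines (as printed by ps -eo pid=,user=,args=) on stdin
# down to the ones mentioning xmrig. The [x]mrig pattern keeps grep from
# matching its own command line when fed live ps output.
scan_process_list() {
  grep -i '[x]mrig' || true
}

# Run the process check against the live process table.
find_xmrig_processes() {
  ps -eo pid=,user=,args= | scan_process_list
}

# Invoked as "sh check_mining.sh scan" it reports; with no argument it only
# defines the functions so it can be sourced.
case "${1:-}" in
  scan)
    echo "== c3pool folders =="; find_c3pool_dirs
    echo "== xmrig processes =="; find_xmrig_processes
    ;;
  *) : ;;
esac
```

Empty output under both headings means neither indicator was found; any hit is a reason to keep the server off the network until it has been investigated, because patching Shiro alone leaves the miner in place.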

Step-by-step guide

  1. Delete the old shiro jars from each of the following locations under ~/LunaImaging/7.x/LUNA/tomcat/luna_apps/:
    luna.war/WEB-INF/lib/shiro-*
    uploader.war/WEB-INF/lib/shiro-*
    webadmin.war/WEB-INF/lib/shiro-*
    las.war/WEB-INF/lib/shiro-*
    editor.war/WEB-INF/lib/shiro-*
  2. Copy shiro-all-1.2.6.jar into each of the above lib folders. shiro-all bundles the modules the individual shiro-* jars provided, so make sure no other shiro-* jar remains next to it.

You can download the file here: https://shiro.apache.org/download.html#1.2.xBinary

It is also available directly from Maven Central: https://repo1.maven.org/maven2/org/apache/shiro/shiro-all/1.2.6/shiro-all-1.2.6.jar

  3. Restart LUNA's Tomcat so the new jar is loaded.
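The three steps above as a re-runnable script, with a check that the result is what the guide expects. This is an added example, not LUNA's own tooling. It assumes LUNA_APPS is the luna_apps directory from step 1, NEW_JAR is the downloaded shiro-all-1.2.6.jar, and TOMCAT_HOME is LUNA's Tomcat directory containing the standard bin/shutdown.sh and bin/startup.sh scripts; all three can be overridden in the environment.

```shell
#!/bin/sh
# Added example (not LUNA's own tooling). Assumed locations, override via env:
LUNA_APPS="${LUNA_APPS:-$HOME/LunaImaging/7.x/LUNA/tomcat/luna_apps}"
NEW_JAR="${NEW_JAR:-$HOME/shiro-all-1.2.6.jar}"
TOMCAT_HOME="${TOMCAT_HOME:-$HOME/LunaImaging/7.x/LUNA/tomcat}"
WARS="luna.war uploader.war webadmin.war las.war editor.war"
WANT="shiro-all-1.2.6.jar"

# Steps 1 and 2: in each war's WEB-INF/lib remove every shiro-* jar and copy
# the new one in. Refuses to run if the download is not a zip archive (a
# failed download often leaves an HTML error page behind) or a lib directory
# is missing, so a typo in the path cannot half-patch the installation.
patch_shiro() {
  apps="$1"; jar="$2"
  if [ ! -f "$jar" ] || [ "$(head -c 2 "$jar")" != "PK" ]; then
    echo "not a jar/zip archive: $jar" >&2; return 1
  fi
  for w in $WARS; do
    lib="$apps/$w/WEB-INF/lib"
    if [ ! -d "$lib" ]; then echo "missing $lib" >&2; return 1; fi
  done
  for w in $WARS; do
    lib="$apps/$w/WEB-INF/lib"
    for old in "$lib"/shiro-*; do
      [ -e "$old" ] || continue   # glob did not match: nothing to delete
      rm -f "$old"
    done
    cp "$jar" "$lib/$WANT"
  done
}

# Check: every lib dir holds shiro-all-1.2.6.jar and no other shiro-* jar.
# Run it before patching to see what is installed and after as the check.
verify_shiro() {
  apps="$1"; rc=0
  for w in $WARS; do
    lib="$apps/$w/WEB-INF/lib"
    have_new=0
    for f in "$lib"/shiro-*; do
      [ -e "$f" ] || continue
      case "${f##*/}" in
        "$WANT") have_new=1 ;;
        *) echo "stale: $f"; rc=1 ;;
      esac
    done
    if [ "$have_new" -eq 0 ]; then echo "missing: $lib/$WANT"; rc=1; fi
  done
  return $rc
}

# Step 3: restart Tomcat with the scripts a standard Tomcat ships in bin/.
restart_tomcat() {
  "$TOMCAT_HOME/bin/shutdown.sh" && sleep 5 && "$TOMCAT_HOME/bin/startup.sh"
}

# "sh patch_shiro.sh check" inventories the jars; "sh patch_shiro.sh apply"
# patches, verifies, and restarts. No argument only defines the functions.
case "${1:-}" in
  check) verify_shiro "$LUNA_APPS" ;;
  apply) patch_shiro "$LUNA_APPS" "$NEW_JAR" && verify_shiro "$LUNA_APPS" && restart_tomcat ;;
  *) : ;;
esac
```

Run it as the account that owns the LUNA installation, not via sudo, so the replaced jars keep the ownership Tomcat expects. A non-zero exit from `check` after `apply` means a war was not updated and Tomcat should not be restarted until it is.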