📄 Description (English)
Default configurations of Apache Shiro send sensitive cookies in HTTPS session without 'Secure' attribute.
This issue affects Apache Shiro from 1.0 to 2.1.0, and 3.0.0-alpha-1.
Users are recommended to upgrade to version 2.1.1, or 3.0.0-alpha-2 or later, which fixes the issue.
In the affected versions, Shiro-native session manager, as well as Remember-Me manager sends JSESSIONID and rememberMe cookies without 'secure' attribute by default.
🤖 AI Executive Summary
Apache Shiro versions 1.0 through 2.1.0 and 3.0.0-alpha-1 fail to set the 'Secure' attribute on session cookies (JSESSIONID and rememberMe), allowing potential interception over unencrypted connections. This cookie security misconfiguration could enable attackers to capture sensitive session tokens if HTTPS is downgraded or compromised. While CVSS is moderate (6.5), the vulnerability affects authentication mechanisms critical to enterprise applications deployed across Saudi organizations.
📄 Description (Arabic)
🤖 AI Intelligence Analysis Analyzed: May 28, 2026 16:54
🇸🇦 Saudi Arabia Impact Assessment
High impact for Saudi banking sector (SAMA-regulated institutions) relying on Shiro for authentication frameworks. Government agencies (NCA oversight) using Shiro in identity management systems face session hijacking risks. Healthcare organizations (MOH) and energy sector (ARAMCO, SEC) deploying Shiro-based applications could experience unauthorized access to sensitive operational systems. Telecom providers (STC, Mobily) using Shiro for customer authentication portals are at risk of credential compromise. The vulnerability is particularly critical in Saudi Arabia's digital transformation initiatives where HTTPS is assumed secure but cookie attributes are not properly configured.
🏢 Affected Saudi Sectors
Banking and Financial Services
Government and Public Administration
Healthcare
Energy and Utilities
Telecommunications
E-commerce and Retail
Education
🎯 MITRE ATT&CK Techniques
⚖️ Saudi Risk Score (AI)
6.8
/ 10.0
🔧 Remediation Steps (English)
IMMEDIATE ACTIONS:
1. Identify all Apache Shiro deployments in your environment (versions 1.0-2.1.0, 3.0.0-alpha-1)
2. Audit current cookie configurations for JSESSIONID and rememberMe attributes
3. Review access logs for potential cookie interception attempts
PATCHING GUIDANCE:
1. Upgrade to Apache Shiro 2.1.1 or 3.0.0-alpha-2 or later immediately
2. For applications unable to patch immediately, implement manual configuration:
- Set 'secure' attribute to 'true' in session manager configuration
- Configure: sessionManager.sessionIdCookie.secure = true
- Configure: rememberMeManager.cookie.secure = true
3. Ensure HTTPS is enforced site-wide with HSTS headers
COMPENSATING CONTROLS (if patching delayed):
1. Implement HTTP Strict-Transport-Security (HSTS) headers with max-age minimum 31536000
2. Deploy WAF rules to enforce HTTPS-only cookie transmission
3. Monitor for cookie exfiltration in network traffic
4. Implement certificate pinning for critical applications
5. Use secure proxy/load balancer to enforce cookie security attributes
DETECTION RULES:
1. Monitor for JSESSIONID/rememberMe cookies transmitted over HTTP
2. Alert on Set-Cookie headers lacking 'Secure' attribute in responses
3. Track authentication failures following suspicious cookie activity
4. Log all Shiro configuration changes
🔧 خطوات المعالجة (العربية)
الإجراءات الفورية:
1. تحديد جميع نشرات Apache Shiro في بيئتك (الإصدارات 1.0-2.1.0، 3.0.0-alpha-1)
2. تدقيق تكوينات ملفات تعريف الارتباط الحالية لخصائص JSESSIONID و rememberMe
3. مراجعة سجلات الوصول للكشف عن محاولات اعتراض ملفات تعريف الارتباط المحتملة
إرشادات التصحيح:
1. الترقية إلى Apache Shiro 2.1.1 أو 3.0.0-alpha-2 أو إصدار أحدث فوراً
2. للتطبيقات غير القادرة على التصحيح فوراً، تنفيذ التكوين اليدوي:
- تعيين خاصية 'secure' إلى 'true' في تكوين مدير الجلسة
- التكوين: sessionManager.sessionIdCookie.secure = true
- التكوين: rememberMeManager.cookie.secure = true
3. التأكد من فرض HTTPS في جميع أنحاء الموقع مع رؤوس HSTS
الضوابط البديلة (إذا تأخر التصحيح):
1. تنفيذ رؤوس HTTP Strict-Transport-Security (HSTS) بحد أدنى max-age 31536000
2. نشر قواعد WAF لفرض نقل ملفات تعريف الارتباط الآمنة فقط
3. مراقبة تسرب ملفات تعريف الارتباط في حركة المرور
4. تنفيذ تثبيت الشهادات للتطبيقات الحرجة
5. استخدام وكيل آمن/موازن تحميل لفرض خصائص أمان ملفات تعريف الارتباط
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
ECC 2024 A.5.1.1 - Information security policies and procedures
ECC 2024 A.6.2.1 - User registration and access rights management
ECC 2024 A.8.2.3 - Segregation of duties
ECC 2024 A.9.2.1 - User access management
ECC 2024 A.10.1.1 - Cryptography policy
🔵 SAMA CSF
SAMA CSF ID.AM-2 - Software inventory and configuration management
SAMA CSF PR.AC-1 - Access control policy and procedures
SAMA CSF PR.DS-2 - Data-in-transit protection
SAMA CSF DE.CM-1 - Network monitoring and anomaly detection
🟡 ISO 27001:2022
ISO 27001:2022 A.5.15 - Access control
ISO 27001:2022 A.8.24 - Cryptography
ISO 27001:2022 A.8.25 - Secure development life cycle
ISO 27001:2022 A.8.32 - Change management
🟣 PCI DSS v4.0.1
PCI DSS 2.2.4 - Configure system security parameters
PCI DSS 4.1 - Render PAN unreadable anywhere it is stored
PCI DSS 6.5.10 - Broken authentication and session management
📦 Affected Products / CPE 2 entries
apache:shiro
apache:shiro:3.0.0