Vulnerability scanning and management is one of the most important topics in IT security, and unfortunately many companies neglect it or don't even know about it. On 3 November 2021 the US agency CISA published a catalog of 292 known exploited vulnerabilities together with Binding Operational Directive 22-01, which requires US federal civilian agencies to patch, fix or otherwise mitigate each listed vulnerability by the due date set in the catalog (by default six months for CVEs with an ID assigned before 2021 and two weeks for all others).
However, the vulnerability scanner vendors Qualys and Tenable both do not detect the critical remote code execution vulnerability CVE-2016-4437 in Apache Shiro (Java deserialization of the rememberMe cookie, which affected versions encrypt with a hard-coded default AES key), or at least not yet:
- Qualys, checked on 7 November 2021: no detection for CVE-2016-4437 (screenshot)
- Tenable, checked on 7 November 2021: no detection for CVE-2016-4437 (screenshot)
Both vendors have been contacted; maybe they'll add a signature for this critical vulnerability.
Qualys has also published a dashboard for Binding Operational Directive 22-01: https://blog.qualys.com/vulnerabilities-threat-research/2021/11/08/qualys-response-to-cisa-alert-binding-operational-directive-22-01
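One practitioner check that follows from this gap is to diff the KEV catalog against what your scanner can actually detect, rather than trusting a clean scan report. The Python below is an added example, not code from the original post or from CISA, Qualys or Tenable; the KEV entries and the scanner coverage set are constructed sample data (the field names follow CISA's public KEV JSON feed, which is assumed here), and the deadline rule encodes BOD 22-01's defaults of six months for pre-2021 CVE IDs and two weeks otherwise.

```python
"""Cross-check a vulnerability scanner's CVE coverage against the CISA KEV
catalog and the BOD 22-01 remediation deadlines.

Assumptions (not from the original post): the KEV JSON feed shape used here
(top-level "vulnerabilities" list with cveID, dateAdded, dueDate fields) and
the scanner coverage set are constructed sample data; SCANNER_COVERAGE stands
in for whatever list of supported CVEs your scanner can export.
"""
import calendar
import datetime as dt
import json

# Constructed sample in the shape of CISA's KEV JSON feed. Only three entries,
# chosen to mirror the post: CVE-2016-4437 (Apache Shiro) is in the catalog.
SAMPLE_KEV_JSON = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities (sample)",
    "count": 3,
    "vulnerabilities": [
        {"cveID": "CVE-2016-4437", "vendorProject": "Apache", "product": "Shiro",
         "dateAdded": "2021-11-03", "dueDate": "2022-05-03"},
        {"cveID": "CVE-2019-19781", "vendorProject": "Citrix", "product": "ADC and Gateway",
         "dateAdded": "2021-11-03", "dueDate": "2022-05-03"},
        {"cveID": "CVE-2021-40539", "vendorProject": "Zoho",
         "product": "ManageEngine ADSelfService Plus",
         "dateAdded": "2021-11-03", "dueDate": "2021-11-17"},
    ],
})

# Constructed: CVEs the scanner claims a detection for. CVE-2016-4437 is
# deliberately absent, reproducing the gap described in the post.
SCANNER_COVERAGE = {"CVE-2019-19781", "CVE-2021-40539"}


def load_kev(text):
    """Parse the KEV feed into {cveID: entry}."""
    return {v["cveID"]: v for v in json.loads(text)["vulnerabilities"]}


def add_months(day, months):
    """Calendar-month arithmetic, clamping to the last day of the target month."""
    idx = day.month - 1 + months
    year, month = day.year + idx // 12, idx % 12 + 1
    return dt.date(year, month, min(day.day, calendar.monthrange(year, month)[1]))


def expected_due_date(cve_id, date_added):
    """BOD 22-01 default deadline: six months for CVE IDs assigned before 2021,
    two weeks for all others, counted from the date the entry was added."""
    added = dt.date.fromisoformat(date_added)
    if int(cve_id.split("-")[1]) < 2021:
        return add_months(added, 6).isoformat()
    return (added + dt.timedelta(days=14)).isoformat()


def coverage_gap(kev, scanner_cves):
    """KEV entries the scanner has no signature for: blind spots that a clean
    scan report will never surface."""
    return sorted(cve for cve in kev if cve not in scanner_cves)


def due_date_mismatches(kev):
    """Entries whose catalog dueDate differs from the directive's default rule
    (CISA may set other dates; these deserve a manual look)."""
    return sorted(cve for cve, v in kev.items()
                  if v["dueDate"] != expected_due_date(cve, v["dateAdded"]))


def overdue(kev, today):
    """Entries whose remediation deadline has already passed on `today`."""
    now = dt.date.fromisoformat(today)
    return sorted(cve for cve, v in kev.items()
                  if dt.date.fromisoformat(v["dueDate"]) < now)


def report(kev_json, scanner_cves, today):
    """Combine the three checks into one dict suitable for a ticket or dashboard."""
    kev = load_kev(kev_json)
    return {
        "not_covered_by_scanner": coverage_gap(kev, scanner_cves),
        "overdue": overdue(kev, today),
        "due_date_mismatches": due_date_mismatches(kev),
    }


if __name__ == "__main__":
    print(json.dumps(report(SAMPLE_KEV_JSON, SCANNER_COVERAGE, "2021-11-07"), indent=2))
```

Running it against the real feed means replacing SAMPLE_KEV_JSON with the downloaded catalog and SCANNER_COVERAGE with the CVE list exported from the scanner's knowledge base; anything in not_covered_by_scanner needs a manual check or a different tool, because the scanner cannot tell you about it.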
Off-topic PS: I'm a bit excited that a CVE I reported is on CISA's list :-)