Apache Shiro Vulnerability RCE CVE-2016-4437 - not detected by Qualys and Tenable

Vulnerability-scanning and management is one of the most important topics in IT-security and unfortunately most companies forget or even dont know about it. Recently the US agency CISA published a list of 292 known exploited critical vulnerabilities and a binding operational directive 22-01, which forces US institutions to patch/fix/mitigate the vulnerabilites of the list within 15 or 30 days.

However the vulnerability-scanner-vendors Qualys and Tenable both do not detect the critical rce vulnerability CVE-2016-4437 in apache shiro, or at least not yet:

Both vendors have been contacted, maybe they'll add the signature for the critical vulnerability.

Qualys also has published a dashboard for the binding operational directive 22-01: https://blog.qualys.com/vulnerabilities-threat-research/2021/11/08/qualys-response-to-cisa-alert-binding-operational-directive-22-01


Offtopic PS: I'm a bit excited that a CVE is on the list or CISA, which I reported :-)

No comments:

Post a Comment

Azure Managed Identities (technical service accounts)

Explaination Azure Managed Identities = technical service accounts Password is automatically managed, as it was the case in managed service ...