Spring Cloud版本号由原来的Finchley.SR2替换为Greenwich.SR6
Finchley.SR2对应的spring boot版本为2.0.6.RELEASE,对应spirng版本为5.0.10.RELEASE
Greenwich.SR6对应spring boot版本为2.1.13.RELEASE,对应spirng版本为5.1.14.RELEASE
<spring-boot.version>2.1.13.RELEASE</spring-boot.version>
<org.springframework.cloud.version>Greenwich.SR6</org.springframework.cloud.version>
<!-- spring cloud -->
<dependency>
<groupId>org.springframework.cloud</groupId>
<artifactId>spring-cloud-dependencies</artifactId>
<version>${org.springframework.cloud.version}</version>
<type>pom</type>
<scope>import</scope>
</dependency>
<!--spring boot-->
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-dependencies</artifactId>
<version>${spring-boot.version}</version>
<type>pom</type>
<scope>import</scope>
</dependency>
该版本直接修复了如下漏洞
- FasterXML jackson-databind 2.x logback/JNDI 反序列化漏洞(CVE-2019-14439)
影响版本
jackson-databind < 2.9.9.2
jackson-databind < 2.7.9.6
jackson-databind < 2.8.11.4
jackson-databind < 2.6.7.3
安全版本
jackson-databind >= 2.9.9.2
jackson-databind >= 2.7.9.6
jackson-databind >= 2.8.11.4
jackson-databind >= 2.6.7.3
安全建议
针对使用到jackson-databind组件的web服务升级jackson相关组件至最新版本,下载链接参考:
https://repo1.maven.org/maven2/com/fasterxml/jackson/core/jackson-databind/
- Spring Cloud Config Server 目录遍历漏洞
Spring Cloud Config,2.1.2之前的2.1.x版本,2.0.4之前的版本2.0.x以及1.4.6之前的版本1.4.x以及较旧的不受支持的版本允许应用程序通过spring-cloud-config-server模块提供任意配置文件。恶意用户或攻击者可以使用特殊的URL发送请求,从而导致目录遍历攻击。
- Spring MVC 反射型文件下载漏洞
在Spring Framework中,5.2.3之前的版本5.2.x,5.1.13之前的版本5.1.x,5.0.16之前的版本5.0.x,当应用程序在响应中设置“Content-Disposition”头时,当文件名属性来自用户提供的输入时,它容易受到反射文件下载(RFD)攻击。
Spring Cloud中的Elasticsearch版本由原来的5.6.16升级到了6.4.3
- 修复代码中自定义结果映射类的异常
参照文档进行即可 https://blog.csdn.net/o_o814222198/article/details/119489628 - 更新docker中部署的elasticsearch
//停止并删除原来的容器
//先不挂载映射目录进行运行
docker run --name elasticsearch -p 9200:9200 -p 9300:9300 --restart=always --net esnet --ip 172.18.18.100 -e "discovery.type=single-node" -d elasticsearch:6.4.3
//然后拷贝容器内config,data,logs目录到本地
sudo docker cp elasticsearch:/usr/share/elasticsearch/config /mydata/services/elasticsearch/
sudo docker cp elasticsearch:/usr/share/elasticsearch/data /mydata/services/elasticsearch/
sudo docker cp elasticsearch:/usr/share/elasticsearch/logs /mydata/services/elasticsearch/
//给本地config,data,logs目录授予elasticsearch的权限
sudo chown 1000:1000 -R /mydata/services/elasticsearch/config
sudo chown 1000:1000 -R /mydata/services/elasticsearch/data
sudo chown 1000:1000 -R /mydata/services/elasticsearch/logs
//挂载映射目录运行
docker run --name elasticsearch -p 9200:9200 -p 9300:9300 -v /mydata/services/elasticsearch/config:/usr/share/elasticsearch/config -v /mydata/services/elasticsearch/data:/usr/share/elasticsearch/data -v /mydata/services/elasticsearch/logs:/usr/share/elasticsearch/logs --restart=always --net esnet --ip 172.18.18.100 -e "discovery.type=single-node" -d elasticsearch:6.4.3
然后需要对/mydata/services/elasticsearch/config/elasticsearch.yml文件进行配置
cluster.name: 与自己开发代码里的名称对应上
node.name: es-node1
node.master: true
node.data: true
network.host: 172.18.18.100
network.bind_host: 0.0.0.0
network.publish_host: 172.18.18.100
http.host: 0.0.0.0
http.port: 9200
transport.tcp.port: 9300
http.cors.enabled: true
http.cors.allow-origin: "*"
discovery.zen.ping.unicast.hosts: ["172.18.18.100:9300"]
discovery.zen.minimum_master_nodes: 1
启动服务报如下错误
Description:
The bean 'xxxxxx.FeignClientSpecification', defined in null, could not be registered. A bean with that name has already been defined in null and overriding is disabled.
Action:
Consider renaming one of the beans or enabling overriding by setting spring.main.allow-bean-definition-overriding=true
解决方案就是为每个Client手动指定不同的contextId
原因详细参照文档 http://www.imooc.com/article/details/id/299213
然后又遇到guava版本冲突的问题
***************************
APPLICATION FAILED TO START
***************************
Description:
An attempt was made to call a method that does not exist. The attempt was made from the following location:
springfox.documentation.spring.web.scanners.ApiListingScanner.scan(ApiListingScanner.java:117)
The following method did not exist:
com.google.common.collect.FluentIterable.append(Ljava/lang/Iterable;)Lcom/google/common/collect/FluentIterable;
The method's class, com.google.common.collect.FluentIterable, is available from the following locations:
jar:file:/D:/Repositorys/Maven/com/google/guava/guava/15.0/guava-15.0.jar!/com/google/common/collect/FluentIterable.class
It was loaded from the following location:
file:/D:/Repositorys/Maven/com/google/guava/guava/15.0/guava-15.0.jar
Action:
Correct the classpath of your application so that it contains a single, compatible version of com.google.common.collect.FluentIterable
原因如图,存在多个组件引用多个不同版本,实际使用的版本是15.0,导致其他地方使用不兼容
解决方案,手动配置guava的引入,统一版本
<!--指定guava的版本,解决各组件引用不同版本引发的冲突-->
<dependencyManagement>
<dependencies>
<dependency>
<groupId>com.google.guava</groupId>
<artifactId>guava</artifactId>
<version>20.0</version>
<scope>compile</scope>
</dependency>
</dependencies>
</dependencyManagement>
修复poi相关漏洞
<poi.version>4.1.2</poi.version>
<!-- https://mvnrepository.com/artifact/org.apache.poi/poi -->
<dependency>
<groupId>org.apache.poi</groupId>
<artifactId>poi</artifactId>
<version>${poi.version}</version>
</dependency>
<dependency>
<groupId>org.apache.poi</groupId>
<artifactId>poi-ooxml</artifactId>
<version>${poi.version}</version>
</dependency>
<dependency>
<groupId>org.apache.poi</groupId>
<artifactId>poi-scratchpad</artifactId>
<version>${poi.version}</version>
</dependency>
升级版本后原来使用Cell.CELL_TYPE_NUMERIC等相关静态变量的地方需要调整为CellType.NUMERIC枚举的形式
修复log4j2相关漏洞
<log4j2.version>2.17.0</log4j2.version>
<!--升级log4j版本,修复其相关漏洞-->
<dependency>
<groupId>org.apache.logging.log4j</groupId>
<artifactId>log4j-api</artifactId>
<version>${log4j2.version}</version>
</dependency>
<dependency>
<groupId>org.apache.logging.log4j</groupId>
<artifactId>log4j-to-slf4j</artifactId>
<version>${log4j2.version}</version>
</dependency>
修复xstream相关漏洞
<xstream.version>1.4.19</xstream.version>
<dependency>
<groupId>com.thoughtworks.xstream</groupId>
<artifactId>xstream</artifactId>
<version>${xstream.version}</version>
</dependency>
修复zipkin中相关漏洞
将zipkin升级到最新版本2.23.16,
docker run --name zipkin -p 9411:9411 --restart=always -d openzipkin/zipkin:2.23.16
但该最新版中spring boot版本为2.4.13,spring版本为5.3.7,仍然有Spring Framework JDK >= 9 远程代码执行漏洞(CVE-2022-22965)漏洞
截止2022年3月31日,官方已发布安全版本5.3.18/5.2.20修复该漏洞。
(一) WAF 防护
在 WAF 等网络防护设备上,根据实际部署业务的流量情况,实现对"class.“,“Class.“,“.class.“,“.Class.*“等字符串的规则过滤,并在部署过滤规则后,对业务运行情况进行测试,避免产生额外影响。
(二) 临时修复措施(未验证,慎用)
可按照以下措施进行缓解,两步需同时进行,且使用时请根据自身业务情况进行调整:
1、在应用中全局搜索@InitBinder注解,看看方法体内是否调用dataBinder.setDisallowedFields方法,如果发现此代码片段的引入,则在原来的黑名单中,添加{“class.“,“Class. “,“. class.“, “.Class.“}。 (注:如果此代码片段使用较多,需要每个地方都追加)
2、在应用系统的项目包下新建以下全局类,并保证这个类被Spring 加载到(推荐在Controller 所在的包中添加).完成类添加后,需对项目进行重新编译打包和功能验证测试。并重新发布项目。
import org.springframework.core.annotation.Order;
import org.springframework.web.bind.WebDataBinder;
import org.springframework.web.bind.annotation.ControllerAdvice;
import org.springframework.web.bind.annotation.InitBinder;
@ControllerAdvice
@Order(10000)
public class GlobalControllerAdvice{
@InitBinder
public void setAllowedFields(webdataBinder dataBinder){
String[]abd=new string[]{"class.*","Class.*","*.class.*","*.Class.*"};
dataBinder.setDisallowedFields(abd);
}
}
(三) 升级官方安全版本 >= 5.3.18/5.2.20
mybatis漏洞修复
<!-- mybatis -->
<dependency>
<groupId>org.mybatis.spring.boot</groupId>
<artifactId>mybatis-spring-boot-starter</artifactId>
<version>2.1.4</version>//对应的mybatis版本为3.5.6
</dependency>
druid升级
<druid.version>1.1.24</druid.version>
<!-- druid 升级mybatis到3.5.6,druid也要升级到1.1.24 -->
<dependency>
<groupId>com.alibaba</groupId>
<artifactId>druid-spring-boot-starter</artifactId>
<version>${druid.version}</version>
</dependency>
原因:由于Druid的1.1.17版本不支持JDBC 4.1及以上版本,所以LocalDate, LocalTime和数据库DATE之间转换会报SQLFeatureNotSupportedException异常。我升级到1.1.18还是没能解决,1.1.24可以。