Upgrading Spring Cloud from Finchley.SR2 to Greenwich.SR6

The Spring Cloud version is changed from Finchley.SR2 to Greenwich.SR6.
Finchley.SR2 corresponds to Spring Boot 2.0.6.RELEASE and Spring Framework 5.0.10.RELEASE.
Greenwich.SR6 corresponds to Spring Boot 2.1.13.RELEASE and Spring Framework 5.1.14.RELEASE.

    <spring-boot.version>2.1.13.RELEASE</spring-boot.version>
    <org.springframework.cloud.version>Greenwich.SR6</org.springframework.cloud.version>

        <!-- spring cloud -->
        <dependency>
            <groupId>org.springframework.cloud</groupId>
            <artifactId>spring-cloud-dependencies</artifactId>
            <version>${org.springframework.cloud.version}</version>
            <type>pom</type>
            <scope>import</scope>
        </dependency>

        <!-- spring boot -->
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-dependencies</artifactId>
            <version>${spring-boot.version}</version>
            <type>pom</type>
            <scope>import</scope>
        </dependency>

This version directly fixes the following vulnerabilities:

  • FasterXML jackson-databind 2.x logback/JNDI deserialization vulnerability (CVE-2019-14439)
    Affected versions:
      jackson-databind < 2.9.9.2
      jackson-databind < 2.7.9.6
      jackson-databind < 2.8.11.4
      jackson-databind < 2.6.7.3
    Safe versions:
      jackson-databind >= 2.9.9.2
      jackson-databind >= 2.7.9.6
      jackson-databind >= 2.8.11.4
      jackson-databind >= 2.6.7.3
    Security advice:
      For web services that use the jackson-databind component, upgrade the jackson components to the latest version; download link for reference:
      https://repo1.maven.org/maven2/com/fasterxml/jackson/core/jackson-databind/
  • Spring Cloud Config Server directory traversal vulnerability
    Spring Cloud Config versions 2.1.x prior to 2.1.2, 2.0.x prior to 2.0.4, 1.4.x prior to 1.4.6, and older unsupported versions allow applications to serve arbitrary configuration files through the spring-cloud-config-server module. A malicious user or attacker can send requests with specially crafted URLs, resulting in a directory traversal attack.
  • Spring MVC reflected file download vulnerability
    In Spring Framework versions 5.2.x prior to 5.2.3, 5.1.x prior to 5.1.13, and 5.0.x prior to 5.0.16, an application is vulnerable to a reflected file download (RFD) attack when it sets a "Content-Disposition" header in the response and the filename attribute is derived from user-supplied input.

The Elasticsearch version used with Spring Cloud is upgraded from 5.6.16 to 6.4.3.

# stop and remove the previous container
docker stop elasticsearch && docker rm elasticsearch

# first run the new image without mounting the mapped directories
docker run --name elasticsearch -p 9200:9200 -p 9300:9300 --restart=always --net esnet --ip 172.18.18.100 -e "discovery.type=single-node" -d elasticsearch:6.4.3

# then copy the config, data and logs directories from the container to the host
sudo docker cp elasticsearch:/usr/share/elasticsearch/config /mydata/services/elasticsearch/
sudo docker cp elasticsearch:/usr/share/elasticsearch/data /mydata/services/elasticsearch/
sudo docker cp elasticsearch:/usr/share/elasticsearch/logs /mydata/services/elasticsearch/

# give the elasticsearch user inside the image (uid/gid 1000) ownership of the host config, data and logs directories
sudo chown -R 1000:1000 /mydata/services/elasticsearch/config
sudo chown -R 1000:1000 /mydata/services/elasticsearch/data
sudo chown -R 1000:1000 /mydata/services/elasticsearch/logs

# remove the temporary container so the name can be reused, then run with the mapped directories mounted
docker rm -f elasticsearch
docker run --name elasticsearch -p 9200:9200 -p 9300:9300 -v /mydata/services/elasticsearch/config:/usr/share/elasticsearch/config -v /mydata/services/elasticsearch/data:/usr/share/elasticsearch/data -v /mydata/services/elasticsearch/logs:/usr/share/elasticsearch/logs --restart=always --net esnet --ip 172.18.18.100 -e "discovery.type=single-node" -d elasticsearch:6.4.3

Then the file /mydata/services/elasticsearch/config/elasticsearch.yml needs to be configured:

cluster.name: <your-cluster-name>   # must match the cluster name configured in your application code
node.name: es-node1
node.master: true
node.data: true
network.host: 172.18.18.100
network.bind_host: 0.0.0.0
network.publish_host: 172.18.18.100
http.host: 0.0.0.0
http.port: 9200
transport.tcp.port: 9300
http.cors.enabled: true
http.cors.allow-origin: "*"   # any browser origin may call the REST API; restrict this outside of development
discovery.zen.ping.unicast.hosts: ["172.18.18.100:9300"]
discovery.zen.minimum_master_nodes: 1

Starting the service then reported the following error:

Description:
The bean 'xxxxxx.FeignClientSpecification', defined in null, could not be registered. A bean with that name has already been defined in null and overriding is disabled.
Action:
Consider renaming one of the beans or enabling overriding by setting spring.main.allow-bean-definition-overriding=true

The solution is to manually give each Feign client a distinct contextId.
For a detailed explanation of the cause see http://www.imooc.com/article/details/id/299213
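As an added illustration (not code from the original post), two Feign clients for the same hypothetical service "user-service" are given distinct contextId values so that each registers its own FeignClientSpecification bean:

```java
import org.springframework.cloud.openfeign.FeignClient;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestBody;

// Both clients talk to the same service ("user-service" is a hypothetical name).
// Under Greenwich every @FeignClient registers a "<contextId>.FeignClientSpecification"
// bean, and contextId defaults to name. Spring Boot 2.1 disables bean definition
// overriding, so two clients sharing a name collide unless their contextId differs.
@FeignClient(name = "user-service", contextId = "userQueryClient", path = "/users")
interface UserQueryClient {
    @GetMapping("/{id}")
    UserDto findById(@PathVariable("id") long id);
}

@FeignClient(name = "user-service", contextId = "userAdminClient", path = "/admin/users")
interface UserAdminClient {
    @PostMapping
    UserDto create(@RequestBody UserDto user);
}

// Minimal DTO so the example compiles on its own.
class UserDto {
    public long id;
    public String name;
}
```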


Next I ran into a guava version conflict:

***************************
APPLICATION FAILED TO START
***************************

Description:

An attempt was made to call a method that does not exist. The attempt was made from the following location:

    springfox.documentation.spring.web.scanners.ApiListingScanner.scan(ApiListingScanner.java:117)

The following method did not exist:

    com.google.common.collect.FluentIterable.append(Ljava/lang/Iterable;)Lcom/google/common/collect/FluentIterable;

The method's class, com.google.common.collect.FluentIterable, is available from the following locations:

    jar:file:/D:/Repositorys/Maven/com/google/guava/guava/15.0/guava-15.0.jar!/com/google/common/collect/FluentIterable.class

It was loaded from the following location:

    file:/D:/Repositorys/Maven/com/google/guava/guava/15.0/guava-15.0.jar


Action:

Correct the classpath of your application so that it contains a single, compatible version of com.google.common.collect.FluentIterable

The cause, as shown in the figure: several components pull in different guava versions; the version actually resolved is 15.0, which lacks methods used elsewhere.

Solution: declare guava explicitly and pin a single version.

    <!-- pin the guava version to resolve conflicts between components that reference different versions -->
    <dependencyManagement>
        <dependencies>
            <dependency>
                <groupId>com.google.guava</groupId>
                <artifactId>guava</artifactId>
                <version>20.0</version>
                <scope>compile</scope>
            </dependency>
        </dependencies>
    </dependencyManagement>

Fixing POI-related vulnerabilities

    <poi.version>4.1.2</poi.version>

        <!-- https://mvnrepository.com/artifact/org.apache.poi/poi -->
        <dependency>
            <groupId>org.apache.poi</groupId>
            <artifactId>poi</artifactId>
            <version>${poi.version}</version>
        </dependency>
        <dependency>
            <groupId>org.apache.poi</groupId>
            <artifactId>poi-ooxml</artifactId>
            <version>${poi.version}</version>
        </dependency>
        <dependency>
            <groupId>org.apache.poi</groupId>
            <artifactId>poi-scratchpad</artifactId>
            <version>${poi.version}</version>
        </dependency>

After the upgrade, code that used static constants such as Cell.CELL_TYPE_NUMERIC must be changed to the CellType.NUMERIC enum form.
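As an added example (not code from the original post), a cell-to-text helper in the POI 4.1.2 form, with the pre-upgrade form shown in a comment; asText is a hypothetical helper name:

```java
import org.apache.poi.ss.usermodel.Cell;
import org.apache.poi.ss.usermodel.CellType;
import org.apache.poi.ss.usermodel.DateUtil;

public final class CellValues {

    // POI 3.x form that no longer compiles against 4.1.2, where getCellType() returned an int:
    //   switch (cell.getCellType()) { case Cell.CELL_TYPE_NUMERIC: ... case Cell.CELL_TYPE_STRING: ... }
    // In 4.1.2 getCellType() returns the CellType enum, so the switch uses its constants directly.
    public static String asText(Cell cell) {
        if (cell == null) {
            return "";
        }
        switch (cell.getCellType()) {
            case STRING:
                return cell.getStringCellValue();
            case NUMERIC:
                // numeric cells carry dates too; distinguish them by the cell's date format
                if (DateUtil.isCellDateFormatted(cell)) {
                    return cell.getDateCellValue().toString();
                }
                return String.valueOf(cell.getNumericCellValue());
            case BOOLEAN:
                return String.valueOf(cell.getBooleanCellValue());
            case FORMULA:
                // returns the formula text; use a FormulaEvaluator if the computed value is needed
                return cell.getCellFormula();
            case BLANK:
            case ERROR:
            case _NONE:
            default:
                return "";
        }
    }
}
```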


Fixing log4j2-related vulnerabilities

    <log4j2.version>2.17.0</log4j2.version>

        <!-- upgrade the log4j version to fix its vulnerabilities -->
        <dependency>
            <groupId>org.apache.logging.log4j</groupId>
            <artifactId>log4j-api</artifactId>
            <version>${log4j2.version}</version>
        </dependency>

        <dependency>
            <groupId>org.apache.logging.log4j</groupId>
            <artifactId>log4j-to-slf4j</artifactId>
            <version>${log4j2.version}</version>
        </dependency>

Fixing xstream-related vulnerabilities

		<xstream.version>1.4.19</xstream.version>

		<dependency>
			<groupId>com.thoughtworks.xstream</groupId>
			<artifactId>xstream</artifactId>
			<version>${xstream.version}</version>
		</dependency>

Fixing vulnerabilities in zipkin
Upgrade zipkin to the latest version, 2.23.16:
docker run --name zipkin -p 9411:9411 --restart=always -d openzipkin/zipkin:2.23.16
However, this latest version bundles Spring Boot 2.4.13 and Spring Framework 5.3.7, which are still affected by the Spring Framework JDK >= 9 remote code execution vulnerability (CVE-2022-22965).

As of 31 March 2022, the official safe versions 5.3.18/5.2.20 that fix this vulnerability have been released.

(1) WAF protection
On the WAF or similar network protection devices, add filtering rules for the strings "class.*", "Class.*", "*.class.*" and "*.Class.*" according to the actual traffic of the deployed services, and after deploying the rules test the services to make sure there are no side effects.

(2) Temporary mitigation (unverified, use with caution)

The following measures can be used for mitigation; both steps must be done together, and they should be adjusted to your own application:

1. Search the whole application for the @InitBinder annotation and check whether the method body calls dataBinder.setDisallowedFields. Where it does, add {"class.*", "Class.*", "*.class.*", "*.Class.*"} to the existing blacklist. (Note: if this code pattern occurs in several places, each of them must be updated.)

2. Create the following global class under the application's package and make sure it is loaded by Spring (it is recommended to put it in the package containing the Controllers). After adding the class, rebuild and repackage the project, run functional tests, and redeploy.

    import org.springframework.core.annotation.Order;
    import org.springframework.web.bind.WebDataBinder;
    import org.springframework.web.bind.annotation.ControllerAdvice;
    import org.springframework.web.bind.annotation.InitBinder;

    @ControllerAdvice
    @Order(10000)
    public class GlobalControllerAdvice {
        @InitBinder
        public void setAllowedFields(WebDataBinder dataBinder) {
            // reject binding to any property path that goes through "class"/"Class"
            String[] abd = new String[] {"class.*", "Class.*", "*.class.*", "*.Class.*"};
            dataBinder.setDisallowedFields(abd);
        }
    }
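An added check (not from the original post) that the disallowed-field patterns from step 2 really suppress a nested "class." property during binding while a legitimate field still binds; Target is a constructed sample command object and patternsBlockClassFields is a hypothetical helper name:

```java
import java.util.Arrays;
import java.util.List;
import org.springframework.beans.MutablePropertyValues;
import org.springframework.web.bind.WebDataBinder;

public final class DisallowedFieldsCheck {

    // Constructed sample command object. Every Java object also exposes a readable
    // "class" property, which is what the disallowed patterns are meant to fence off.
    public static class Target {
        private String name;
        public String getName() { return name; }
        public void setName(String name) { this.name = name; }
    }

    // Applies the same patterns as GlobalControllerAdvice, binds one legitimate field plus
    // one nested "class." field, and returns true only if the nested field was suppressed
    // and the legitimate field was still bound.
    public static boolean patternsBlockClassFields() {
        Target target = new Target();
        WebDataBinder binder = new WebDataBinder(target);
        binder.setDisallowedFields("class.*", "Class.*", "*.class.*", "*.Class.*");

        MutablePropertyValues pvs = new MutablePropertyValues();
        pvs.add("name", "alice");          // legitimate field
        pvs.add("class.name", "ignored");  // nested property reached via getClass(); must be dropped
        binder.bind(pvs);

        List<String> suppressed = Arrays.asList(binder.getBindingResult().getSuppressedFields());
        return suppressed.contains("class.name")
                && !suppressed.contains("name")
                && "alice".equals(target.getName());
    }

    public static void main(String[] args) {
        System.out.println("disallowed patterns effective: " + patternsBlockClassFields());
    }
}
```

Run it against the application's actual Spring Framework version; a false result means the patterns are not being applied to the binder in question.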
(3) Upgrade to an official safe version >= 5.3.18/5.2.20

Fixing the mybatis vulnerability

        <!-- mybatis (starter 2.1.4 corresponds to mybatis 3.5.6) -->
        <dependency>
            <groupId>org.mybatis.spring.boot</groupId>
            <artifactId>mybatis-spring-boot-starter</artifactId>
            <version>2.1.4</version>
        </dependency>

Upgrading druid

    <druid.version>1.1.24</druid.version>

        <!-- druid: after upgrading mybatis to 3.5.6, druid must also be upgraded to 1.1.24 -->
        <dependency>
            <groupId>com.alibaba</groupId>
            <artifactId>druid-spring-boot-starter</artifactId>
            <version>${druid.version}</version>
        </dependency>

Reason: Druid 1.1.17 does not support JDBC 4.1 or later, so conversions between LocalDate/LocalTime and the database DATE type throw SQLFeatureNotSupportedException. Upgrading to 1.1.18 still did not resolve it; 1.1.24 does.

posted @ 2022-05-11 20:38  fortuneju  views (422)  comments (0)