Struts升级到2.3.15.1抵抗漏洞

后知后觉，今天才开始修复Struts2的漏洞

详细情形可以参考：

http://struts.apache.org/release/2.3.x/docs/security-bulletins.html

 

 

本次的升级是把struts2.3.1.2升级到2.3.15.1

全部更新：

​

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40

两个版本相同的： aopalliance-1.0.jar asm-commons-3.3.jar asm-tree-3.3.jar commons-logging-api-1.1.jar ezmorph-1.0.6.jar guava-r09.jar stax2-api-3.1.1.jar xml-resolver-1.2.jar    替换(**为补丁需要替换的)： asm-3.3.jar -> asm-3.2.jar ** commons-fileupload-1.3.jar -> commons-fileupload-1.2.2.jar commons-io-2.0.1.jar -> commons-io-1.4.jar ** add  commons-lang3-3.1.jar   commons-logging-1.1.3.jar -> commons-logging-1.1.1.jar cxf-api-2.7.4.jar -> cxf-api-2.5.0.jar cxf-rt-bindings-soap-2.7.4.jar -> cxf-rt-bindings-soap-2.5.0.jar cxf-rt-bindings-xml-2.7.4.jar -> cxf-rt-bindings-xml-2.5.0.jar cxf-rt-core-2.7.4.jar -> cxf-rt-core-2.5.0.jar cxf-rt-databinding-jaxb-2.7.4.jar -> cxf-rt-databinding-jaxb-2.5.0.jar cxf-rt-frontend-jaxws-2.7.4.jar -> cxf-rt-frontend-jaxws-2.5.0.jar cxf-rt-frontend-simple-2.7.4.jar -> cxf-rt-frontend-simple-2.5.0.jar cxf-rt-transports-http-2.7.4.jar -> cxf-rt-transports-http-2.5.0.jar cxf-rt-ws-addr-2.7.4.jar -> cxf-rt-ws-addr-2.5.0.jar freemarker-2.3.19.jar -> freemarker-2.3.16.jar jackson-core-asl-1.9.2.jar -> jackson-core-asl-1.6.0.jar jackson-mapper-asl-1.9.2.jar -> jackson-mapper-asl-1.6.0.jar    neethi-3.0.2.jar -> neethi-3.0.1.jar ** ognl-3.0.6.jar -> ognl-3.0.4.jar ** struts2-convention-plugin-2.3.15.1.jar -> struts2-convention-plugin-2.3.1.2.jar ** struts2-core-2.3.15.1.jar -> struts2-core-2.3.1.2.jar    ** struts2-jfreechart-plugin-2.3.1.2.jar -> struts2-jfreechart-plugin-2.3.15.1.jar ** struts2-spring-plugin-2.3.1.2.jar -> struts2-spring-plugin-2.3.15.1.jar woodstox-core-asl-4.2.0.jar -> woodstox-core-asl-4.1.1.jar wsdl4j-1.6.3.jar -> wsdl4j-1.6.2.jar xmlschema-core-2.0.3.jar -> xmlschema-core-2.0.1.jar ** xwork-core-2.3.15.1.jar -> xwork-core-2.3.1.2.jar

 

如果只针对修复漏洞，只需要更新

1 2 3 4 5 6 7 8 9 10

替换 ** commons-fileupload-1.3.jar -> commons-fileupload-1.2.2.jar ** ognl-3.0.6.jar -> ognl-3.0.4.jar ** struts2-convention-plugin-2.3.15.1.jar -> struts2-convention-plugin-2.3.1.2.jar ** struts2-core-2.3.15.1.jar -> struts2-core-2.3.1.2.jar ** struts2-jfreechart-plugin-2.3.1.2.jar -> struts2-jfreechart-plugin-2.3.15.1.jar ** struts2-spring-plugin-2.3.1.2.jar -> struts2-spring-plugin-2.3.15.1.jar ** xwork-core-2.3.15.1.jar -> xwork-core-2.3.1.2.jar 增加 ** add  commons-lang3-3.1.jar

如果web.xml引用到

 ActionContextCleanUp，还会恶心的报这个Warning!!!!!!!

1 2 3 4 5 6 7 8 9 10 11

*************************************************************************** *                                 WARNING!!!                              * *                                                                         * * >>> ActionContextCleanUp <<< is deprecated! Please use the new filters! * *                                                                         * *             This can be a source of unpredictable problems!             * *                                                                         * *                Please refer to the docs for more details!               * *              http://struts.apache.org/2.x/docs/webxml.html              * *                                                                         * ***************************************************************************

为了清净我们的耳目，只能把ActionContextCleanUp的配置清除掉

 

1 2 3 4

<filter>  <filter-name>struts2CleanupFilter</filter-name>   <filter-class>org.apache.struts2.dispatcher.ActionContextCleanUp</filter-class> </filter>

可以替换成另外的实现

1 2 3 4

<filter>    <filter-name>StrutsPrepareFilter</filter-name>    <filter-class>org.apache.struts2.dispatcher.ng.filter.StrutsPrepareFilter</filter-class> </filter>

 

 DONE！

来自为知笔记(Wiz)