Update
This issue is now assigned to CVE-2022-22965. Other than the nice answers below, please do check Spring Framework RCE: Early Announcement, as it is the most reliable and up-to-date site for this issue.
According to different sources, it seems we have a serious security issue when using the Spring Core library.
Quoting from the above link, we are at risk if:
- You use a Spring app (up to and including version 5.3.17)
- Your app runs on Java 9+
- You use form binding with name=value pairs, not Spring's more popular message conversion of JSON/XML
- You don't use an allowlist, OR you don't have a denylist that blocks fields like "class", "module", "classLoader"
The link suggests some solutions, but they don't seem easy to implement or reliable.
What should we do to fix this issue in the easiest and most reliable way?
According to the Spring Framework RCE: Early Announcement, upgrading to Spring Framework 5.3.18 or 5.2.20 will fix the RCE.
If you use Spring Boot, Spring Boot 2.5.12 and Spring Boot 2.6.6 fix the vulnerability.
If you're unable to update:
You can choose to only upgrade Tomcat. The Apache Tomcat team has released versions 10.0.20, 9.0.62, and 8.5.78, all of which close the attack vector on Tomcat's side.
If you can't do any of the above, the RCE announcement blog post suggests a workaround: set disallowedFields on WebDataBinder through an @ControllerAdvice. This quick fix will not work if a controller sets disallowedFields locally through its own @InitBinder method, which overrides the global setting. Also, more generally, the workaround will not have an effect if you use alternate REST frameworks such as Jersey (however, it has not yet been demonstrated that such configurations are impacted).
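The @ControllerAdvice workaround described in this answer, written out as an added example (not code from the original post or from the Spring project); the four denylist patterns are the ones Spring's announcement uses, and OrderController, OrderForm and the /orders mapping are assumed names added to show the local-@InitBinder caveat:

```java
import org.springframework.core.Ordered;
import org.springframework.core.annotation.Order;
import org.springframework.web.bind.WebDataBinder;
import org.springframework.web.bind.annotation.ControllerAdvice;
import org.springframework.web.bind.annotation.InitBinder;
import org.springframework.web.bind.annotation.ModelAttribute;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RestController;

// Global mitigation: this @InitBinder runs for every controller's WebDataBinder.
@ControllerAdvice
@Order(Ordered.LOWEST_PRECEDENCE)
public class BinderControllerAdvice {

    // Denylist patterns from Spring's published workaround. Both "class.*" and
    // "Class.*" are listed because disallowedFields matching is case-sensitive
    // in the affected 5.3.17 release, so a single pattern would not cover both.
    static final String[] DENYLIST = {"class.*", "Class.*", "*.class.*", "*.Class.*"};

    @InitBinder
    public void setDisallowedFields(WebDataBinder dataBinder) {
        dataBinder.setDisallowedFields(DENYLIST);
    }
}

// Hypothetical controller illustrating the caveat in the answer: a controller
// that customises its own binder overrides the global setting, so it must
// re-apply the denylist (an allowlist of the form's real fields is stricter still).
@RestController
class OrderController {

    @InitBinder
    void localBinder(WebDataBinder binder) {
        binder.setAllowedFields("item", "quantity");            // only expected fields
        binder.setDisallowedFields(BinderControllerAdvice.DENYLIST); // keep global denylist
    }

    @PostMapping("/orders")
    String create(@ModelAttribute OrderForm form) {
        return "ordered " + form.getQuantity() + " x " + form.getItem();
    }
}

// Assumed form object bound from name=value pairs.
class OrderForm {
    private String item;
    private int quantity;
    public String getItem() { return item; }
    public void setItem(String item) { this.item = item; }
    public int getQuantity() { return quantity; }
    public void setQuantity(int quantity) { this.quantity = quantity; }
}
```

As the answer notes, this only reduces exposure through Spring's WebDataBinder; the real fix remains upgrading to Spring Framework 5.3.18 / 5.2.20 or the patched Spring Boot releases.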
Note: A Spring upgrade is still needed later on, as the vulnerability is not in Tomcat. Temporary workaround: upgrade Tomcat to 10.0.20, 9.0.62, or 8.5.78.
Spring Reference