Yesterday, after the post "Spring Officially Announces Admitting Big Vulnerabilities in Internet Transmission and Provides Solutions" went out, several members of our group asked the same question: our Spring version is relatively old, what should we do? That is a good question, so DD is taking it up on its own today.

After this RCE vulnerability was announced, the main official remedy is to upgrade, but patched releases are only provided for Spring Framework 5.2 and 5.3 and for Spring Boot 2.5 and 2.6.

So what about users who are still on Spring 5.0, 5.1 or even Spring 4.x, or on Spring Boot 1.x, 2.4 and below?

The first method

The official post gives a workaround that extends RequestMappingHandlerAdapter, together with a version of it wired up for Spring MVC under Spring Boot. For WebFlux it can be adapted with small changes. If the project is not Spring Boot, however, the way the bean is registered has to be changed as well.

import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;

import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.boot.autoconfigure.web.servlet.WebMvcRegistrations; // Spring Boot 2.x package
import org.springframework.context.annotation.Bean;
import org.springframework.web.bind.ServletRequestDataBinder;
import org.springframework.web.context.request.NativeWebRequest;
import org.springframework.web.method.annotation.InitBinderDataBinderFactory;
import org.springframework.web.method.support.InvocableHandlerMethod;
import org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter;
import org.springframework.web.servlet.mvc.method.annotation.ServletRequestDataBinderFactory;

@SpringBootApplication
public class MyApp {

    public static void main(String[] args) {
        // The original snippet passed CarApp.class here; the application class is MyApp.
        SpringApplication.run(MyApp.class, args);
    }

    // Replace the auto-configured RequestMappingHandlerAdapter with the extended one below.
    @Bean
    public WebMvcRegistrations mvcRegistrations() {
        return new WebMvcRegistrations() {
            @Override
            public RequestMappingHandlerAdapter getRequestMappingHandlerAdapter() {
                return new ExtendedRequestMappingHandlerAdapter();
            }
        };
    }

    private static class ExtendedRequestMappingHandlerAdapter extends RequestMappingHandlerAdapter {

        @Override
        protected InitBinderDataBinderFactory createDataBinderFactory(List<InvocableHandlerMethod> methods) {

            return new ServletRequestDataBinderFactory(methods, getWebBindingInitializer()) {

                @Override
                protected ServletRequestDataBinder createBinderInstance(
                        Object target, String name, NativeWebRequest request) throws Exception {

                    ServletRequestDataBinder binder = super.createBinderInstance(target, name, request);
                    // Keep any disallowed fields already configured and append the "class" patterns,
                    // so request parameters such as class.module.classLoader.* are never bound.
                    String[] fields = binder.getDisallowedFields();
                    List<String> fieldList = new ArrayList<>(fields != null ? Arrays.asList(fields) : Collections.emptyList());
                    fieldList.addAll(Arrays.asList("class.*", "Class.*", "*.class.*", "*.Class.*"));
                    binder.setDisallowedFields(fieldList.toArray(new String[0]));
                    return binder;
                }
            };
        }
    }
}

This requires changing code, and honestly I think it is still a bit troublesome: if you are not familiar with the Spring mechanism involved, you may run into quite a few problems. So let's talk about a more convenient method, which is also the one I recommend for old projects.
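For comparison, here is the same deny list applied through a global @ControllerAdvice with an @InitBinder method. This is an added example, not code from the post above or from the Spring project; it needs no custom RequestMappingHandlerAdapter, so the wiring is the same in plain Spring MVC and in Spring Boot, and the class name BinderControllerAdvice is an assumption.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

import org.springframework.web.bind.WebDataBinder;
import org.springframework.web.bind.annotation.ControllerAdvice;
import org.springframework.web.bind.annotation.InitBinder;

// Added example (hypothetical class name): applies to every controller in the context.
@ControllerAdvice
public class BinderControllerAdvice {

    // Same patterns as the official workaround: block binding into any "class"/"Class"
    // property path, at the top level or nested.
    private static final String[] DENY_LIST = {"class.*", "Class.*", "*.class.*", "*.Class.*"};

    @InitBinder
    public void denyClassFields(WebDataBinder binder) {
        // Merge with anything already configured rather than replacing it,
        // because setDisallowedFields overwrites the previous array.
        String[] existing = binder.getDisallowedFields();
        List<String> merged = new ArrayList<>();
        if (existing != null) {
            merged.addAll(Arrays.asList(existing));
        }
        merged.addAll(Arrays.asList(DENY_LIST));
        binder.setDisallowedFields(merged.toArray(new String[0]));
    }
}
```

Caveat: a controller's own @InitBinder method runs after the advice, so any controller that calls setDisallowedFields with its own list silently replaces this deny list, which is why the RequestMappingHandlerAdapter approach above is the more robust of the two.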

The second method

The second method is about circumvention. What does circumvention mean here? It means making adjustments based on the conditions under which this vulnerability can be exploited.

For example, the conditions for this vulnerability are:

  • JDK 9+
  • Deployed on Apache Tomcat
  • Packaged as a WAR
  • Depends on spring-webmvc or spring-webflux

Then I can choose to break one of these conditions to prevent exploitation, for example:

  • Downgrade to JDK 8
  • Deploy on Undertow instead of Tomcat
  • If it is an early Spring Boot project, you can also change the packaging to a JAR and run it that way, which avoids the WAR-on-Tomcat condition.

In addition, DD has noticed that Tomcat also released an updated version after this vulnerability, so if you deploy as a WAR, downloading the latest Tomcat version directly is another good choice.

Well, that is it for today's sharing. On the one hand it answers the questions from the group; on the other hand it is also a way of thinking about problems. Sometimes when we hit a hard obstacle we do not have to force our way through it, and solving it from a different direction may be more cost-effective. If you found today's sharing worthwhile, please like it, mark it as read, and forward it to your friends.

Welcome to follow my public account, Programmer DD: be the first to learn about industry news, share in-depth technical content, and get quality learning resources.

Programmer DD (程序猿DD)

Works: 《Spring Cloud微服务实战》 (Spring Cloud Microservices in Action), the SpringForAll community, OpenWrite, YouTube Chinese dubbing