Vulnerability
1. Investigation method
1.1. Locate the project folder
Write the full list of dependency jars to jarlist.txt in one go:
# cd prj-a
prj-a# mvn dependency:tree -DoutputFile=jarlist.txt
1.2. In jarlist.txt, replace in turn "+-" followed by a space, "-" followed by a space, "|" followed by a space, and the remaining spaces with nothing, and replace ":" with ",", then save the file as a CSV file.
2. For each jar listed in the CSV file, look up existing vulnerability reports at the following site.
3. Security risks
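Doing the replacements of step 1.2 by hand is tedious and error-prone on a project with many dependencies. The script below is an added example and is not part of the original post: it applies the same transformation with sed to a constructed sample of dependency:tree output (the SAMPLE_TREE lines and the helper names tree_to_csv, csv_row and version_of are this example's own, not anything from the project), adds a header row, and pulls out the version of a single artifactId so the row can be pasted straight into the vulnerability search.

```shell
#!/bin/sh
# Added example (not from the original post): turn the text written by
# `mvn dependency:tree -DoutputFile=jarlist.txt` into the CSV described in
# step 1.2. The tree glyphs "+- ", "\- " and "|  " are stripped and the ":"
# separators become ",".

# Constructed sample of dependency:tree output; not captured from a real build.
SAMPLE_TREE='com.example:prj-a:jar:1.0.0
+- org.springframework.boot:spring-boot-starter-security:jar:2.3.5.RELEASE:compile
|  +- org.springframework.security:spring-security-core:jar:5.3.5.RELEASE:compile
|  \- org.springframework.security:spring-security-web:jar:5.3.5.RELEASE:compile
\- org.mybatis.spring.boot:mybatis-spring-boot-starter:jar:2.1.3:compile
   \- org.mybatis:mybatis:jar:3.5.5:compile'

# tree_to_csv: read dependency:tree text on stdin, write CSV on stdout.
# The first output line is a header. The first tree line (the project
# itself) is dropped because it has no scope column. Every leading
# non-alphanumeric character is a tree glyph or indentation, so one
# substitution removes "+- ", "\- ", "|  " and the spaces in one pass.
tree_to_csv() {
  echo 'groupId,artifactId,type,version,scope'
  sed -e '1d' \
      -e 's/^[^[:alnum:]]*//' \
      -e 's/:/,/g'
}

# csv_row N: return data row N (1-based, header excluded) of the converted
# sample; used by the checks below.
csv_row() {
  printf '%s\n' "$SAMPLE_TREE" | tree_to_csv | sed -n "$(( $1 + 1 ))p"
}

# version_of ARTIFACT: print the version column for one artifactId in the
# converted sample, e.g. the value to search for on the advisory site.
version_of() {
  printf '%s\n' "$SAMPLE_TREE" | tree_to_csv \
    | awk -F, -v a="$1" '$2 == a { print $4 }'
}

# Show the converted sample when run directly.
printf '%s\n' "$SAMPLE_TREE" | tree_to_csv
```

On a real project replace the sample with `tree_to_csv < jarlist.txt > jarlist.csv`; the artifactId and version columns are the two values the vulnerability search needs.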
3.1 spring-security-core
pom.xml
...
<parent>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-parent</artifactId>
    <version>2.3.5.RELEASE</version>
    <relativePath/>
</parent>
<dependencies>
    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-security</artifactId>
    </dependency>
</dependencies>
...
Save and download all dependency packages, then investigate each one for vulnerabilities.
Finding: spring-security-core-5.3.5.RELEASE.jar has a known security vulnerability
https://snyk.io/vuln/SNYK-JAVA-ORGSPRINGFRAMEWORKSECURITY-1078232
Original text
org.springframework.security:spring-security-core is a package that provides security services for the Spring IO Platform.
Affected versions of this package are vulnerable to Privilege Escalation. It fails to save the SecurityContext if it is changed more than once in a single request. The SecurityContext can fail to save to the HttpSession if a developer changes the SecurityContext twice in a single request when both of the following conditions are met: First the developer must change the SecurityContext before the HttpResponse is committed and then the HttpResponse must be committed before the SecurityContextPersistenceFilter completes. Then the developer must attempt to change the SecurityContext again before the SecurityContextPersistenceFilter completes. A malicious user cannot cause the bug to happen (it must be programmed in). However, if the application's intent is to only allow the user to run with elevated privileges in a small portion of the application, the bug can be leveraged to extend those privileges to the rest of the application.
Remediation
Upgrade org.springframework.security:spring-security-core to version 5.4.4, 5.3.8.RELEASE, 5.2.9.RELEASE or higher.
3.2 mybatis
pom.xml
...
<dependency>
    <groupId>org.mybatis.spring.boot</groupId>
    <artifactId>mybatis-spring-boot-starter</artifactId>
    <version>2.1.3</version>
</dependency>
...
Save and download all dependency packages, then investigate each one for vulnerabilities.
Finding: mybatis-3.5.5.jar has a known security vulnerability
https://snyk.io/vuln/SNYK-JAVA-ORGMYBATIS-1017032
Original text
org.mybatis:mybatis is a SQL mapper framework.
Affected versions of this package are vulnerable to Remote Code Execution (RCE). It mishandles deserialization of object streams. All of the following conditions need to be met in order to trigger RCE.
- the user enabled the built-in 2nd level cache [1]
- the user did not setup JEP-290 filter
- the attacker found a way to modify entries of the private Map field i.e. org.apache.ibatis.cache.impl.PerpetualCache.cache and a valid cache key
Remediation
Upgrade org.mybatis:mybatis to version 3.5.6 or higher.
4. Solution
A small (patch-level) version bump is preferred, because its impact on the rest of the project is limited.
4.1 spring-security-core
pom.xml
...
<parent>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-parent</artifactId>
    <version>2.3.9.RELEASE</version>
    <relativePath/>
</parent>
<dependencies>
    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-security</artifactId>
    </dependency>
</dependencies>
...
4.2 mybatis
pom.xml
...
<dependency>
    <groupId>org.mybatis.spring.boot</groupId>
    <artifactId>mybatis-spring-boot-starter</artifactId>
    <version>2.1.4</version>
</dependency>
...
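A version bump in pom.xml only helps if the transitive jar that actually resolves is at or above the fixed version, so after changing the parent or starter version it is worth regenerating jarlist.txt and gating the resolved versions against the fix versions quoted in the two advisories above (spring-security-core: 5.4.4, 5.3.8.RELEASE or 5.2.9.RELEASE; mybatis: 3.5.6). The script below is an added example, not from the original post: version_ge, is_fixed and audit are its own helpers, the SAMPLE_BEFORE and SAMPLE_AFTER lines are constructed rather than taken from a real build, and it assumes the dependency:tree coordinate layout groupId:artifactId:type:version:scope.

```shell
#!/bin/sh
# Added example (not from the original post): gate resolved dependency
# versions against the minimum fixed versions named in the two advisories.

# version_ge A B: succeed when dotted version A is >= B. Only the leading
# numeric components are compared; a qualifier such as "RELEASE" counts as 0,
# so 5.3.8.RELEASE compares equal to 5.3.8.
version_ge() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    na = split(a, pa, "."); nb = split(b, pb, ".")
    n = (na > nb) ? na : nb
    for (i = 1; i <= n; i++) {
      x = (pa[i] ~ /^[0-9]+$/) ? pa[i] + 0 : 0
      y = (pb[i] ~ /^[0-9]+$/) ? pb[i] + 0 : 0
      if (x > y) exit 0
      if (x < y) exit 1
    }
    exit 0
  }'
}

# is_fixed GROUP:ARTIFACT VERSION: succeed when VERSION is at or above the
# advisory's fix for that artifact. spring-security-core was fixed per
# maintenance branch, so 5.2.x and 5.3.x are checked against their own
# backport and anything else must be >= 5.4.4. Artifacts without an advisory
# on this page are passed through as fixed.
is_fixed() {
  case "$1" in
    org.springframework.security:spring-security-core)
      case "$2" in
        5.2.*) version_ge "$2" 5.2.9 ;;
        5.3.*) version_ge "$2" 5.3.8 ;;
        *)     version_ge "$2" 5.4.4 ;;
      esac ;;
    org.mybatis:mybatis) version_ge "$2" 3.5.6 ;;
    *) return 0 ;;
  esac
}

# audit: read "groupId:artifactId:type:version:scope" lines on stdin, print
# one "OK|VULNERABLE coordinate" line per input line, and fail if any line
# is VULNERABLE (so the status can gate a build).
audit() {
  bad=0
  while IFS=: read -r g a t v s; do
    [ -n "$g" ] || continue
    if is_fixed "$g:$a" "$v"; then
      echo "OK         $g:$a:$v"
    else
      echo "VULNERABLE $g:$a:$v"
      bad=1
    fi
  done
  return $bad
}

# Constructed sample (not a real build's output): the two vulnerable versions
# from section 3 next to the versions the advisories name as fixed.
SAMPLE_BEFORE='org.springframework.security:spring-security-core:jar:5.3.5.RELEASE:compile
org.mybatis:mybatis:jar:3.5.5:compile'
SAMPLE_AFTER='org.springframework.security:spring-security-core:jar:5.3.8.RELEASE:compile
org.mybatis:mybatis:jar:3.5.6:compile'

printf '%s\n' "$SAMPLE_BEFORE" | audit || echo "-> upgrade still needed"
printf '%s\n' "$SAMPLE_AFTER"  | audit || echo "-> upgrade still needed"
```

On a real project, strip the tree glyphs from the regenerated jarlist.txt as in step 1.2, pipe the resulting coordinate lines into audit, and treat a non-zero exit as a failed check.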
5. Summary
After an architect builds a prototype system on third-party middleware, it is worth checking whether known vulnerability reports exist for the dependencies it pulls in.
Principles:
- If the project has only just started, it is best to carry no vulnerable jars at all.
- If vulnerable jars already exist, upgrade by the smallest version step that fixes them, to keep the impact on the rest of the project limited.