前段时间将一个spring boot项目部署到了腾讯云服务区,跑一段时间后云镜检测到CVE-2020-5421漏洞,于是着手解决此问题。
漏洞综述
根据VMware Tanzu发布安全公告,公布了一个存在于Spring Framework中的反射型文件下载(Reflected File Download,RFD)漏洞CVE-2020-5421。CVE-2020-5421 可通过jsessionid路径参数,绕过防御RFD攻击的保护。先前针对RFD的防护是为应对 CVE-2015-5211 添加的。
攻击者通过向用户发送带有批处理脚本扩展名的URL,使用户下载并执行文件,从而危害用户系统。
官方已发布修复了漏洞的新版本。
Spring Framework是 Java 平台的一个开源全栈应用程序框架和控制反转容器实现,一般被直接称为 Spring。
影响范围
受影响的版本
- Spring Framework 5.2.0 – 5.2.8
- Spring Framework 5.1.0 – 5.1.17
- Spring Framework 5.0.0 – 5.0.18
- Spring Framework 4.3.0 – 4.3.28
- 以及其他已不受支持的版本
不受影响的版本
- Spring Framework 5.2.9
- Spring Framework 5.1.18
- Spring Framework 5.0.19
- Spring Framework 4.3.29
官方已发布修复了漏洞的新版本,建议相关用户尽快升级进行防护。
下载链接:
https://github.com/spring-projects/spring-framework/releases
Spring Boot 各版本的Java版本要求
Spring Boot 与 Java 对应版本,参考官网:https://spring.io/projects/spring-boot#learn
https://docs.spring.io/spring-boot/docs/{verion}/reference/htmlsingle/
| Sping Boot | Spring Framework | Java | Maven | Gradle |
| Spring Boot 2.1.x | ||||
| 2.1.0.RELEASE | Spring Framework 5.1.2.RELEASE | Java 8 or 9 | 3.3+ | 4.4+ |
| Spring Boot 2.0.x | ||||
| 2.0.6.RELEASE | Spring Framework 5.0.10.RELEASE | Java 8 or 9 | 3.2+ | 4.x |
| 2.0.5.RELEASE | Spring Framework 5.0.9.RELEASE | 4.x | ||
| 2.0.4.RELEASE | Spring Framework 5.0.8.RELEASE | 4 | ||
| 2.0.3.RELEASE | Spring Framework 5.0.7.RELEASE | 4 | ||
| 2.0.2.RELEASE | Spring Framework 5.0.6.RELEASE | 4 | ||
| 2.0.1.RELEASE | Spring Framework 5.0.5.RELEASE | 4 | ||
| 2.0.0.RELEASE | Spring Framework 5.0.4.RELEASE | 4 | ||
| Spring Boot 1.5.x | ||||
| 1.5.17.RELEASE | Spring Framework 4.3.20.RELEASE | Java 7 | 3.2+ | [2.9, 3.x] |
| 1.5.16.RELEASE | Spring Framework 4.3.19.RELEASE | |||
| 1.5.15.RELEASE | Spring Framework 4.3.18.RELEASE | |||
| 1.5.14.RELEASE | Spring Framework 4.3.18.RELEASE | |||
| 1.5.13.RELEASE | Spring Framework 4.3.17.RELEASE | |||
| 1.5.12.RELEASE | Spring Framework 4.3.16.RELEASE | |||
| 1.5.11.RELEASE | Spring Framework 4.3.15.RELEASE | |||
| 1.5.10.RELEASE | Spring Framework 4.3.14.RELEASE | |||
| 1.5.9.RELEASE | Spring Framework 4.3.13.RELEASE | |||
| 1.5.8.RELEASE | Spring Framework 4.3.12.RELEASE | |||
| 1.5.7.RELEASE | Spring Framework 4.3.11.RELEASE | |||
| 1.5.6.RELEASE | Spring Framework 4.3.10.RELEASE | |||
| 1.5.5.RELEASE | Spring Framework 4.3.10.RELEASE | |||
| 1.5.4.RELEASE | Spring Framework 4.3.9.RELEASE | |||
| 1.5.3.RELEASE | Spring Framework 4.3.8.RELEASE | |||
| 1.5.2.RELEASE | Spring Framework 4.3.7.RELEASE | |||
| 1.5.1.RELEASE | Spring Framework 4.3.6.RELEASE | |||
| 1.5.0.RELEASE | Spring Framework 4.3.6.RELEASE | |||
| Spring Boot 1.4.x | ||||
| 1.4.7.RELEASE | Spring Framework 4.3.9.RELEASE | Java 7 | 3.2+ |
[1.12, 2.x] |
| 1.4.6.RELEASE | Spring Framework 4.3.8.RELEASE | |||
| 1.4.5.RELEASE | Spring Framework 4.3.7.RELEASE | |||
| 1.4.4.RELEASE | Spring Framework 4.3.6.RELEASE | |||
| 1.4.3.RELEASE | Spring Framework 4.3.5.RELEASE | |||
| 1.4.2.RELEASE | Spring Framework 4.3.4.RELEASE | |||
| 1.4.1.RELEASE | Spring Framework 4.3.3.RELEASE | |||
| 1.4.0.RELEASE | Spring Framework 4.3.2.RELEASE | |||
| Spring Boot 1.3.x | ||||
| 1.3.8.RELEASE | Spring Framework 4.2.8.RELEASE |
Java 7 |
3.2+ |
[1.12, 2.x] |
| 1.3.7.RELEASE | Spring Framework 4.2.7.RELEASE | 1.12+ | ||
| 1.3.6.RELEASE | Spring Framework 4.2.7.RELEASE | |||
| 1.3.5.RELEASE | Spring Framework 4.2.6.RELEASE | |||
| 1.3.4.RELEASE | Spring Framework 4.2.6.RELEASE | |||
| 1.3.3.RELEASE | Spring Framework 4.1.5 or above | |||
| 1.3.2.RELEASE | ||||
| 1.3.1.RELEASE | ||||
| 1.3.0.RELEASE | ||||
| Spring Boot 1.2.x | ||||
| 1.2.8.RELEASE | Spring Framework 4.1.5 or above | Java 7 | 3.2+ | 1.12+ |
| 1.2.7.RELEASE | ||||
| 1.2.6.RELEASE | ||||
| 1.2.5.RELEASE | ||||
| 1.2.4.RELEASE | ||||
| 1.2.3.RELEASE | ||||
| 1.2.2.RELEASE | ||||
| 1.2.1.RELEASE | Spring Framework 4.1.3 or above | Java 6 | ||
| 1.2.0.RELEASE | ||||
注意:本文归作者所有,未经作者允许,不得转载
