JeecgBoot: upgrading Nacos to 2.2.3 to fix the raft vulnerability
Problem description
An old Nacos version was found to have a raft vulnerability; upgrading directly to the latest version, 2.2.3, resolves the problem.
Upgrade steps
1. Modify the pom
Path:
jeecg-server-cloud/jeecg-cloud-nacos/pom.xml
The new dependencies have not yet been uploaded to the official Maven repository, so configure the jeecg private repository.
<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
    <modelVersion>4.0.0</modelVersion>
    <artifactId>jeecg-cloud-nacos</artifactId>
    <name>jeecg-cloud-nacos</name>
    <description>nacos啟動模塊</description>
    <version>3.5.2</version>
    <parent>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-parent</artifactId>
        <version>2.6.14</version>
        <relativePath/>
    </parent>
    <repositories>
        <repository>
            <id>aliyun</id>
            <name>aliyun Repository</name>
            <url>https://maven.aliyun.com/repository/public</url>
            <snapshots>
                <enabled>false</enabled>
            </snapshots>
        </repository>
        <repository>
            <id>jeecg</id>
            <name>jeecg Repository</name>
            <url>https://maven.jeecg.org/nexus/content/repositories/jeecg</url>
            <snapshots>
                <enabled>false</enabled>
            </snapshots>
        </repository>
    </repositories>
    <properties>
        <log4j2.version>2.17.0</log4j2.version>
    </properties>

    <dependencies>
        <dependency>
            <groupId>org.apache.tomcat.embed</groupId>
            <artifactId>tomcat-embed-jasper</artifactId>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-security</artifactId>
        </dependency>
        <dependency>
            <groupId>org.jeecgframework.nacos</groupId>
            <artifactId>nacos-naming</artifactId>
            <version>2.2.3</version>
        </dependency>
        <dependency>
            <groupId>org.jeecgframework.nacos</groupId>
            <artifactId>nacos-istio</artifactId>
            <version>2.2.3</version>
        </dependency>
        <dependency>
            <groupId>org.jeecgframework.nacos</groupId>
            <artifactId>nacos-config</artifactId>
            <version>2.2.3</version>
        </dependency>
        <dependency>
            <groupId>org.jeecgframework.nacos</groupId>
            <artifactId>nacos-console</artifactId>
            <version>2.2.3</version>
        </dependency>
    </dependencies>
    <build>
        <plugins>
            <plugin>
                <groupId>org.springframework.boot</groupId>
                <artifactId>spring-boot-maven-plugin</artifactId>
            </plugin>
        </plugins>
    </build>
</project>
2. Upgrade the Nacos database by running the upgrade script
ALTER TABLE config_info ADD encrypted_data_key varchar(255) DEFAULT NULL COMMENT '加密key';
ALTER TABLE his_config_info ADD encrypted_data_key varchar(255) DEFAULT NULL COMMENT '加密key';
ALTER TABLE config_info_beta ADD encrypted_data_key varchar(255) DEFAULT NULL COMMENT '加密key';
ALTER TABLE config_info_tag ADD encrypted_data_key varchar(255) DEFAULT NULL COMMENT '加密key';
3. Start the Nacos project to complete the upgrade
The upgrade is done; it is that simple.
4. Vulnerability description
4.1 Details
Nacos is an easy-to-use platform for dynamic service discovery, configuration and service management, used to build cloud-native applications.
Nacos recently released an updated version that fixes a deserialization vulnerability. When a Nacos cluster handles certain Jraft requests, it does not restrict hessian deserialization, which can lead to remote code execution. The vulnerability only affects port 7848 (under default settings); in normal use this port carries the Raft protocol traffic between Nacos cluster nodes and does not serve client requests, so it can be mitigated by blocking requests to that port from outside the Nacos cluster.
The vulnerability has been fixed; affected users can update to Nacos 1.4.6 or 2.2.3.
4.2 Affected versions
1.4.0 <= Nacos version < 1.4.6
2.0.0 <= Nacos version < 2.2.3
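The following shell script is an added example and is not code from the original post, from JeecgBoot or from Nacos. It turns the affected version ranges above and the pom step into checks a defender can run: nacos_affected tests one version string against both ranges, audit_pom scans a pom for every nacos module and flags any that was not bumped (the page's pom bumps four modules, and missing one is the easy mistake), and raft_port_rules prints the iptables rules for the mitigation described above, accepting TCP 7848 only from the listed cluster peers. The function names, the sample pom fragment and the peer addresses are constructed for this example; the rules are printed, not applied.

```shell
#!/bin/sh
# Added example, not code from the original post, JeecgBoot or Nacos.
# Checks Nacos versions against the ranges given in the advisory text
# (1.4.0 <= v < 1.4.6, 2.0.0 <= v < 2.2.3), audits a pom for nacos modules
# that were not bumped, and prints firewall rules for the Raft port 7848.
# Needs only POSIX sh and awk.

# ver_lt A B: succeeds when A < B comparing major.minor.patch numerically.
# A suffix such as "-SNAPSHOT" is ignored by awk's numeric conversion.
ver_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        for (i = 1; i <= 3; i++) {
            p = (i <= n) ? x[i] + 0 : 0
            q = (i <= m) ? y[i] + 0 : 0
            if (p < q) exit 0
            if (p > q) exit 1
        }
        exit 1
    }'
}

# ver_ge A B: succeeds when A >= B.
ver_ge() { ! ver_lt "$1" "$2"; }

# nacos_affected VERSION: succeeds when VERSION lies in an affected range.
nacos_affected() {
    if ver_ge "$1" 1.4.0 && ver_lt "$1" 1.4.6; then return 0; fi
    if ver_ge "$1" 2.0.0 && ver_lt "$1" 2.2.3; then return 0; fi
    return 1
}

# pom_nacos_deps < pom.xml: prints "artifactId version" for each <dependency>
# whose groupId contains "nacos" (org.jeecgframework.nacos, com.alibaba.nacos).
# Prints "unset" when the version is inherited rather than pinned.
pom_nacos_deps() {
    awk '
        /<dependency>/   { g = ""; a = ""; v = "" }
        /<groupId>/      { g = $0; sub(/.*<groupId>/, "", g); sub(/<\/groupId>.*/, "", g) }
        /<artifactId>/   { a = $0; sub(/.*<artifactId>/, "", a); sub(/<\/artifactId>.*/, "", a) }
        /<version>/      { v = $0; sub(/.*<version>/, "", v); sub(/<\/version>.*/, "", v) }
        /<\/dependency>/ { if (g ~ /nacos/) print a, (v == "" ? "unset" : v) }
    '
}

# audit_pom < pom.xml: one verdict line per nacos module; exits 1 if any module
# is still on an affected version or has no explicit version to check.
audit_pom() {
    rc=0
    for entry in $(pom_nacos_deps | tr ' ' ':'); do
        art=${entry%%:*}; ver=${entry#*:}
        if [ "$ver" = unset ]; then
            echo "$art version not pinned: check the parent or dependencyManagement"; rc=1
        elif nacos_affected "$ver"; then
            echo "$art $ver AFFECTED"; rc=1
        else
            echo "$art $ver ok"
        fi
    done
    return $rc
}

# raft_port_rules PEER...: prints iptables rules that accept TCP/7848 only from
# the listed cluster peers and drop everything else. Printed, not applied.
raft_port_rules() {
    for peer in "$@"; do
        echo "iptables -A INPUT -p tcp --dport 7848 -s $peer -j ACCEPT"
    done
    echo "iptables -A INPUT -p tcp --dport 7848 -j DROP"
}

# Constructed sample pom fragment (not the project's file): nacos-config was
# left on 2.2.0, so the audit must flag it; the Spring dependency is ignored.
SAMPLE_POM='<project>
  <dependencies>
    <dependency>
      <groupId>org.springframework.boot</groupId>
      <artifactId>spring-boot-starter-security</artifactId>
    </dependency>
    <dependency>
      <groupId>org.jeecgframework.nacos</groupId>
      <artifactId>nacos-naming</artifactId>
      <version>2.2.3</version>
    </dependency>
    <dependency>
      <groupId>org.jeecgframework.nacos</groupId>
      <artifactId>nacos-config</artifactId>
      <version>2.2.0</version>
    </dependency>
  </dependencies>
</project>'

printf '%s\n' "$SAMPLE_POM" | audit_pom || echo "pom still references an affected Nacos version"
raft_port_rules 10.0.0.11 10.0.0.12   # constructed peer addresses
```

To audit the real file, run audit_pom with the pom from step 1 on stdin (audit_pom < jeecg-server-cloud/jeecg-cloud-nacos/pom.xml); a non-zero exit means at least one nacos module is still in an affected range. The firewall rules are the network-side mitigation the advisory text describes for clusters that cannot upgrade immediately, and they restrict the Raft port, not the client ports. Run the ALTER statements from step 2 once only: MySQL reports a duplicate column error if they are repeated on an already migrated schema.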
4.3 Reference blogs
http://net.jstu.edu.cn/2023/0612/c2331a165901/page.htm
http://www.hackdig.com/06/hack-1004954.htm
https://blog.csdn.net/qq12547345/article/details/131183159
https://blog.csdn.net/weiyangdong/article/details/131440830