Tomcat爆出安全漏洞!SpDDoS高防ring Cloud/Boot框架多个版本受阻碍-墨者安全-墨者盾
DDOS防御_CC防护_高防CDN服务器_【墨者安全】—墨者盾墨者盾—你的网站贴身保镖!
QQ:800185041
高防免费接入:400-0797-119

渠道合作:156 2527 6999

主页 > CC防护 > Tomcat爆出安全漏洞!SpDDoS高防ring Cloud/Boot框架多个版本受阻碍

Tomcat爆出安全漏洞!SpDDoS高防ring Cloud/Boot框架多个版本受阻碍

小墨安全管家 2020-07-09 16:47 CC防护 89 ℃
DDoS防御

            <groupId>org.apache.tomcat.embed</groupId> 

升级Spring Boot 2.3.x

1. 升级Spring Boot

            <artifactId>tomcat-embed-websocket</artifactId> 

            <version>${tomcat-embed.version}</version> 

假如条件允许,能够经过升级到Tomcat新版本来解决漏洞。下面为受阻碍版本对应的安全版本:

        <dependency> 

            <artifactId>tomcat-embed-core</artifactId> 

    </dependencies> 

    <artifactId>spring-boot-starter-parent</artifactId> 

<parent> 

<properties> 

    <tomcat-embed.version>9.0.36</tomcat-embed.version> 

        </dependency> 

            <version>${tomcat-embed.version}</version> 

        <dependency> 

        </dependency> 

02 Spring Cloud / Boot 框架阻碍

Apache Tomcat HTTP/2 拒绝服务漏洞也给Spring Cloud / Boot 框架带来了一定的阻碍。下面是所有受阻碍的版本列表,大伙儿能够查看并对比下自个儿的代码,看看是否受到阻碍。

<properties> 

    </dependencies> 

<properties> 

            <groupId>org.apache.tomcat.embed</groupId> 

Spring Cloud Hoxton / Spring Boot 2.2.x

2. 升级Tomcat

</dependencyManagement> 

<parent> 

</properties> 

            <artifactId>tomcat-embed-websocket</artifactId> 

        <dependency> 

Spring Boot [2.2.8.RELEASE] 版本已修复。

            <groupId>org.apache.tomcat.embed</groupId> 

2. 升级Tomcat

        <dependency> 

            <version>${tomcat-embed.version}</version> 

            <artifactId>tomcat-embed-el</artifactId> 

        <dependency> 

Spring Boot [2.2.0.RELEASE - 2.2.7.RELEASE] 版本受到阻碍。

            <artifactId>tomcat-embed-el</artifactId> 

<dependencyManagement> 

</properties> 

            <groupId>org.apache.tomcat.embed</groupId> 

Spring Boot 2.3.x

翻译

            <artifactId>tomcat-embed-websocket</artifactId> 

Spring Boot [1.5.0.RELEASE - 1.5.22.RELEASE] 版本受到阻碍。

</parent> 

Spring Boot [2.3.1.RELEASE] 版本已修复。

            <version>${tomcat-embed.version}</version> 

 

升级Spring Cloud Finchley / Spring Boot 2.0.x

Finchley无法经过升级Spring Boot版本解决咨询题。

            <artifactId>tomcat-embed-el</artifactId> 

<parent> 

 

Spring Boot [2.1.15.RELEASE] 版本已修复。

Apache Tomcat 9.0.0.M1 ~ 9.0.35

Tomcat爆出安全漏洞!Spring Cloud/Boot框架多个版本受阻碍

        </dependency> 

<properties> 

    <version>2.2.8.RELEASE</version> 

        <dependency> 

<dependencyManagement> 

            <version>${tomcat-embed.version}</version> 

软件提供商: Apache 软件基金会

            <groupId>org.apache.tomcat.embed</groupId> 

Apache Tomcat 9.0.36+

<dependencyManagement> 

            <groupId>org.apache.tomcat.embed</groupId> 

        </dependency>    </dependencies></dependencyManagement> 

直截了当升级Spring Boot版本。

            <groupId>org.apache.tomcat</groupId> 

Spring Boot [2.3.0.RELEASE] 版本受到阻碍。

升级 Spring Cloud Edgware / Spring Boot 1.5.x

Edgware无法经过升级Spring Boot版本解决咨询题。=

Spring Cloud [Finchley.RELEASE - Finchley.SR4] 版本受到阻碍。

漏洞描述:一具非常制作的 HTTP/2 请求序列,在短短数秒内能导致 CPU 满负载率,假如有脚够数量多的此类请求连接(HTTP/2)并发放在服务器上,服务器大概会失去响应。

 

            <groupId>org.apache.tomcat.embed</groupId> 

        </dependency> 

            <version>${tomcat-embed.version}</version> 

Apache Tomcat 10.0.0-M1 ~ 10.0.0-M5

    </dependencies> 

    <dependencies> 

        </dependency> 

</properties> 

Spring Cloud [Edgware.RELEASE - Edgware.SR6] 版本受到阻碍。

            <artifactId>tomcat-embed-core</artifactId> 

            <groupId>org.apache.tomcat.embed</groupId> 

            <artifactId>tomcat-annotations-api</artifactId> 

</dependencyManagement> 

        </dependency> 

    <version>2.1.15.RELEASE</version> 

Apache Tomcat 8.5.0 ~ 8.5.55

手动升级Tomcat版本。

        <dependency> 

漏洞名称:Apache Tomcat HTTP/2 拒绝服务漏洞

    <artifactId>spring-boot-starter-parent</artifactId> 

升级Spring Cloud Greenwich / Spring Boot 2.1.x

1. 升级Spring Boot

        </dependency> 

        <dependency> 

            <artifactId>tomcat-embed-core</artifactId> 

        </dependency> 

<dependencyManagement> 

</properties> 

            <version>${tomcat-embed.version}</version> 

Spring Cloud Edgware / Spring Boot 1.5.x

            <version>${tomcat-embed.version}</version> 

            <groupId>org.apache.tomcat.embed</groupId> 

    <dependencies> 

            <version>${tomcat-embed.version}</version> 

Spring Cloud [Greenwich.RELEASE - Greenwich.SR6] 版本受到阻碍。

            <artifactId>tomcat-embed-core</artifactId> 

Apache Tomcat 8.5.56+

    <groupId>org.springframework.boot</groupId> 

<dependencyManagement> 

    <dependencies> 

</dependencyManagement> 

    <tomcat-embed.version>8.5.56</tomcat-embed.version> 

        <dependency> 

Spring Cloud Greenwich / Spring Boot 2.1.x

    <artifactId>spring-boot-starter-parent</artifactId> 

            <groupId>org.apache.tomcat.embed</groupId> 

            <groupId>org.apache.tomcat.embed</groupId> 

        </dependency> 

    <tomcat-embed.version>9.0.36</tomcat-embed.version> 

    <tomcat-embed.version>8.5.56</tomcat-embed.version> 

        </dependency> 

            <artifactId>tomcat-embed-websocket</artifactId> 

Spring Cloud Finchley / Spring Boot 2.0.x

        <dependency> 

        </dependency> 

            <version>${tomcat-embed.version}</version> 

</dependencyManagement> 

        <dependency> 

</parent> 

<properties> 

Spring Boot [2.1.0.RELEASE - 2.1.14.RELEASE] 版本受到阻碍。

严峻程度: 重要

    </dependencies> 

    <dependencies> 

            <artifactId>tomcat-embed-core</artifactId> 

            <version>${tomcat-embed.version}</version> 

        </dependency> 

    <version>2.3.1.RELEASE</version> 

            <groupId>org.apache.tomcat.embed</groupId> 

</parent> 

            <version>${tomcat-embed.version}</version> 

 

2. 升级Tomcat

Spring Boot [2.0.0.RELEASE - 2.0.9.RELEASE] 版本受到阻碍。

03 升级方案

为了幸免上述漏洞,现有两种升级方案:

    <dependencies> 

    <groupId>org.springframework.boot</groupId> 

        </dependency> 

            <artifactId>tomcat-embed-el</artifactId> 

%3Cfd56bc1d-1219-605b-99c7-946bf7bd8ad4@apache.org%3E

        <dependency> 

            <groupId>org.apache.tomcat.embed</groupId> 

            <version>${tomcat-embed.version}</version> 

            <groupId>org.apache.tomcat.embed</groupId> 

漏洞详情链接:

            <version>${tomcat-embed.version}</version> 

升级Spring Cloud Hoxton / Spring Boot 2.2.x

1. 升级Spring Boot

    <groupId>org.springframework.boot</groupId> 

Spring Cloud [Hoxton.RELEASE - Hoxton.SR6] 版本受到阻碍。

        <dependency> 

</properties> 

        </dependency> 

            <artifactId>tomcat-embed-websocket</artifactId> 

Apache Tomcat 10.0.0-M6+

            <version>${tomcat-embed.version}</version> 

    <tomcat-embed.version>9.0.36</tomcat-embed.version> 

        <dependency> 

6月25日, Apache 官方安全团队经过邮件公开报告了一具高危漏洞,邮件中介绍了 HTTP/2 拒绝服务漏洞的细节及解决方案。如下图所示:

漏洞编号:CVE-2020-11996

        <dependency> 

 

受阻碍的版本:


DDoS防御

当前位置:主页 > CC防护 > Tomcat爆出安全漏洞!SpDDoS高防ring Cloud/Boot框架多个版本受阻碍

标签列表
DDoS防御
网站分类
X
 

QQ客服

400-0797-119