Upgrading struts2.3.23 to struts2.3.32
Source: Internet  Editor: 程序博客网  Time: 2024/05/18 03:21
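A new vulnerability
On March 8 I went to the Audit Office to give training on how to use the system. The head of their computer center handed me a document, shown in the figure below, saying that a struts2 vulnerability had been found and needed to be fixed.
Before the training, I logged in to the servers and saw that the project on every server was using struts2.3.20, so I quietly agreed to do the upgrade. In my mind, a vulnerability turning up in struts2 is a perfectly normal thing.
Upgrade preparation
Before the upgrade, the versions of the jar packages in the project were as follows: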
<!-- https://mvnrepository.com/artifact/antlr/antlr -->
<dependency>
    <groupId>antlr</groupId>
    <artifactId>antlr</artifactId>
    <version>2.7.7</version>
</dependency>
<!-- https://mvnrepository.com/artifact/aopalliance/aopalliance -->
<dependency>
    <groupId>aopalliance</groupId>
    <artifactId>aopalliance</artifactId>
    <version>1.0</version>
</dependency>
<!-- https://mvnrepository.com/artifact/aspectj/aspectjrt -->
<dependency>
    <groupId>aspectj</groupId>
    <artifactId>aspectjrt</artifactId>
    <version>1.5.4</version>
</dependency>
<!-- https://mvnrepository.com/artifact/org.aspectj/aspectjweaver -->
<dependency>
    <groupId>org.aspectj</groupId>
    <artifactId>aspectjweaver</artifactId>
    <version>1.5.4</version>
</dependency>
<!-- https://mvnrepository.com/artifact/com.mchange/c3p0 -->
<dependency>
    <groupId>com.mchange</groupId>
    <artifactId>c3p0</artifactId>
    <version>0.9.5</version>
</dependency>
<!-- https://mvnrepository.com/artifact/org.springframework/spring-context -->
<dependency>
    <groupId>org.springframework</groupId>
    <artifactId>spring-aop</artifactId>
    <version>4.2.0.RELEASE</version>
</dependency>
<dependency>
    <groupId>org.springframework</groupId>
    <artifactId>spring-aspects</artifactId>
    <version>4.2.0.RELEASE</version>
</dependency>
<dependency>
    <groupId>org.springframework</groupId>
    <artifactId>spring-beans</artifactId>
    <version>4.2.0.RELEASE</version>
</dependency>
<dependency>
    <groupId>org.springframework</groupId>
    <artifactId>spring-context</artifactId>
    <version>4.2.0.RELEASE</version>
</dependency>
<dependency>
    <groupId>org.springframework</groupId>
    <artifactId>spring-context-support</artifactId>
    <version>4.2.0.RELEASE</version>
</dependency>
<dependency>
    <groupId>org.springframework</groupId>
    <artifactId>spring-core</artifactId>
    <version>4.2.0.RELEASE</version>
</dependency>
<dependency>
    <groupId>org.springframework</groupId>
    <artifactId>spring-expression</artifactId>
    <version>4.2.0.RELEASE</version>
</dependency>
<dependency>
    <groupId>org.springframework</groupId>
    <artifactId>spring-jdbc</artifactId>
    <version>4.2.0.RELEASE</version>
</dependency>
<dependency>
    <groupId>org.springframework</groupId>
    <artifactId>spring-orm</artifactId>
    <version>4.2.0.RELEASE</version>
</dependency>
<dependency>
    <groupId>org.springframework</groupId>
    <artifactId>spring-jms</artifactId>
    <version>4.2.0.RELEASE</version>
</dependency>
<dependency>
    <groupId>org.springframework</groupId>
    <artifactId>spring-oxm</artifactId>
    <version>4.2.0.RELEASE</version>
</dependency>
<dependency>
    <groupId>org.springframework</groupId>
    <artifactId>spring-test</artifactId>
    <version>4.2.0.RELEASE</version>
</dependency>
<dependency>
    <groupId>org.springframework</groupId>
    <artifactId>spring-tx</artifactId>
    <version>4.2.0.RELEASE</version>
</dependency>
<dependency>
    <groupId>org.springframework</groupId>
    <artifactId>spring-web</artifactId>
    <version>4.2.0.RELEASE</version>
</dependency>
<dependency>
    <groupId>org.springframework</groupId>
    <artifactId>spring-webmvc</artifactId>
    <version>4.2.0.RELEASE</version>
</dependency>
<dependency>
    <groupId>org.springframework</groupId>
    <artifactId>spring-webmvc-portlet</artifactId>
    <version>4.2.0.RELEASE</version>
</dependency>
<dependency>
    <groupId>org.springframework</groupId>
    <artifactId>spring-websocket</artifactId>
    <version>4.2.0.RELEASE</version>
</dependency>
<dependency>
    <groupId>org.apache.struts</groupId>
    <artifactId>struts2-core</artifactId>
    <version>2.3.23</version>
</dependency>
<dependency>
    <groupId>org.apache.struts</groupId>
    <artifactId>struts2-json-plugin</artifactId>
    <version>2.3.23</version>
</dependency>
<dependency>
    <groupId>org.apache.struts</groupId>
    <artifactId>struts2-spring-plugin</artifactId>
    <version>2.3.23</version>
</dependency>
<dependency>
    <groupId>org.freemarker</groupId>
    <artifactId>freemarker</artifactId>
    <version>2.3.23</version>
</dependency>
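According to the published advisory, the versions that are currently safe are struts2.3.32 and struts2.5.10.1. Yesterday my first thought was to simply change the struts2 version in Maven, but annoyingly neither of these two versions was available there (I just checked, and they are in the Maven Central repository now). So what I did was download the distribution package directly from the Struts website and do the replacement with that. Fortunately, they have now been published to the Maven Central repository. The following four packages are the ones mainly involved: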
<dependency>
    <groupId>org.apache.struts</groupId>
    <artifactId>struts2-core</artifactId>
    <version>2.3.23</version>
</dependency>
<dependency>
    <groupId>org.apache.struts</groupId>
    <artifactId>struts2-json-plugin</artifactId>
    <version>2.3.23</version>
</dependency>
<dependency>
    <groupId>org.apache.struts</groupId>
    <artifactId>struts2-spring-plugin</artifactId>
    <version>2.3.23</version>
</dependency>
<dependency>
    <groupId>org.freemarker</groupId>
    <artifactId>freemarker</artifactId>
    <version>2.3.23</version>
</dependency>
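Once the corresponding jar packages have been replaced, the upgrade to struts2.3.32 goes through smoothly. Because struts2.5 changes quite a lot, I am not upgrading to struts2.5.10 for now.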
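Because the jars here were swapped by hand on several servers, it is worth confirming afterwards that no old struts2-core jar is still deployed. The script below is an added example, not part of the original post. It assumes the version can be read from the jar file name (struts2-core-<version>.jar) and that anything at or above 2.3.32 in the 2.3 line, or 2.5.10.1 in the 2.5 line, is acceptable. The function names are hypothetical.

```shell
#!/bin/sh
# Added example: flag struts2-core jars below the versions the post names as safe.
# Assumption: the version is taken from the file name struts2-core-<version>.jar.

# ver_ge A B: succeed when dotted numeric version A >= B.
ver_ge() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        [ "$a" = "$x" ] && a= || a=${a#*.}
        [ "$b" = "$y" ] && b= || b=${b#*.}
        x=${x:-0}; y=${y:-0}
        [ "$x" -gt "$y" ] && return 0
        [ "$x" -lt "$y" ] && return 1
    done
    return 0
}

# struts_core_status FILE: print ok, upgrade or unknown for one jar path.
struts_core_status() {
    v=${1##*/}
    case $v in struts2-core-*.jar) ;; *) echo unknown; return 0 ;; esac
    v=${v#struts2-core-}; v=${v%.jar}
    # Non-numeric versions (SNAPSHOT, BETA) cannot be compared here.
    case $v in ''|*[!0-9.]*) echo unknown; return 0 ;; esac
    if ver_ge "$v" 2.5; then min=2.5.10.1; else min=2.3.32; fi
    if ver_ge "$v" "$min"; then echo ok; else echo upgrade; fi
}

# scan_lib DIR: report each struts2-core jar under DIR; return 1 if any needs upgrading.
scan_lib() {
    out=$(find "$1" -type f -name 'struts2-core-*.jar' 2>/dev/null |
        while IFS= read -r f; do
            printf '%s %s\n' "$(struts_core_status "$f")" "$f"
        done)
    if [ -n "$out" ]; then printf '%s\n' "$out"; fi
    if printf '%s\n' "$out" | grep -q '^upgrade '; then return 1; fi
    return 0
}

# Stand-alone use: sh check_struts.sh /path/to/webapps
if [ $# -gt 0 ]; then scan_lib "$1"; fi
```

Point it at the directory that holds the deployed applications so that every WEB-INF/lib is covered, including expanded copies left beside a .war file.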
Vulnerability description