Spring官宣最新漏洞原文-中英版

Spring最新漏洞文章-中英版

资料

原文地址 : Spring Framework RCE, Early Announcement
发布时间 : 2022-03-32
作者: ROSSEN STOYANCHEV

Updates 更新

  • [15:40 BST] Spring Boot 2.6.6is available.
  • [14:38 BST] Spring Boot 2.5.12is available.
  • [14:00 BST] CVE-2022-22965is published.
  • [13:03 BST] Added section “Misconceptions”.
  • [12:34 BST] Added section “Am I Impacted”.
  • [12:11 BST] Fix minor issue in the workaround for adding disallowedFields.
  • [11:59 BST] Spring Framework versions 5.3.18 and 5.2.20, which address the vulnerability, are now available. The release process for Spring Boot is in progress.

【中文】

  • [15:40 BST] Spring Boot 2.6.6可用
  • [14:38 BST] Spring Boot 2.5.12可用
  • [14:00 BST] CVE-2022-22965已发布
  • [13:03 BST]添加了“误解”部分
  • [12:34 BST]添加了“我受到影响”部分
  • [12:11 BST]修复了添加disallowedFields
  • [11:59 BST] Spring Framework 版本5.3.18和5.2.20现已推出,可解决该漏洞。Spring Boot 的发布过程正在进行中

Overview 概述

【原文】I would like to announce an RCE vulnerability in the Spring Framework that was leaked out ahead of CVE publication. The issue was first reported to VMware late on Tuesday evening, close to Midnight, GMT time by codeplutos, meizjm3i of AntGroup FG. On Wednesday we worked through investigation, analysis, identifying a fix, testing, while aiming for emergency releases on Thursday. In the mean time, also on Wednesday, details were leaked in full detail online, which is why we are providing this update ahead of the releases and the CVE report.

【中文】我想宣布在 CVE 发布之前泄露的 Spring 框架中的一个 RCE 漏洞。该问题首先由 AntGroup FG 的 codeplutos, meizjm3i 于周二晚间,接近格林威治标准时间午夜时分向 VMware 报告。周三,我们进行了调查、分析、确定修复、测试,同时瞄准周四的紧急发布。与此同时,同样在周三,详细信息已在网上全面泄露,这就是我们在发布和 CVE 报告之前提供此更新的原因。

Vulnerability 漏洞

【原文】The vulnerability impacts Spring MVC and Spring WebFlux applications running on JDK 9+. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it.

【中文】该漏洞影响在 JDK 9+ 上运行的 Spring MVC 和 Spring WebFlux 应用程序。具体的利用需要应用程序作为 WAR 部署在 Tomcat 上运行。如果应用程序被部署为 Spring Boot 可执行 jar,即默认值,则它不易受到漏洞利用。但是,该漏洞的性质更为普遍,可能还有其他方法可以利用它。

Am I Impacted? 你受到影响了吗?

These are the requirements for the specific scenario from the report:

  • JDK 9 or higher
  • Apache Tomcat as the Servlet container
  • Packaged as a traditional WAR (in contrast to a Spring Boot executable jar)
  • spring-webmvc or spring-webflux dependency
  • Spring Framework versions 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, and older versions

However, the nature of the vulnerability is more general, and there may be other ways to exploit it that have not been reported yet.

【中文】这些是报告中特定场景的要求:

  • JDK 9 或更高版本
  • Apache Tomcat 作为 Servlet 容器
  • 打包为传统的 WAR(与 Spring Boot 可执行 jar 相比)
  • spring-webmvcspring-webflux 依赖
  • Spring Framework 版本 5.3.0 到 5.3.17、5.2.0 到 5.2.19 以及更早的版本

但是,该漏洞的性质更为普遍,可能还有其他尚未报告的利用方法。

Status 状态

  • Spring Framework 5.3.18 and 5.2.20, which contain the fixes, have been released
  • Spring Boot 2.6.6 and 2.5.12 that depend on Spring Framework 5.3.18 have been released.
  • CVE-2022-22965 has been published

【中文】

  • 包含修复的 Spring Framework 5.3.18 和 5.2.20 已发布
  • 依赖 Spring Framework 5.3.18 的 Spring Boot 2.6.6 和 2.5.12 已经发布。
  • CVE-2022-22965 已发布

NOTE: If you’re able to upgrade to Spring Framework 5.3.18 and 5.2.20, you do not need this section.
The leaked reports recommend setting disallowedFields on WebDataBinder through an @ControllerAdvice:

【中文】注意:如果您能够升级到 Spring Framework 5.3.18和5.2.20,则不需要此部分
泄露的报告建议disallowedFields通过WebDataBinder以下方式设置@ControllerAdvice

@ControllerAdvice
@Order(Ordered.LOWEST_PRECEDENCE)
public class BinderControllerAdvice {

    @InitBinder
    public void setAllowedFields(WebDataBinder dataBinder) {
         String[] denylist = new String[]{"class.*", "Class.*", "*.class.*", "*.Class.*"};
         dataBinder.setDisallowedFields(denylist);
    }
}

This works generally, but as a centrally applied workaround fix, may leave some loopholes, in particular if a controller sets disallowedFields locally through its own @InitBinder method, which overrides the global setting.

To apply the workaround in a more fail-safe way, applications could extend RequestMappingHandlerAdapter to update the WebDataBinder at the end after all other initialization. In order to do that, a Spring Boot application can declare a WebMvcRegistrations bean (Spring MVC) or a WebFluxRegistrations bean (Spring WebFlux).

For example in Spring MVC (and similar in WebFlux):

【中文】这通常有效,但作为集中应用的解决方法修复,可能会留下一些漏洞,特别是如果控制器disallowedFields通过其自己的方法在本地@InitBinder设置,这会覆盖全局设置。

为了以更安全的方式应用解决方法,应用程序可以扩展以在所有其他初始化之后RequestMappingHandlerAdapter更新最后。WebDataBinder为此,Spring Boot 应用程序可以声明一个WebMvcRegistrationsbean (Spring MVC) 或一个WebFluxRegistrationsbean (Spring WebFlux)。

例如在 Spring MVC 中(在 WebFlux 中类似):

package car.app;

import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.boot.autoconfigure.web.servlet.WebMvcRegistrations;
import org.springframework.context.annotation.Bean;
import org.springframework.web.bind.ServletRequestDataBinder;
import org.springframework.web.context.request.NativeWebRequest;
import org.springframework.web.method.annotation.InitBinderDataBinderFactory;
import org.springframework.web.method.support.InvocableHandlerMethod;
import org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter;
import org.springframework.web.servlet.mvc.method.annotation.ServletRequestDataBinderFactory;


@SpringBootApplication
public class MyApp {


	public static void main(String[] args) {
		SpringApplication.run(CarApp.class, args);
	}


	@Bean
	public WebMvcRegistrations mvcRegistrations() {
		return new WebMvcRegistrations() {
			@Override
			public RequestMappingHandlerAdapter getRequestMappingHandlerAdapter() {
				return new ExtendedRequestMappingHandlerAdapter();
			}
		};
	}


	private static class ExtendedRequestMappingHandlerAdapter extends RequestMappingHandlerAdapter {

		@Override
		protected InitBinderDataBinderFactory createDataBinderFactory(List<InvocableHandlerMethod> methods) {

			return new ServletRequestDataBinderFactory(methods, getWebBindingInitializer()) {

				@Override
				protected ServletRequestDataBinder createBinderInstance(
						Object target, String name, NativeWebRequest request) throws Exception {
					
					ServletRequestDataBinder binder = super.createBinderInstance(target, name, request);
					String[] fields = binder.getDisallowedFields();
					List<String> fieldList = new ArrayList<>(fields != null ? Arrays.asList(fields) : Collections.emptyList());
					fieldList.addAll(Arrays.asList("class.*", "Class.*", "*.class.*", "*.Class.*"));
					binder.setDisallowedFields(fieldList.toArray(new String[] {}));
					return binder;
				}
			};
		}
	}
}

For Spring MVC without Spring Boot, an application can switch from @EnableWebMvc to extending DelegatingWebMvcConfiguration directly as described in Advanced Config section of the documentation, then overriding the createRequestMappingHandlerAdapter method.

【中文】对于没有 Spring Boot 的 Spring MVC,应用程序可以从文档的高级配置部分中描述的直接@EnableWebMvc扩展,然后覆盖该方法。DelegatingWebMvcConfiguration createRequestMappingHandlerAdapter

Misconceptions 误解

There was speculation surrounding the commit to deprecate SerializationUtils. This class has only one usage within the framework and is not exposed to external input. The deprecation is unrelated to this vulnerability.

There was confusion with a CVE for Spring Cloud Functionwhich was released just before the report for this vulnerability. It is also unrelated.

【中文】围绕 deprecate 的承诺存在猜测SerializationUtils。此类在框架内只有一种用途,并且不暴露于外部输入。弃用与此漏洞无关。

在报告此漏洞之前发布的 Spring Cloud Function 的 CVE 存在混淆。这也是无关的。

Further Updates 进一步更新

When the releases are ready, we will post another blog on this site, to announce their availability. So please continue to watch https://spring.io/blog. We may also update this blog post, if there are any corrections to be made, and in that case we’ll clearly call those out at the top.

comments powered by Disqus

【中文】
当版本准备就绪时,我们将在此站点上发布另一个博客,以宣布它们的可用性。所以请继续关注https://spring.io/blog。如果有任何更正,我们也可能会更新此博客文章,在这种情况下,我们会在顶部明确指出这些内容。

评论由Disqus提供支持

PS : 以上仅仅是我今天看到文章供大家学习下;如果有侵权请联系我,我把文章及时删除~

最后
大家可以关注下;一个不定时更新文章 and 假装喜欢英语的程序员;
Spring官宣最新漏洞原文-中英版_第1张图片

你可能感兴趣的:(spring,mvc,springboot,spring,boot)