Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix: CVE-2024-22243 & CVE-2024-22259 Upgrade Spring Web to 5.3.33 #11833

Merged
merged 1 commit into from Apr 1, 2024
Merged

fix: CVE-2024-22243 & CVE-2024-22259 Upgrade Spring Web to 5.3.33 #11833

merged 1 commit into from Apr 1, 2024

Conversation

cxhello
Copy link
Contributor

@cxhello cxhello commented Mar 15, 2024
edited

What is the purpose of the change

Closes #11811

Brief changelog

XX

Verifying this change

XXXX

Follow this checklist to help us incorporate your contribution quickly and easily:

  • Make sure there is a Github issue filed for the change (usually before you start working on it). Trivial changes like typos do not require a Github issue. Your pull request should address just this issue, without pulling in other changes - one PR resolves one issue.
  • Format the pull request title like [ISSUE #123] Fix UnknownException when host config not exist. Each commit in the pull request should have a meaningful subject line and body.
  • Write a pull request description that is detailed enough to understand what the pull request does, how, and why.
  • Write necessary unit-test to verify your logic correction, more mock a little better when cross module dependency exist. If the new feature or significant change is committed, please remember to add integration-test in test module.
  • Run mvn -B clean package apache-rat:check findbugs:findbugs -Dmaven.test.skip=true to make sure basic checks pass. Run mvn clean install -DskipITs to make sure unit-test pass. Run mvn clean test-compile failsafe:integration-test to make sure integration-test pass.

KomachiSion
KomachiSion requested changes Mar 15, 2024
View reviewed changes
Copy link
Collaborator

@KomachiSion KomachiSion left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

这样的修复方式是否正确?

我理解spring-web应该是基于spring-boot引入的,看下是否能通过升级spring-boot版本来解决?

@cxhello
Copy link
Contributor Author

cxhello commented Mar 15, 2024
edited

是由 Spring Boot 引入,目前我看使用的版本是2.7.18,是Spring Boot 2 的最后一个版本。如果升级只能升级为3.0,改动应该比较大。所以我在依赖管理中重新定义了 Spring Web 的版本。

https://docs.spring.io/spring-boot/docs/2.7.18/reference/html/dependency-versions.html#appendix.dependency-versions

我理解没声明 spring-web 版本时会使用 Spring Boot 依赖的版本,如果声明了版本会使用自己声明的。

@lzysuqianqiu
Copy link

Now need to upgrade to 5.3.33 to solve simialr CVE

@KomachiSion
Copy link
Collaborator

是由 Spring Boot 引入,目前我看使用的版本是2.7.18,是Spring Boot 2 的最后一个版本。如果升级只能升级为3.0,改动应该比较大。所以我在依赖管理中重新定义了 Spring Web 的版本。

https://docs.spring.io/spring-boot/docs/2.7.18/reference/html/dependency-versions.html#appendix.dependency-versions

我理解没声明 spring-web 版本时会使用 Spring Boot 依赖的版本,如果声明了版本会使用自己声明的。

可以用mvn dependency:tree 看一下修改的是否生效,如果生效的话就这么修改一下。

@cxhello cxhello force-pushed the develop branch 2 times, most recently from 84deabe to 980750c Compare March 20, 2024 03:21
@cxhello cxhello changed the title fix: CVE-2024-22243 Upgrade Spring Web to 5.3.32 fix: CVE-2024-22243 & CVE-2024-22259 Upgrade Spring Web to 5.3.33 Mar 20, 2024
@cxhello
Copy link
Contributor Author

cxhello commented Mar 20, 2024

@KomachiSion

image

@KomachiSion KomachiSion merged commit 19a857b into alibaba:develop Apr 1, 2024
7 checks passed
@KomachiSion KomachiSion added the dependencies Pull requests that update a dependency file label Apr 1, 2024
@KomachiSion KomachiSion added this to the 2.4.0 milestone Apr 1, 2024
@ICE-GB
Copy link
Contributor

ICE-GB commented Apr 1, 2024 

<dependency>
    <groupId>org.springframework</groupId>
    <artifactId>spring-framework-bom</artifactId>
    <version>5.3.33</version>
    <scope>import</scope>
    <type>pom</type>
</dependency>

https://docs.spring.io/spring-boot/docs/2.7.18/reference/html/dependency-versions.html#appendix.dependency-versions:~:text=Spring%20Framework,spring%2Dframework.version

是否直接修改整体的spring-framework.version会更好一些呢?可以统一升级spring-framework的版本,避免只升级单个依赖可能引起的不兼容问题

@cxhello
Copy link
Contributor Author

cxhello commented Apr 1, 2024

@ICE-GB 我理解社区后期会升到SpringBoot 3.0,这是暂时为了修复CVE的一个方案。目前使用的版本是2.7.18,依赖 spring-framework 5.3.31,升级到5.3.33,相当于修订版本升级,应该没有兼容问题。

@ICE-GB
Copy link
Contributor

ICE-GB commented Apr 1, 2024

@ICE-GB 我理解社区后期会升到SpringBoot 3.0,这是暂时为了修复CVE的一个方案。目前使用的版本是2.7.18,依赖 spring-framework 5.3.31,升级到5.3.33,相当于修订版本升级,应该没有兼容问题。

如果是暂时性修复那没什么问题,主要是单独一个依赖放在那里,可能会被其他开发人员忽略,导致后续升级时忘掉这个东西

@cxhello
Copy link
Contributor Author

cxhello commented Apr 1, 2024

@ICE-GB 恩,确实存在这种现象。不过这也是没法避免的。需要开发人员仔细一点。就像#11904 也存在漏洞,不升级 SpringBoot 的话也是要单独升级 Spring Security。

@KomachiSion KomachiSion modified the milestones: 2.4.0, 2.3.2 Apr 2, 2024
@cxhello
Copy link
Contributor Author

cxhello commented Apr 8, 2024

@ICE-GB 已采用你说的方式提了PR,代码已被社区合并。#11914

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@KomachiSion KomachiSion KomachiSion approved these changes

Assignees
No one assigned
Labels
dependencies Pull requests that update a dependency file
Projects
None yet
Milestone
2.3.2
Development

Successfully merging this pull request may close these issues.

nacos依赖的 Spring Web新 UriComponentsBuilder URL解析不当漏洞(CVE-2024-22243)
4 participants
@cxhello @lzysuqianqiu @KomachiSion @ICE-GB