CVE-2022-22965: fixed in Spring 5.2.22.RELEASE, 5.3.18 and later.
CVE-2022-22971, CVE-2022-22970, CVE-2022-22968, CVE-2022-22965: Spring 4.3.30, 5.0.20 and 5.1.20 are affected by all four of these vulnerabilities.
CVE-2022-27772: fixed in Spring Boot 2.2.11.RELEASE and later; every version below it is vulnerable.
Spring Boot | Spring Core | Spring Cloud | Safe version | Description |
---|---|---|---|---|
3.0.1 | 6.0.3 | 2022.0.0 | Yes | JDK 17, Gradle 7.5, Hibernate 6.1, Tomcat 10 |
2.7.7 | 5.3.24 | 2021.0.5 | Yes | Prefer upgrading 2.6 to 2.7 |
2.6.14 | 5.3.24 | 2021.0.5 | Yes | |
2.5.14 | 5.3.24 | 2020.0.6 | Yes | Prefer upgrading 2.4 to 2.5 |
2.4.13 | 5.3.24 | 2020.0.6 | Yes | |
2.3.12.RELEASE | 5.2.22.RELEASE | Hoxton.SR12 | Yes | Prefer upgrading 2.2 to 2.3 |
2.2.13.RELEASE | 5.2.22.RELEASE | Hoxton.SR12 | Yes | |
2.1.18.RELEASE* | 5.1.20.RELEASE* | Greenwich.SR6 | No | |
2.0.9.RELEASE* | 5.0.20.RELEASE* | Finchley.SR4 | No | |
1.5.22.RELEASE* | 4.3.30.RELEASE* | Edgware.SR6 | No | |
Versions marked with an asterisk have known security vulnerabilities.
JDK 17 requires at least Spring Boot 2.5.5.
https://mvnrepository.com/artifact/org.springframework.boot/spring-boot
https://mvnrepository.com/artifact/org.springframework/spring-core
https://mvnrepository.com/search?q=spring-cloud-dependencies
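As an added example (not from this page or the Spring project), a small audit script that applies the version thresholds above to the output of `mvn dependency:list`. The sample output lines are constructed, and the function names are assumptions.

```python
import re

# Thresholds from this page: CVE-2022-22965 is fixed in Spring Framework
# 5.2.22.RELEASE / 5.3.18; the 4.3.x, 5.0.x and 5.1.x lines have no fixed
# release. CVE-2022-27772 is fixed in Spring Boot 2.2.11.RELEASE and later.
SPRING_FW_22965_FIX = {(5, 3): (5, 3, 18), (5, 2): (5, 2, 22)}
SPRING_BOOT_27772_FIX = (2, 2, 11)

# Constructed sample of `mvn dependency:list` output, not real project output.
SAMPLE_MVN_OUTPUT = """\
[INFO]    org.springframework:spring-core:jar:5.2.20.RELEASE:compile
[INFO]    org.springframework.boot:spring-boot:jar:2.2.10.RELEASE:compile
[INFO]    org.springframework:spring-beans:jar:5.2.20.RELEASE:compile
[INFO]    com.fasterxml.jackson.core:jackson-databind:jar:2.11.4:compile
"""

def parse_version(v):
    """'5.2.22.RELEASE', '5.3.18', '2.7.7' -> (5, 2, 22) etc.; qualifiers ignored."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", v.strip())
    if not m:
        raise ValueError(f"unrecognised version: {v!r}")
    return tuple(int(x) for x in m.groups())

def spring_framework_vulnerable_22965(version):
    major, minor, patch = parse_version(version)
    fix = SPRING_FW_22965_FIX.get((major, minor))
    if fix is None:
        # 4.3/5.0/5.1 never received a fix; 6.x shipped after the fix.
        return (major, minor) < (5, 2)
    return (major, minor, patch) < fix

def spring_boot_vulnerable_27772(version):
    return parse_version(version) < SPRING_BOOT_27772_FIX

def audit_mvn_dependency_list(text):
    """Map CVE id -> [artifact:version, ...]; all org.springframework artifacts
    share the framework version, so the 22965 threshold applies to each."""
    findings = {}
    line_re = re.compile(r"^\[INFO\]\s+([\w.\-]+):([\w.\-]+):jar:([^:]+):")
    for line in text.splitlines():
        m = line_re.match(line)
        if not m:
            continue
        group, artifact, version = m.groups()
        if group == "org.springframework" and spring_framework_vulnerable_22965(version):
            findings.setdefault("CVE-2022-22965", []).append(f"{artifact}:{version}")
        if group == "org.springframework.boot" and spring_boot_vulnerable_27772(version):
            findings.setdefault("CVE-2022-27772", []).append(f"{artifact}:{version}")
    return findings
```

Feed `audit_mvn_dependency_list` the captured text of `mvn dependency:list` from the project under review; an empty dict means no Spring artifact fell below the page's fixed versions.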
Key fix code for CVE-2022-22965:
https://github.com/spring-projects/spring-framework/commit/002546b3e4b8d791ea6acccb81eb3168f51abb15
spring-beans/src/main/java/org/springframework/beans/CachedIntrospectionResults.java
@@ -22,6 +22,7 @@
+import java.security.ProtectionDomain;
@@ -286,9 +287,13 @@ private CachedIntrospectionResults(Class<?> beanClass) throws BeansException {
// This call is slow so we do it once.
PropertyDescriptor[] pds = this.beanInfo.getPropertyDescriptors();
for (PropertyDescriptor pd : pds) {
- if (Class.class == beanClass &&
- ("classLoader".equals(pd.getName()) || "protectionDomain".equals(pd.getName()))) {
- // Ignore Class.getClassLoader() and getProtectionDomain() methods - nobody needs to bind to those
+ if (Class.class == beanClass && (!"name".equals(pd.getName()) && !pd.getName().endsWith("Name"))) {
+ // Only allow all name variants of Class properties
+ continue;
+ }
+ if (pd.getPropertyType() != null && (ClassLoader.class.isAssignableFrom(pd.getPropertyType())
+ || ProtectionDomain.class.isAssignableFrom(pd.getPropertyType()))) {
+ // Ignore ClassLoader and ProtectionDomain types - nobody needs to bind to those
continue;
}
if (logger.isTraceEnabled()) {
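Review bot: the comment `// Only allow all name variants of Class properties` does not say why, and this is the line that changes the model from a denylist (only `classLoader` and `protectionDomain` on `Class.class`) to an allowlist (`name` and `*Name` only); state the intent explicitly, e.g. `// For java.lang.Class, expose only the name-related properties; nothing else on Class is bindable`. The second check is the one that protects every other bean class: it keys on the property type rather than the name, and `isAssignableFrom` also catches subclasses of `ClassLoader`. The `pd.getPropertyType() != null` guard is needed since indexed-only properties report no property type.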
@@ -337,6 +342,11 @@ private void introspectInterfaces(Class<?> beanClass, Class<?> currClass, Set<St
// GenericTypeAwarePropertyDescriptor leniently resolves a set* write method
// against a declared read method, so we prefer read method descriptors here.
pd = buildGenericTypeAwarePropertyDescriptor(beanClass, pd);
+ if (pd.getPropertyType() != null && (ClassLoader.class.isAssignableFrom(pd.getPropertyType())
+ || ProtectionDomain.class.isAssignableFrom(pd.getPropertyType()))) {
+ // Ignore ClassLoader and ProtectionDomain types - nobody needs to bind to those
+ continue;
+ }
this.propertyDescriptors.put(pd.getName(), pd);
Method readMethod = pd.getReadMethod();
if (readMethod != null) {
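Review bot: this type check is a verbatim copy of the one added in the constructor hunk above; extract it into a private static helper (e.g. `isClassLoaderOrProtectionDomain(pd)`) so the two sites cannot drift if another sensitive type has to be excluded later. The `Class.class` name allowlist is not repeated here, which is fine because `introspectInterfaces` only walks interfaces and `java.lang.Class` is a final class, but a one-line comment saying so would save the next reader the check.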
References:
https://spring.io/projects/spring-cloud
https://www.cnblogs.com/huaweiyun/p/16143760.html