Sonarqube is throwing undertow-core vulnerability finding. How to resolve

huangapple · go · 76

Question

Sonarqube is throwing undertow-core vulnerability finding. How to resolve.

    "textRange": {
      "startLine": 1,
      "endLine": 1,
      "startOffset": 0,
      "endOffset": 38
    },
    "flows": [],
    "status": "OPEN",
    "message": "Filename: test-0.0.1-SNAPSHOT.jar: undertow-core-2.0.29.Final.jar
    | Reference: CVE-2020-1745 | CVSS Score: 9.8 | Category: CWE-200 | A file inclusion
    vulnerability was found in the AJP connector enabled with a default AJP configuration
    port of 8009 in Undertow version 2.0.29.Final and before and was fixed in 2.0.30.Final.
    A remote, unauthenticated attacker could exploit this vulnerability to read web
    application files from a vulnerable server. In instances where the vulnerable server
    allows file uploads, an attacker could upload malicious JavaServer Pages (JSP) code
    within a variety of file types and trigger this vulnerability to gain remote code
    execution.",

Undertow isn't available in the pom, as it is a child of another dependency (spring-boot-starter-undertow, which is updated to the latest version of 2.3.3.RELEASE). Is there a way I can make spring-boot-starter have a specific version of undertow?



    [INFO] +- org.springframework.boot:spring-boot-starter-undertow:jar:2.3.3.RELEASE:compile
    [INFO] |  +- io.undertow:undertow-core:jar:2.0.29.Final:compile
    [INFO] |  |  +- org.jboss.xnio:xnio-api:jar:3.3.8.Final:compile
    [INFO] |  |  \- org.jboss.xnio:xnio-nio:jar:3.3.8.Final:runtime
    [INFO] |  +- io.undertow:undertow-servlet:jar:2.0.29.Final:compile
    [INFO] |  +- io.undertow:undertow-websockets-jsr:jar:2.0.29.Final:compile
    [INFO] |  |  \- org.jboss.spec.javax.websocket:jboss-websocket-api_1.1_spec:jar:1.1.4.Final:compile
    [INFO] |  +- jakarta.servlet:jakarta.servlet-api:jar:4.0.3:compile
    [INFO] |  \- org.glassfish:jakarta.el:jar:3.0.3:compile

Answer 1

Score: 2

If you need a specific version of Undertow, just include it in your pom.xml:

    <dependency>
      <groupId>io.undertow</groupId>
      <artifactId>undertow-core</artifactId>
      <version>2.0.30.Final</version>
    </dependency>

By doing so, you will override any other versions that you might be getting via your other dependencies — including Spring's.

If the version you need is already included in some other package's dependencies and you'd rather have Spring use that one (instead of manually overriding every Undertow dependency in your pom), you may try to [exclude](https://maven.apache.org/guides/introduction/introduction-to-optional-and-excludes-dependencies.html#dependency-exclusions) just the one provided by the starter:

    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-actuator</artifactId>
        <version>2.3.3.RELEASE</version> <!-- already includes undertow 2.0.30 -->
    </dependency>
    <dependency>
      <groupId>org.springframework.boot</groupId>
      <artifactId>spring-boot-starter-undertow</artifactId>
      <version>2.3.3.RELEASE</version>
      <exclusions>
        <exclusion>
          <groupId>io.undertow</groupId>
          <artifactId>undertow-core</artifactId>
        </exclusion>
      </exclusions>
    </dependency>

If you do the above, Spring will pick the undertow-core version provided by spring-boot-actuator instead of the one provided by spring-boot-starter-undertow.
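The answer above pins undertow-core on its own, which leaves undertow-servlet and undertow-websockets-jsr at 2.0.29.Final. Spring Boot's parent POM manages all three io.undertow artifacts through one property, `undertow.version`, so the more common fix is to override that property and let every Undertow jar move together. The pom.xml below is an added example written for this page, not code from the question or the answer. It assumes a project that inherits from spring-boot-starter-parent 2.3.3.RELEASE (the question shows only the dependency tree, so the parent and the `com.example` coordinates are hypothetical) and takes 2.0.30.Final, the fix release named in the finding, as the minimum version. It also adds a Maven Enforcer `bannedDependencies` rule so that a later dependency change cannot silently reintroduce an older undertow-core:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example (not from the question or answer): pin every Undertow
     artifact through Spring Boot's managed "undertow.version" property and
     make the build fail if a vulnerable io.undertow artifact ever comes back.
     Assumptions: the project inherits from spring-boot-starter-parent
     2.3.3.RELEASE and the target version is the fix release named in the
     finding, 2.0.30.Final. Coordinates are hypothetical. -->
<project xmlns="http://maven.apache.org/POM/4.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
  <modelVersion>4.0.0</modelVersion>

  <parent>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-parent</artifactId>
    <version>2.3.3.RELEASE</version>
    <relativePath/>
  </parent>

  <groupId>com.example</groupId> <!-- hypothetical coordinates -->
  <artifactId>test</artifactId>
  <version>0.0.1-SNAPSHOT</version>

  <properties>
    <!-- spring-boot-dependencies manages io.undertow:undertow-core,
         undertow-servlet and undertow-websockets-jsr with this single
         property, so overriding it moves all three together instead of
         mixing a patched undertow-core with 2.0.29.Final servlet/websocket
         jars. Must be at least 2.0.30.Final for CVE-2020-1745; if the Boot
         line in use already manages a newer release, keep the newer one. -->
    <undertow.version>2.0.30.Final</undertow.version>
  </properties>

  <dependencies>
    <dependency>
      <groupId>org.springframework.boot</groupId>
      <artifactId>spring-boot-starter-web</artifactId>
      <exclusions>
        <!-- the web starter ships Tomcat; drop it so Undertow is the only
             embedded container -->
        <exclusion>
          <groupId>org.springframework.boot</groupId>
          <artifactId>spring-boot-starter-tomcat</artifactId>
        </exclusion>
      </exclusions>
    </dependency>
    <dependency>
      <groupId>org.springframework.boot</groupId>
      <artifactId>spring-boot-starter-undertow</artifactId>
      <!-- no <version>: inherited from the parent, which now resolves the
           io.undertow artifacts to ${undertow.version} -->
    </dependency>
  </dependencies>

  <build>
    <plugins>
      <plugin>
        <groupId>org.apache.maven.plugins</groupId>
        <artifactId>maven-enforcer-plugin</artifactId>
        <version>3.0.0-M3</version>
        <executions>
          <execution>
            <id>ban-vulnerable-undertow</id>
            <goals>
              <goal>enforce</goal>
            </goals>
            <configuration>
              <rules>
                <bannedDependencies>
                  <!-- fail the build, including for transitive dependencies,
                       if any io.undertow artifact below the fixed release is
                       resolved; the version segment is a Maven version range -->
                  <excludes>
                    <exclude>io.undertow:*:(,2.0.30.Final)</exclude>
                  </excludes>
                  <message>Undertow older than 2.0.30.Final is affected by CVE-2020-1745</message>
                </bannedDependencies>
              </rules>
            </configuration>
          </execution>
        </executions>
      </plugin>
    </plugins>
  </build>
</project>
```

Before choosing the value, check what the parent already manages with `mvn help:evaluate -Dexpression=undertow.version -q -DforceStdout`, and after the change confirm the result with `mvn dependency:tree -Dincludes=io.undertow`, which should list every io.undertow artifact at the pinned version. Two caveats: an explicit `<version>` on a direct dependency (the answer's first approach) still wins over the managed version for that one artifact, so remove such pins once the property is set; and the finding concerns the AJP listener, which an embedded Spring Boot Undertow does not open unless you add one yourself through an `UndertowBuilderCustomizer`, so the upgrade removes the vulnerable code rather than closing a port that was already exposed.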

huangapple
  • Posted by huangapple on 2020-08-28 09:11:39
  • Please keep this link when reposting: https://go.coder-hub.com/63626119.html