In addition to Weibo, there is also WeChat
Please pay attention
WeChat public account
Shulou
2025-04-03 Update From: SLTechnology News&Howtos shulou NAV: SLTechnology News&Howtos > Network Security >
Share
Shulou(Shulou.com)06/01 Report--
I had a rest two days ago, but there was a loophole at this time. I had a thump in my heart. I hope that bloggers who pay attention to it can pay attention to it.
1. Time:
2017-4-17
2. Loopholes:
Jackson framework Java deserializes remote code execution vulnerabilities. Jackson can easily convert Java objects into json objects and xml documents, as well as json and xml into Java objects.
3. Vulnerability analysis:
Jackson is an open source java serialization and deserialization tool framework that serializes java objects into strings in xml and json formats and the corresponding deserialization process. Because of its high parsing efficiency, it is currently a built-in parsing method in Spring MVC. The vulnerability is triggered when the enableDefaultTyping method is called before ObjectMapper deserialization. This method allows the class name of the deserialized java object to be specified in the json string, while deserialization vulnerabilities can be triggered when Object, Map, List, and so on.
4. Affect the version:
Jackson Version 2.7.*
< 2.7.10 Jackson Version 2.8.* < 2.8.9 5、漏洞来源:绿盟科技 国家信息安全漏洞共享平台(CNVD) 严重性:***者利用漏洞可在服务器主机上执行任意代码或系统指令,取得网站服务器的控制权。 6、修补方式: 更新到2.7.10或2.8.9版本(但官网目前我试过打不开,新版本并未更新) 手动修改2.7.*,2.8.*以及master分支的代码来防护该漏洞. 7、Github参考: https://github.com/FasterXML/jacksondatabind/commit/fd8dec2c7fab8b4b4bd60502a0f1d63ec23c24da 8、合作:运维排查,开发修改。 9、开发给的建议:10. Reminder: pay attention to safety and be careful.
Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.
Views: 0
*The comments in the above article only represent the author's personal views and do not represent the views and positions of this website. If you have more insights, please feel free to contribute and share.
Continue with the installation of the previous hadoop.First, install zookooper1. Decompress zookoope
"Every 5-10 years, there's a rare product, a really special, very unusual product that's the most un
© 2024 shulou.com SLNews company. All rights reserved.