6月25日, Apache 官方安全团队通过邮件公开报告了一个高危漏洞,邮件中介绍了 HTTP/2 拒绝服务漏洞的细节及解决方案。如下图所示:
漏洞详情链接:
漏洞描述:一个特别制作的 HTTP/2 请求序列,在短短数秒内能导致 CPU 满负载率,如果有足够数量多的此类请求连接(HTTP/2)并发放在服务器上,服务器可能会失去响应。
如果条件允许,可以通过升级到Tomcat新版本来解决漏洞。下面为受影响版本对应的安全版本:
Apache Tomcat HTTP/2 拒绝服务漏洞也给Spring Cloud / Boot 框架带来了一定的影响。下面是所有受影响的版本列表,大家可以查看并对照下自己的代码,看看是否受到影响。
为了避免上述漏洞,现有两种升级方案:
直接升级Spring Boot版本。
手动升级Tomcat版本。
Edgware无法通过升级Spring Boot版本解决问题。=
<properties> <tomcat-embed.version>8.5.56</tomcat-embed.version> </properties> <dependencyManagement> <dependencies> <dependency> <groupId>org.apache.tomcat.embed</groupId> <artifactId>tomcat-embed-core</artifactId> <version>${tomcat-embed.version}</version> </dependency> <dependency> <groupId>org.apache.tomcat.embed</groupId> <artifactId>tomcat-embed-el</artifactId> <version>${tomcat-embed.version}</version> </dependency> <dependency> <groupId>org.apache.tomcat.embed</groupId> <artifactId>tomcat-embed-websocket</artifactId> <version>${tomcat-embed.version}</version> </dependency> <dependency> <groupId>org.apache.tomcat</groupId> <artifactId>tomcat-annotations-api</artifactId> <version>${tomcat-embed.version}</version> </dependency> </dependencies> </dependencyManagement>
Finchley无法通过升级Spring Boot版本解决问题。
<properties> <tomcat-embed.version>8.5.56</tomcat-embed.version> </properties> <dependencyManagement> <dependencies> <dependency> <groupId>org.apache.tomcat.embed</groupId> <artifactId>tomcat-embed-core</artifactId> <version>${tomcat-embed.version}</version> </dependency> <dependency> <groupId>org.apache.tomcat.embed</groupId> <artifactId>tomcat-embed-el</artifactId> <version>${tomcat-embed.version}</version> </dependency> <dependency> <groupId>org.apache.tomcat.embed</groupId> <artifactId>tomcat-embed-websocket</artifactId> <version>${tomcat-embed.version}</version> </dependency> </dependencies> </dependencyManagement>
<parent> <groupId>org.springframework.boot</groupId> <artifactId>spring-boot-starter-parent</artifactId> <version>2.1.15.RELEASE</version> </parent>
<properties> <tomcat-embed.version>9.0.36</tomcat-embed.version> </properties> <dependencyManagement> <dependencies> <dependency> <groupId>org.apache.tomcat.embed</groupId> <artifactId>tomcat-embed-core</artifactId> <version>${tomcat-embed.version}</version> </dependency> <dependency> <groupId>org.apache.tomcat.embed</groupId> <artifactId>tomcat-embed-el</artifactId> <version>${tomcat-embed.version}</version> </dependency> <dependency> <groupId>org.apache.tomcat.embed</groupId> <artifactId>tomcat-embed-websocket</artifactId> <version>${tomcat-embed.version}</version> </dependency> </dependencies> </dependencyManagement>
<parent> <groupId>org.springframework.boot</groupId> <artifactId>spring-boot-starter-parent</artifactId> <version>2.2.8.RELEASE</version> </parent>
<properties> <tomcat-embed.version>9.0.36</tomcat-embed.version> </properties> <dependencyManagement> <dependencies> <dependency> <groupId>org.apache.tomcat.embed</groupId> <artifactId>tomcat-embed-core</artifactId> <version>${tomcat-embed.version}</version> </dependency> <dependency> <groupId>org.apache.tomcat.embed</groupId> <artifactId>tomcat-embed-el</artifactId> <version>${tomcat-embed.version}</version> </dependency> <dependency> <groupId>org.apache.tomcat.embed</groupId> <artifactId>tomcat-embed-websocket</artifactId> <version>${tomcat-embed.version}</version> </dependency> </dependencies> </dependencyManagement>
<parent> <groupId>org.springframework.boot</groupId> <artifactId>spring-boot-starter-parent</artifactId> <version>2.3.1.RELEASE</version> </parent>
<properties> <tomcat-embed.version>9.0.36</tomcat-embed.version> </properties> <dependencyManagement> <dependencies> <dependency> <groupId>org.apache.tomcat.embed</groupId> <artifactId>tomcat-embed-core</artifactId> <version>${tomcat-embed.version}</version> </dependency> <dependency> <groupId>org.apache.tomcat.embed</groupId> <artifactId>tomcat-embed-websocket</artifactId> <version>${tomcat-embed.version}</version> </dependency> </dependencies></dependencyManagement>