Skip to content
New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

#

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

Jump to bottom

CVE-2024-38816 漏洞 #12686

Closed
Boranget opened this issue Sep 25, 2024 · 10 comments
Closed

CVE-2024-38816 漏洞 #12686

Boranget opened this issue Sep 25, 2024 · 10 comments
Labels
contribution welcome dependencies Pull requests that update a dependency file

Comments

@Boranget
Copy link

nacos开发组你们好:
我们的项目使用了Nacos 2.4.2,今天进行漏洞扫描时扫到了漏洞 CVE-2024-38816,描述如下:

软件:spring 5.3.39
命中:["spring version less than equals 5.3.39"]
路径:C:\startup\nacos2.4.2\nacos\target\nacos-server.jar(BOOT-INF/lib/spring-core-5.3.39.jar)
扩展信息:{"jdk_version": ""}

我查看了最新版本的nacos所依赖的版本仍是5.3.39
望尽快修复。
@Bo-Qiu
Copy link
Contributor

Bo-Qiu commented Sep 25, 2024

I'll fix it.

Bo-Qiu added a commit to Bo-Qiu/nacos that referenced this issue Sep 25, 2024
@Bo-Qiu
fix(alibaba#12686): fix for CVE-2024-38816
f8daa55
@Bo-Qiu Bo-Qiu mentioned this issue Sep 25, 2024
Closed
@Bo-Qiu
Copy link
Contributor

Bo-Qiu commented Sep 25, 2024

https://enterprise.spring.io/projects/spring-framework/changelog/5.3.40

@Bo-Qiu
Copy link
Contributor

Bo-Qiu commented Sep 25, 2024

https://spring.io/security/cve-2024-38816
5.3.40 [Enterprise Support Only]

@IvanWhisper
Copy link

大概什么时候能出补丁?

@Bo-Qiu
Copy link
Contributor

Bo-Qiu commented Sep 26, 2024

大概什么时候能出补丁?

Spring 团队针对 5.3.X 大概率不会出开源版本的补丁了,目前提供的 5.3.40 是 [Enterprise Support Only] 的。

OSS 只修复了 6.1.�X 的。

目前可通过如下方式解决:
较旧、不受支持的版本的用户可以在其应用程序中启用 Spring Security 的防火墙,或者切换到使用 Tomcat 或 Jetty 作为 Web 服务器,因为它们会拒绝此类恶意请求。

FYI https://spring.io/security/cve-2024-38816

@KomachiSion
Copy link
Collaborator

看漏洞描述, nacos应该不受此漏洞的影响, nacos使用的是tomcat而不是webflux. 而且Spring并未发布此问题的社区版修复的。

因此暂时可能无法修复次问题。

后续Nacos 3.0 应该会升级成spring boot3的, 届时spring的漏洞应该都能清除。

@KomachiSion KomachiSion added dependencies Pull requests that update a dependency file status/wontfix This will not be worked on labels Sep 27, 2024
@KomachiSion KomachiSion closed this as not planned Won't fix, can't repro, duplicate, stale Oct 10, 2024
@jaoyina
Copy link

jaoyina commented Oct 10, 2024

大概什么时候能出补丁?

Spring 团队针对 5.3.X 大概率不会出开源版本的补丁了,目前提供的 5.3.40 是 [Enterprise Support Only] 的。

OSS 只修复了 6.1.�X 的。

目前可通过如下方式解决: 较旧、不受支持的版本的用户可以在其应用程序中启用 Spring Security 的防火墙,或者切换到使用 Tomcat 或 Jetty 作为 Web 服务器,因为它们会拒绝此类恶意请求。

FYI https://spring.io/security/cve-2024-38816

如果是用的springboot内置tomcat作为服务器的,是不是也不受影响?

@rock007
Copy link

rock007 commented Nov 1, 2024

如果是用的springboot内置tomcat作为服务器的,是不是也不受影响?

@KomachiSion KomachiSion mentioned this issue Nov 4, 2024
Closed
@KomachiSion KomachiSion removed the status/wontfix This will not be worked on label Nov 4, 2024
@KomachiSion KomachiSion reopened this Nov 4, 2024
@KomachiSion
Copy link
Collaborator

spring 应该发布了 5.8.15, 欢迎提交PR 升级对应security 版本

Bo-Qiu added a commit to Bo-Qiu/nacos that referenced this issue Nov 4, 2024
@Bo-Qiu
fix(alibaba#12686): Upgrade Spring Security version to 5.8.15.
4f4a237
@Bo-Qiu Bo-Qiu mentioned this issue Nov 4, 2024
Merged
KomachiSion pushed a commit that referenced this issue Nov 5, 2024
@Bo-Qiu
fix(#12686): Upgrade Spring Security version to 5.8.15. (#12819)
2c1a511
@KomachiSion
Copy link
Collaborator

spring-security 已经升级到5.8.15了, 可能需要查看一下兼容性, nacos不怎么依赖spring-security,理论上没什么太大影响,但是还是希望社区同学多测试一下看看。

lucky8987 pushed a commit to lucky8987/nacos that referenced this issue Nov 8, 2024
@Bo-Qiu @lucky8987
fix(alibaba#12686): Upgrade Spring Security version to 5.8.15. (aliba…
4c7247b 
…ba#12819)
# for free to join this conversation on GitHub. Already have an account? # to comment
Assignees
No one assigned
Labels
contribution welcome dependencies Pull requests that update a dependency file
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
6 participants
@rock007 @jaoyina @IvanWhisper @KomachiSion @Bo-Qiu @Boranget