Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

CVE-2024-38816 漏洞 #12686

Closed
Boranget opened this issue Sep 25, 2024 · 10 comments
Closed

CVE-2024-38816 漏洞 #12686

Boranget opened this issue Sep 25, 2024 · 10 comments
Labels
contribution welcome dependencies Pull requests that update a dependency file

Comments

@Boranget
Copy link

nacos开发组你们好:
我们的项目使用了Nacos 2.4.2,今天进行漏洞扫描时扫到了漏洞 CVE-2024-38816,描述如下:

软件:spring 5.3.39
命中:["spring version less than equals 5.3.39"]
路径:C:\startup\nacos2.4.2\nacos\target\nacos-server.jar(BOOT-INF/lib/spring-core-5.3.39.jar)
扩展信息:{"jdk_version": ""}

我查看了最新版本的nacos所依赖的版本仍是5.3.39
望尽快修复。
@Bo-Qiu
Copy link
Contributor

Bo-Qiu commented Sep 25, 2024

I'll fix it.

Bo-Qiu added a commit to Bo-Qiu/nacos that referenced this issue Sep 25, 2024
@Bo-Qiu
fix(alibaba#12686): fix for CVE-2024-38816
f8daa55
@Bo-Qiu Bo-Qiu mentioned this issue Sep 25, 2024
Closed
@Bo-Qiu
Copy link
Contributor

Bo-Qiu commented Sep 25, 2024

https://enterprise.spring.io/projects/spring-framework/changelog/5.3.40

@Bo-Qiu
Copy link
Contributor

Bo-Qiu commented Sep 25, 2024

https://spring.io/security/cve-2024-38816
5.3.40 [Enterprise Support Only]

@IvanWhisper
Copy link

大概什么时候能出补丁?

@Bo-Qiu
Copy link
Contributor

Bo-Qiu commented Sep 26, 2024

大概什么时候能出补丁?

Spring 团队针对 5.3.X 大概率不会出开源版本的补丁了,目前提供的 5.3.40 是 [Enterprise Support Only] 的。

OSS 只修复了 6.1.�X 的。

目前可通过如下方式解决:
较旧、不受支持的版本的用户可以在其应用程序中启用 Spring Security 的防火墙,或者切换到使用 Tomcat 或 Jetty 作为 Web 服务器,因为它们会拒绝此类恶意请求。

FYI https://spring.io/security/cve-2024-38816

@KomachiSion
Copy link
Collaborator

看漏洞描述, nacos应该不受此漏洞的影响, nacos使用的是tomcat而不是webflux. 而且Spring并未发布此问题的社区版修复的。

因此暂时可能无法修复次问题。

后续Nacos 3.0 应该会升级成spring boot3的, 届时spring的漏洞应该都能清除。

@KomachiSion KomachiSion added dependencies Pull requests that update a dependency file status/wontfix This will not be worked on labels Sep 27, 2024
@KomachiSion KomachiSion closed this as not planned Won't fix, can't repro, duplicate, stale Oct 10, 2024
@jaoyina
Copy link

jaoyina commented Oct 10, 2024

大概什么时候能出补丁?

Spring 团队针对 5.3.X 大概率不会出开源版本的补丁了,目前提供的 5.3.40 是 [Enterprise Support Only] 的。

OSS 只修复了 6.1.�X 的。

目前可通过如下方式解决: 较旧、不受支持的版本的用户可以在其应用程序中启用 Spring Security 的防火墙,或者切换到使用 Tomcat 或 Jetty 作为 Web 服务器,因为它们会拒绝此类恶意请求。

FYI https://spring.io/security/cve-2024-38816

如果是用的springboot内置tomcat作为服务器的,是不是也不受影响?

@rock007
Copy link

rock007 commented Nov 1, 2024

如果是用的springboot内置tomcat作为服务器的,是不是也不受影响?

@KomachiSion KomachiSion mentioned this issue Nov 4, 2024
Closed
@KomachiSion KomachiSion removed the status/wontfix This will not be worked on label Nov 4, 2024
@KomachiSion KomachiSion reopened this Nov 4, 2024
@KomachiSion
Copy link
Collaborator

spring 应该发布了 5.8.15, 欢迎提交PR 升级对应security 版本

Bo-Qiu added a commit to Bo-Qiu/nacos that referenced this issue Nov 4, 2024
@Bo-Qiu
fix(alibaba#12686): Upgrade Spring Security version to 5.8.15.
4f4a237
@Bo-Qiu Bo-Qiu mentioned this issue Nov 4, 2024
Merged
KomachiSion pushed a commit that referenced this issue Nov 5, 2024
@Bo-Qiu
fix(#12686): Upgrade Spring Security version to 5.8.15. (#12819)
2c1a511
@KomachiSion
Copy link
Collaborator

spring-security 已经升级到5.8.15了, 可能需要查看一下兼容性, nacos不怎么依赖spring-security,理论上没什么太大影响,但是还是希望社区同学多测试一下看看。

lucky8987 pushed a commit to lucky8987/nacos that referenced this issue Nov 8, 2024
@Bo-Qiu @lucky8987
fix(alibaba#12686): Upgrade Spring Security version to 5.8.15. (aliba…
4c7247b 
…ba#12819)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
contribution welcome dependencies Pull requests that update a dependency file
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
6 participants
@rock007 @jaoyina @IvanWhisper @KomachiSion @Bo-Qiu @Boranget