Product Security Vulnerability Notes and Solutions

# 008_XStream Denial-of-Service Vulnerability (CVE-2022-41966)

Patch provided: PLATFORM_7.5_PTP_20230209_P1, applicable to EOS 7.5 through 7.6.6 and to ESB.

# ESB 6.7: replacement instructions for patch PLATFORM_7.5_PTP_20230209_P1

governor:

  • Incrementally replace DomainModel.class inside Primeton_ESB_8.0_Governor_Windows\apache-tomcat-8.5.27\webapps\governor\WEB-INF\lib\anyware-deploy-8.0.0-20181220.095418-331.jar / Primeton_ESB_8.0_Governor_Windows\apache-tomcat-8.5.27\webapps\governor\WEB-INF\lib\anyware-deploy-8.0.0-SNAPSHOT.jar
  • Incrementally replace SupportInfo.class, SecurityChannelConfig.class and SecurityChannelConfig$ConfigValueConverter.class inside Primeton_ESB_8.0_Governor_Windows\apache-tomcat-8.5.27\webapps\governor\WEB-INF\lib\anyware-commons-system-8.0.0-20181220.095039-340.jar / Primeton_ESB_8.0_Governor_Windows\apache-tomcat-8.5.27\webapps\governor\WEB-INF\lib\anyware-commons-system-8.0.0-SNAPSHOT.jar

server:

  • Upgrade Primeton_ESB_8.0_Server_Windows\server\libs\xstream-1.2.2.jar
  • Incrementally replace DomainModel.class inside Primeton_ESB_8.0_Server_Windows\server\eos_libs\anyware-deploy-8.0.0-LA1.jar
  • Incrementally replace SupportInfo.class, SecurityChannelConfig.class and SecurityChannelConfig$ConfigValueConverter.class inside Primeton_ESB_8.0_Server_Windows\server\eos_libs\anyware-commons-system-8.0.0-LA1.jar

SSM: upgrade Primeton_ESB_8.0_SSM_Windows\ssm\lib\xstream-1.4.10.jar directly; no patching is involved.

# ESB 8.0: replacement instructions for patch PLATFORM_7.5_PTP_20230209_P1

governor:

  • Upgrade Primeton_ESB_8.0_Governor_Windows\apache-tomcat-8.5.27\webapps\governor\WEB-INF\lib\xstream-1.4.20.jar
  • Incrementally replace DomainModel.class inside Primeton_ESB_8.0_Governor_Windows\apache-tomcat-8.5.27\webapps\governor\WEB-INF\lib\anyware-deploy-8.0.0-20181220.095418-331.jar / Primeton_ESB_8.0_Governor_Windows\apache-tomcat-8.5.27\webapps\governor\WEB-INF\lib\anyware-deploy-8.0.0-SNAPSHOT.jar
  • Incrementally replace SupportInfo.class, SecurityChannelConfig.class and SecurityChannelConfig$ConfigValueConverter.class inside Primeton_ESB_8.0_Governor_Windows\apache-tomcat-8.5.27\webapps\governor\WEB-INF\lib\anyware-commons-system-8.0.0-20181220.095039-340.jar / Primeton_ESB_8.0_Governor_Windows\apache-tomcat-8.5.27\webapps\governor\WEB-INF\lib\anyware-commons-system-8.0.0-SNAPSHOT.jar

server:

  • Upgrade Primeton_ESB_8.0_Server_Windows\server\libs\xstream-1.4.20.jar
  • Incrementally replace DomainModel.class inside Primeton_ESB_8.0_Server_Windows\server\eos_libs\anyware-deploy-8.0.0-LA1.jar
  • Incrementally replace SupportInfo.class, SecurityChannelConfig.class and SecurityChannelConfig$ConfigValueConverter.class inside Primeton_ESB_8.0_Server_Windows\server\eos_libs\anyware-commons-system-8.0.0-LA1.jar

SSM: upgrade Primeton_ESB_8.0_SSM_Windows\ssm\lib\xstream-1.4.20.jar directly; no patching is involved.

SAP: if anyware-deploy-8.0.0-20181220.095418-331.jar and anyware-commons-system-8.0.0-20181220.095039-340.jar are not referenced, proceed as for SSM: only xstream needs to be upgraded.

If they are referenced, replace them in the same way as for governor/server.
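The steps above are a manual jar/class replacement, and two things commonly go wrong in practice: an old xstream jar is left lying next to the new one (whichever the class loader picks first wins), or a class inside an anyware jar is not actually swapped. The following script is an added verification example, not Primeton's own tooling, and it assumes a patch directory that holds the replacement .class files as loose files (the advisory does not describe the patch package layout, so that is an assumption). It walks an installation root, flags every xstream-*.jar below 1.4.20, and compares the SHA-256 of each patched class entry inside the anyware jars with the copy in the patch directory. The sample tree it builds for demonstration is constructed here and is not a real product installation.

```python
"""Added post-patch verifier for the XStream CVE-2022-41966 fix (example code,
not part of the product). Assumption: patch_dir holds the replacement .class
files as loose files named exactly as the class entries in the jars."""
import hashlib
import re
import tempfile
import zipfile
from pathlib import Path

# Version the advisory upgrades XStream to (xstream-1.4.20.jar).
MIN_XSTREAM = (1, 4, 20)

# Classes the advisory says are replaced inside each anyware jar family.
PATCHED_CLASSES = {
    "anyware-deploy": ["DomainModel.class"],
    "anyware-commons-system": [
        "SupportInfo.class",
        "SecurityChannelConfig.class",
        "SecurityChannelConfig$ConfigValueConverter.class",
    ],
}

_XSTREAM_RE = re.compile(r"^xstream-(\d+)\.(\d+)\.(\d+)\.jar$")


def xstream_version(jar_name):
    """Parse 'xstream-1.4.20.jar' into (1, 4, 20); None for any other file."""
    m = _XSTREAM_RE.match(jar_name)
    return tuple(int(g) for g in m.groups()) if m else None


def find_xstream_jars(root):
    """Every xstream jar under root as (path, version, meets_minimum)."""
    found = []
    for jar in sorted(Path(root).rglob("xstream-*.jar")):
        ver = xstream_version(jar.name)
        if ver is not None:
            found.append((str(jar), ver, ver >= MIN_XSTREAM))
    return found


def _entry_digest(zf, basename):
    """SHA-256 of the jar entry whose file name is basename, in any package."""
    for name in zf.namelist():
        if name.rsplit("/", 1)[-1] == basename:
            return hashlib.sha256(zf.read(name)).hexdigest()
    return None


def check_patched_classes(jar_path, patch_dir):
    """Map each class the patch replaces in this jar to True when the installed
    entry is byte-identical to the patch's copy; {} for unrelated jars."""
    name = Path(jar_path).name
    family = next((f for f in PATCHED_CLASSES if name.startswith(f + "-")), None)
    if family is None:
        return {}
    report = {}
    with zipfile.ZipFile(jar_path) as zf:
        for cls in PATCHED_CLASSES[family]:
            patch_file = Path(patch_dir) / cls
            if not patch_file.is_file():
                report[cls] = False  # no reference copy: cannot confirm
                continue
            expected = hashlib.sha256(patch_file.read_bytes()).hexdigest()
            report[cls] = _entry_digest(zf, cls) == expected
    return report


def verify_install(root, patch_dir):
    """Aggregate report. 'ok' requires at least one xstream jar, no xstream jar
    below the minimum (a stale copy beside the new one is still loadable), and
    every patched class in every anyware jar matching the patch."""
    xstream = find_xstream_jars(root)
    classes = {}
    for jar in sorted(Path(root).rglob("anyware-*.jar")):
        result = check_patched_classes(jar, patch_dir)
        if result:
            classes[str(jar)] = result
    ok = (
        bool(xstream)
        and all(meets for _, _, meets in xstream)
        and all(all(r.values()) for r in classes.values())
    )
    return {"xstream": xstream, "classes": classes, "ok": ok}


def build_sample_tree(patched):
    """Constructed sample (not a real install): a server/ layout with one
    xstream jar and both anyware jars, plus a patch directory of .class files.
    Returns (install_root, patch_dir) as strings."""
    base = Path(tempfile.mkdtemp())
    root, patch_dir = base / "Primeton_ESB_8.0_Server_Windows", base / "patch"
    (root / "server" / "libs").mkdir(parents=True)
    (root / "server" / "eos_libs").mkdir()
    patch_dir.mkdir()
    xs = "xstream-1.4.20.jar" if patched else "xstream-1.2.2.jar"
    (root / "server" / "libs" / xs).write_bytes(b"")  # name is all we inspect
    for family, classes in PATCHED_CLASSES.items():
        jar = root / "server" / "eos_libs" / f"{family}-8.0.0-LA1.jar"
        with zipfile.ZipFile(jar, "w") as zf:
            for cls in classes:
                (patch_dir / cls).write_bytes(b"patched " + cls.encode())
                body = b"patched " if patched else b"old "
                zf.writestr("com/example/" + cls, body + cls.encode())
    return str(root), str(patch_dir)


if __name__ == "__main__":
    import json
    import sys
    args = sys.argv[1:3] if len(sys.argv) >= 3 else build_sample_tree(False)
    print(json.dumps(verify_install(*args), indent=2))
```

Run it as `python verify_patch.py <install_root> <patch_dir>` against a real tree; with no arguments it reports on the constructed unpatched sample. Matching on byte digest rather than on file presence matters here because the original jars already contain a DomainModel.class and a SupportInfo.class, so an existence check would pass before the patch was applied.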
