
# 009_Spring Framework RFD (Reflected File Download) Vulnerability CVE-2020-5421

Patch provided: 3RD_SECURITY_20200925_C1, applicable to Platform7.6.5 and ESB

# ESB6.7 patch 3RD_SECURITY_20200925_C1 replacement instructions:

  1. Stop ESBServer, governor and SSM;

  2. Back up the following files. "The Spring jars" below means these 12 files: spring-aop-4.3.29.RELEASE.jar, spring-aspects-4.3.29.RELEASE.jar, spring-beans-4.3.29.RELEASE.jar, spring-context-4.3.29.RELEASE.jar, spring-core-4.3.29.RELEASE.jar, spring-expression-4.3.29.RELEASE.jar, spring-jdbc-4.3.29.RELEASE.jar, spring-jms-4.3.29.RELEASE.jar, spring-messaging-4.3.29.RELEASE.jar, spring-tx-4.3.29.RELEASE.jar, spring-web-4.3.29.RELEASE.jar, spring-webmvc-4.3.29.RELEASE.jar.
     - {ESB67 Governor install directory}/apache-tomcat-8.5.27/webapps/governor/WEB-INF/lib/: eos-server-spring-8.0.0-20181220.095802-311.jar, eos-server-spring-8.0.0-SNAPSHOT.jar, eos-server-sca-spring-8.0.0-20181220.095834-312.jar, eos-server-sca-spring-8.0.0-SNAPSHOT.jar, and the Spring jars;
     - {ESB67 Server install directory}/server/eos_libs/: eos-server-spring-8.0.0-LA1.jar;
     - {ESB67 Server install directory}/server/libs/: the Spring jars;
     - {ESB67 SSM install directory}/ssm/lib/: the Spring jars.

  3. Apply the patch in two parts:
     - Use eos-server-sca-7.1.4.0-patch.jar and eos-server-spring-7.1.4.0-patch.jar from the patch attachment to incrementally replace the same-named class files inside {ESB67 Governor install directory}/apache-tomcat-8.5.27/webapps/governor/WEB-INF/lib/eos-server-spring-8.0.0-20181220.095802-311.jar, eos-server-spring-8.0.0-SNAPSHOT.jar, eos-server-sca-spring-8.0.0-20181220.095834-312.jar, eos-server-sca-spring-8.0.0-SNAPSHOT.jar, and {ESB67 Server install directory}/server/eos_libs/eos-server-spring-8.0.0-LA1.jar;
     - Copy the jars under jars/spring 4.3.29.RELEASE/ in the patch over the existing ones in {ESB67 Server install directory}/server/libs/, {ESB67 Governor install directory}/apache-tomcat-8.5.27/webapps/governor/WEB-INF/lib and {ESB67 SSM install directory}/ssm/lib;

  4. Restart ESBServer, governor and SSM.
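The following is an added example, not the vendor's patch tooling: it performs the backup from step 2 and the incremental same-named class replacement from step 3 for a single jar using Python's standard zipfile module. The jar file names are taken from the page; the jar contents, the `demo/` class names and the temporary working directory are constructed for the demonstration.

```python
import shutil
import tempfile
import zipfile
from pathlib import Path

def backup_jar(jar: Path, backup_dir: Path) -> Path:
    """Step 2: copy the jar into backup_dir before it is modified."""
    backup_dir.mkdir(parents=True, exist_ok=True)
    return Path(shutil.copy2(jar, backup_dir / jar.name))

def patch_jar_classes(target: Path, patch: Path) -> dict:
    """Step 3: overlay the patch jar's .class entries onto target, in place.
    Only .class entries are taken, so target keeps its own MANIFEST.MF and order."""
    with zipfile.ZipFile(patch) as pz:
        classes = {n: pz.read(n) for n in pz.namelist() if n.endswith(".class")}
    tmp = target.with_name(target.name + ".tmp")
    replaced, added = [], []
    with zipfile.ZipFile(target) as tz, zipfile.ZipFile(tmp, "w") as out:
        for info in tz.infolist():
            data = classes.pop(info.filename, None)
            if data is None:
                data = tz.read(info.filename)  # unchanged entry, copied as-is
            else:
                replaced.append(info.filename)
            out.writestr(info.filename, data, compress_type=info.compress_type)
        for name in sorted(classes):  # classes that exist only in the patch
            out.writestr(name, classes[name], compress_type=zipfile.ZIP_DEFLATED)
            added.append(name)
    tmp.replace(target)  # swap in the rebuilt jar only once it is complete
    return {"replaced": replaced, "added": added}

def run_demo() -> dict:
    # Constructed stand-ins: jar names come from the page, contents are fake.
    work = Path(tempfile.mkdtemp())
    target = work / "eos-server-spring-8.0.0-LA1.jar"
    patch = work / "eos-server-spring-7.1.4.0-patch.jar"
    with zipfile.ZipFile(target, "w") as z:
        z.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        z.writestr("demo/Old.class", b"OLD")  # hypothetical class names
        z.writestr("demo/Keep.class", b"KEEP")
    with zipfile.ZipFile(patch, "w") as z:
        z.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\nPatched: yes\n")
        z.writestr("demo/Old.class", b"NEW")
        z.writestr("demo/Extra.class", b"EXTRA")
    result = {"backup": backup_jar(target, work / "backup")}  # back up first
    result.update(patch_jar_classes(target, patch))
    with zipfile.ZipFile(target) as z:
        result["contents"] = {n: z.read(n) for n in z.namelist()}
    return result
```

Compare the returned `replaced` and `added` lists against the class list of the patch jar before restarting; an empty `replaced` list means the patch jar did not overlap the target at all, which usually indicates the wrong target jar was chosen.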
