Struts 2 security vulnerability issue


Problem description

We have projects using Struts 2.0 and 2.1.

We're using web-hosting with Tomcat and both projects are working fine on remote servers. Recently, we got warning message from the webhosting provider, like:

This notice is to inform you that recently numerous vulnerabilities have been discovered related to Struts and Struts2 frameworks and other frameworks which use OGNL classes.

Since your application is using Struts or Struts2 framework, we HIGHLY recommend that you URGENTLY update it to the most recent version: Struts v2.3.16.1

After research, we found there're consistent upgrades: http://struts.apache.org/announce.html

Therefore, we tried to upgrade our Struts2 to 2.3.16.3 (latest version at present). However, we found it's not a trivial task to upgrade Struts2, since everything doesn't work, including AJAX tags, AJAX form submit, auto-complete, etc. In this sense, Struts 2 is not well designed for scalability.

One example is that whenever we submit our AJAX form, the result will be in a new page instead of in the targets field defined in the sx:submit or sj:submit tag. We don't want to re-write all the code just because of the upgrade.

We want to know if we don't upgrade Struts2 to the latest version, what kind of vulnerabilities our web application will face. Could anyone give us more details or any hint for solutions based on our situation? Thanks so much.

Recommended answer

You are probably looking for Security Bulletins. Each document describes the summary, problem, and solution to resolve the problem. At the end of each document you can find hotfixes if they are available.
