Fortify dynamic-code-evaluation-unsafe-deserialization on Spring Boot Actuator 2.1.6


Question

I have the same problem as in the question, the only answer is to upgrade the spring-boot version to 2.0.6. However, I currently have version 2.1.6.RELEASE and I still have the same vulnerability in the report.

Answer

Your scan report should have an abstract, explanation, and recommendation for the issue. (Here are a few links to help you generate the report - Fortify file (.fpr file) to PDF conversion, How do I generate a report that has all the issues?)

In short, this issue is because SpringBoot Actuator exposes JMX management endpoints by default. JMX uses Java serialization to send/receive messages; an attacker who is able to connect and authenticate to the Actuator JMX endpoints will be able to send a malicious Java serialization payload, which may run arbitrary code upon deserialization by the JMX endpoint.

Fix: SpringBoot Actuator JMX endpoints may be disabled by adding the following properties to the application.properties file:

endpoints.jmx.enabled=false
management.endpoints.jmx.exposure.exclude=*

Note: endpoints.jmx.enabled=false is deprecated

MicroFocus
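The properties in the answer silence the finding, but a practitioner will also want to confirm at runtime that no Actuator endpoint is actually registered as an MBean after the change. The following startup check is an added example, not code from the answer above or from Spring Boot itself. It assumes a Spring Boot 2.x application and the default Actuator JMX domain `org.springframework.boot` (configurable through `management.endpoints.jmx.domain`); the class name `JmxExposureCheck` and the pattern constant are my own.

```java
// Added example (not part of the original answer): fail application startup if any
// Actuator endpoint is still exported as a JMX MBean, i.e. if
// management.endpoints.jmx.exposure.exclude=* was not applied.
// Assumption: the default Actuator JMX domain "org.springframework.boot" is in use.
import java.lang.management.ManagementFactory;
import java.util.Set;

import javax.management.MBeanServer;
import javax.management.ObjectName;

import org.springframework.boot.ApplicationArguments;
import org.springframework.boot.ApplicationRunner;
import org.springframework.stereotype.Component;

@Component
public class JmxExposureCheck implements ApplicationRunner {

    // ObjectName pattern matching every Actuator endpoint MBean under the default domain
    // (Actuator registers endpoints as <domain>:type=Endpoint,name=<endpointId>).
    static final String ACTUATOR_ENDPOINT_PATTERN = "org.springframework.boot:type=Endpoint,*";

    /** Returns the names of all Actuator endpoint MBeans currently registered in this JVM. */
    static Set<ObjectName> exposedActuatorEndpoints() throws Exception {
        MBeanServer server = ManagementFactory.getPlatformMBeanServer();
        return server.queryNames(new ObjectName(ACTUATOR_ENDPOINT_PATTERN), null);
    }

    @Override
    public void run(ApplicationArguments args) throws Exception {
        // ApplicationRunner executes after the context is refreshed, so any JMX
        // export Actuator performs has already happened by the time this runs.
        Set<ObjectName> exposed = exposedActuatorEndpoints();
        if (!exposed.isEmpty()) {
            // Fail fast rather than ship a JMX deserialization surface by accident.
            throw new IllegalStateException(
                "Actuator endpoints still exposed over JMX: " + exposed);
        }
    }
}
```

Run the application once with the two properties from the answer in `application.properties`; startup should succeed. Remove `management.endpoints.jmx.exposure.exclude=*` and restart, and the runner should abort startup listing the exposed endpoint names, which demonstrates that the check is actually observing the MBean registrations rather than the property value. Note that Spring Boot 2.1 still defaults `spring.jmx.enabled` to `true`; the default was changed to `false` in Spring Boot 2.2, which is why newer versions stop reporting this finding without any property change.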
