Dynamic Code Evaluation: Unsafe Deserialization (Spring Boot 2) - how to avoid actuator related Fortify issue, or is it a false positive?


Question


I am using the below actuator dependency

<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-actuator</artifactId>
</dependency>

with Spring Boot 2,

<parent>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-parent</artifactId>
    <version>2.0.5.RELEASE</version>
</parent>


Any comments on the Fortify-related vulnerabilities, or do we have any justification for getting a false positive regarding the Fortify issue?

Recommended answer


I suspect that the issue is being raised by Fortify not because of spring-boot-starter-actuator itself but its transitive dependency on Jackson which contains a deserialization of untrusted data vulnerability. However, for an application to be vulnerable a non-default, and probably quite unusual, set of circumstances have to be true. You can learn more about those circumstances in this blog post from Jackson's author. Spring Boot's Actuator does not enable polymorphic type handling so, if the Fortify warning is due to Jackson, it is a false positive.


The vulnerability has been fixed in Jackson 2.9.7 by blocking certain classes from polymorphic deserialisation. Spring Boot 2.0.6 and 2.1.0 use Jackson 2.9.7 by default.
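Added example (editor's code, not part of the question or the answer above): a stand-alone Java program that makes the answer's distinction concrete. The same JSON, which names a class in Jackson's wrapper-array form, is fed to three ObjectMapper setups: the default one, where the class name is inert; the non-default `enableDefaultTyping()` configuration, which is the "unusual set of circumstances" the answer refers to, where the input picks the class that gets instantiated; and the allow-list validator Jackson offers from 2.10 onward for code that genuinely needs polymorphic handling. The names `DefaultTypingDemo`, `Envelope`, `Dog` and the JSON input are invented for illustration; `new ObjectMapper()` stands in for the mapper Spring Boot auto-configures, which also leaves default typing off. It needs jackson-databind on the classpath, and the allow-list part needs 2.10 or newer.

```java
package demo;

import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

// Added example, not code from the original question or answer.
public class DefaultTypingDemo {

    // A property declared as Object is exactly where Jackson's default typing applies:
    // with default typing on, the JSON itself can name the concrete class to instantiate.
    public static class Envelope {
        public Object data;
    }

    // Harmless stand-in for whatever class an attacker would name (hypothetical).
    public static class Dog {
        public String name;
        @Override public String toString() { return "Dog(" + name + ")"; }
    }

    // Constructed input in the wrapper-array form default typing uses: [class-id, value].
    // In a real attack the class id would be a gadget class on the classpath, not demo.Dog.
    static final String INPUT = "{\"data\":[\"demo.DefaultTypingDemo$Dog\",{\"name\":\"Rex\"}]}";

    // 1. Default mapper (what Spring Boot / Actuator use): no default typing.
    //    The class name is just a string inside a list; nothing is instantiated by name.
    static Object readWithDefaults(String json) throws Exception {
        ObjectMapper mapper = new ObjectMapper();
        return mapper.readValue(json, Envelope.class).data;  // ArrayList: [demo...$Dog, {name=Rex}]
    }

    // 2. The non-default configuration the answer refers to: enableDefaultTyping() lets the
    //    payload choose any class on the classpath (deprecated since Jackson 2.10 for this reason).
    @SuppressWarnings("deprecation")
    static Object readWithDefaultTyping(String json) throws Exception {
        ObjectMapper mapper = new ObjectMapper();
        mapper.enableDefaultTyping();
        return mapper.readValue(json, Envelope.class).data;  // Dog(Rex): class chosen by the input
    }

    // 3. If polymorphic handling is really required (Jackson 2.10+): allow-list your own subtypes
    //    rather than relying on the block-list of known gadget classes that 2.9.7 introduced.
    static Object readWithAllowList(String json) throws Exception {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType("demo.")                   // only classes in our own package may be named
                .build();
        ObjectMapper mapper = new ObjectMapper();
        mapper.activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.OBJECT_AND_NON_CONCRETE);
        return mapper.readValue(json, Envelope.class).data;  // Dog(Rex); "java.util.HashMap" would be rejected
    }

    public static void main(String[] args) throws Exception {
        System.out.println("defaults:       " + readWithDefaults(INPUT));
        System.out.println("default typing: " + readWithDefaultTyping(INPUT));
        System.out.println("allow-list:     " + readWithAllowList(INPUT));
    }
}
```

Two checks worth doing regardless of how the Fortify finding is triaged: search the code base for `enableDefaultTyping` and `@JsonTypeInfo(use = Id.CLASS)` on types that accept untrusted input, since those are the settings that make case 2 reachable, and run `mvn dependency:tree -Dincludes=com.fasterxml.jackson.core:jackson-databind` to see the jackson-databind version actually resolved through the Boot parent (2.0.6 and later pull in the 2.9.7 fix named in the answer).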
