Late to the game: I only started fixing the Struts2 vulnerabilities today.
For details, see:
http://struts.apache.org/release/2.3.x/docs/security-bulletins.html
This upgrade takes Struts 2.3.1.2 to 2.3.15.1.
All updates:
```
Same in both versions:
aopalliance-1.0.jar
asm-commons-3.3.jar
asm-tree-3.3.jar
commons-logging-api-1.1.jar
ezmorph-1.0.6.jar
guava-r09.jar
stax2-api-3.1.1.jar
xml-resolver-1.2.jar

Replaced (** marks the ones the patch requires replacing):
asm-3.3.jar -> asm-3.2.jar
** commons-fileupload-1.3.jar -> commons-fileupload-1.2.2.jar
commons-io-2.0.1.jar -> commons-io-1.4.jar
** add commons-lang3-3.1.jar
commons-logging-1.1.3.jar -> commons-logging-1.1.1.jar
cxf-api-2.7.4.jar -> cxf-api-2.5.0.jar
cxf-rt-bindings-soap-2.7.4.jar -> cxf-rt-bindings-soap-2.5.0.jar
cxf-rt-bindings-xml-2.7.4.jar -> cxf-rt-bindings-xml-2.5.0.jar
cxf-rt-core-2.7.4.jar -> cxf-rt-core-2.5.0.jar
cxf-rt-databinding-jaxb-2.7.4.jar -> cxf-rt-databinding-jaxb-2.5.0.jar
cxf-rt-frontend-jaxws-2.7.4.jar -> cxf-rt-frontend-jaxws-2.5.0.jar
cxf-rt-frontend-simple-2.7.4.jar -> cxf-rt-frontend-simple-2.5.0.jar
cxf-rt-transports-http-2.7.4.jar -> cxf-rt-transports-http-2.5.0.jar
cxf-rt-ws-addr-2.7.4.jar -> cxf-rt-ws-addr-2.5.0.jar
freemarker-2.3.19.jar -> freemarker-2.3.16.jar
jackson-core-asl-1.9.2.jar -> jackson-core-asl-1.6.0.jar
jackson-mapper-asl-1.9.2.jar -> jackson-mapper-asl-1.6.0.jar
neethi-3.0.2.jar -> neethi-3.0.1.jar
** ognl-3.0.6.jar -> ognl-3.0.4.jar
** struts2-convention-plugin-2.3.15.1.jar -> struts2-convention-plugin-2.3.1.2.jar
** struts2-core-2.3.15.1.jar -> struts2-core-2.3.1.2.jar
** struts2-jfreechart-plugin-2.3.1.2.jar -> struts2-jfreechart-plugin-2.3.15.1.jar
** struts2-spring-plugin-2.3.1.2.jar -> struts2-spring-plugin-2.3.15.1.jar
woodstox-core-asl-4.2.0.jar -> woodstox-core-asl-4.1.1.jar
wsdl4j-1.6.3.jar -> wsdl4j-1.6.2.jar
xmlschema-core-2.0.3.jar -> xmlschema-core-2.0.1.jar
** xwork-core-2.3.15.1.jar -> xwork-core-2.3.1.2.jar
```
If the goal is only to fix the vulnerabilities, only these need updating:
```
Replace
** commons-fileupload-1.3.jar -> commons-fileupload-1.2.2.jar
** ognl-3.0.6.jar -> ognl-3.0.4.jar
** struts2-convention-plugin-2.3.15.1.jar -> struts2-convention-plugin-2.3.1.2.jar
** struts2-core-2.3.15.1.jar -> struts2-core-2.3.1.2.jar
** struts2-jfreechart-plugin-2.3.1.2.jar -> struts2-jfreechart-plugin-2.3.15.1.jar
** struts2-spring-plugin-2.3.1.2.jar -> struts2-spring-plugin-2.3.15.1.jar
** xwork-core-2.3.15.1.jar -> xwork-core-2.3.1.2.jar

Add
** add commons-lang3-3.1.jar
```
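A half-applied jar swap is the usual way a manual patch like this goes wrong: the old struts2-core stays on the classpath next to the new one, or commons-lang3 is never added. The following added example (not from the original post) audits a WEB-INF/lib listing against the minimal list above; treating the plugin jars as optional, accepting versions at or above the targets, and the sample listing are assumptions.

```python
import re
from pathlib import Path

# Target versions from the page's minimal "fix only" list.
REQUIRED = {"struts2-core": "2.3.15.1", "xwork-core": "2.3.15.1", "ognl": "3.0.6",
            "commons-fileupload": "1.3", "commons-lang3": "3.1"}
# Assumption: plugin jars are optional, so they are checked only when deployed.
IF_PRESENT = {name: "2.3.15.1" for name in (
    "struts2-convention-plugin", "struts2-jfreechart-plugin", "struts2-spring-plugin")}
JAR_RE = re.compile(r"^(?P<name>.+?)-(?P<ver>\d+(?:\.\d+)*)\.jar$")

# Constructed sample listing (not from the page): a half-finished upgrade.
SAMPLE = ["struts2-core-2.3.15.1.jar", "struts2-core-2.3.1.2.jar",
          "xwork-core-2.3.15.1.jar", "ognl-3.0.4.jar", "commons-fileupload-1.3.jar",
          "struts2-spring-plugin-2.3.15.1.jar", "guava-r09.jar"]


def vkey(version):
    """Numeric sort key, so 2.3.15.1 compares greater than 2.3.2."""
    return tuple(int(part) for part in version.split("."))


def audit(jar_names):
    """Return sorted (artifact, problem) findings for a list of jar file names."""
    found = {}
    for jar in jar_names:
        m = JAR_RE.match(jar)
        if m:  # names without a numeric version (guava-r09.jar) are skipped
            found.setdefault(m["name"], set()).add(m["ver"])
    findings = []
    for name, want in {**REQUIRED, **IF_PRESENT}.items():
        versions = found.get(name, set())
        if not versions:
            if name in REQUIRED:
                findings.append((name, "missing"))
            continue
        if len(versions) > 1:  # old and new jar both on the classpath
            listed = ", ".join(sorted(versions, key=vkey))
            findings.append((name, "duplicate: " + listed))
        if any(vkey(v) < vkey(want) for v in versions):
            findings.append((name, f"outdated, want >= {want}"))
    return sorted(findings)


def audit_dir(lib_dir):
    """Audit a real WEB-INF/lib directory on disk."""
    return audit(p.name for p in Path(lib_dir).glob("*.jar"))
```

Run `audit_dir` against the deployed application's WEB-INF/lib after the swap; an empty list means every jar on the minimal list is present once at the target version.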
If web.xml references ActionContextCleanUp, it will also spit out this obnoxious warning!!!!!!!
```
***************************************************************************
*                               WARNING!!!                                *
*                                                                         *
* >>> ActionContextCleanUp <<< is deprecated! Please use the new filters! *
*                                                                         *
*             This can be a source of unpredictable problems!             *
*                                                                         *
*               Please refer to the docs for more details!                *
*              http://struts.apache.org/2.x/docs/webxml.html              *
*                                                                         *
***************************************************************************
```
To spare our eyes and ears, the only option is to remove the ActionContextCleanUp configuration:
```xml
<filter>
    <filter-name>struts2CleanupFilter</filter-name>
    <filter-class>org.apache.struts2.dispatcher.ActionContextCleanUp</filter-class>
</filter>
```
It can be replaced with a different implementation:
```xml
<filter>
    <filter-name>StrutsPrepareFilter</filter-name>
    <filter-class>org.apache.struts2.dispatcher.ng.filter.StrutsPrepareFilter</filter-class>
</filter>
```
DONE!