修復struts嚴重漏洞:升級struts2.2到 struts2.3.1

簡單測試你的action地址:http://www.yourdomian.com/test.action?redirect:http://www.baidu.com　　是否跳轉到百度

 

修復struts嚴重漏洞:升級struts2.2到 struts2.3.1

 

須要升級如下包:

struts2-core-2.3.15.1.jar

struts2-spring-plugin-2.3.15.1.jar

xwork-core-2.3.15.1.jar

commons-lang3-3.1.jar

ognl-3.0.6.jar

 

==================================升級錯誤記錄=====================================

啓動報如下錯誤:

2013-7-19 12:15:26 org.apache.catalina.core.StandardContext startInternal

嚴重: Error filterStart

2013-7-19 12:15:26 org.apache.catalina.core.StandardContext startInternal

嚴重: Context [] startup failed due to previous errors

2013-7-19 12:15:26 org.apache.catalina.loader.WebappClassLoader clearReferencesJdbc

嚴重: The web application [] registered the JDBC driver [com.mysql.jdbc.Driver] but failed to unregister it when the web application was stopped. To prevent 

 

a memory leak, the JDBC Driver has been forcibly unregistered.

2013-7-19 12:15:26 org.apache.catalina.loader.WebappClassLoader clearReferencesThreads

嚴重: The web application [] appears to have started a thread named [Xmemcached-Reactor-0] but has failed to stop it. This is very likely to create a memory 

 

leak.

2013-7-19 12:15:26 org.apache.catalina.loader.WebappClassLoader clearReferencesThreads

嚴重: The web application [] appears to have started a thread named [Xmemcached-Reactor-1] but has failed to stop it. This is very likely to create a memory 

 

leak.

2013-7-19 12:15:26 org.apache.catalina.loader.WebappClassLoader clearReferencesThreads

嚴重: The web application [] appears to have started a thread named [Xmemcached-Reactor-2] but has failed to stop it. This is very likely to create a memory 

 

leak.

2013-7-19 12:15:26 org.apache.catalina.loader.WebappClassLoader clearReferencesThreads

嚴重: The web application [] appears to have started a thread named [Xmemcached-Reactor-3] but has failed to stop it. This is very likely to create a memory 

 

leak.

2013-7-19 12:15:26 org.apache.catalina.loader.WebappClassLoader clearReferencesThreads

嚴重: The web application [] appears to have started a thread named [Heal-Session-Thread] but has failed to stop it. This is very likely to create a memory 

 

leak.

2013-7-19 12:15:26 org.apache.catalina.loader.WebappClassLoader clearReferencesThreads

嚴重: The web application [] appears to have started a thread named [MySQL Statement Cancellation Timer] but has failed to stop it. This is very likely to 

 

create a memory leak.

2013-7-19 12:15:26 org.apache.catalina.loader.WebappClassLoader clearReferencesThreads

嚴重: The web application [] appears to have started a thread named [startQuartz_Worker-1] but has failed to stop it. This is very likely to create a memory 

 

leak.

 

....

 

實際的錯誤在:tomcat/logs/localhost.2013-07-19.log 文件中去查看

嚴重: Exception starting filter struts2

java.lang.NoClassDefFoundError: org/apache/commons/lang3/StringUtils

at com.opensymphony.xwork2.config.providers.XmlConfigurationProvider.register(XmlConfigurationProvider.java:211)

at org.apache.struts2.config.StrutsXmlConfigurationProvider.register(StrutsXmlConfigurationProvider.java:102)

at com.opensymphony.xwork2.config.impl.DefaultConfiguration.reloadContainer(DefaultConfiguration.java:226)

at com.opensymphony.xwork2.config.ConfigurationManager.getConfiguration(ConfigurationManager.java:67)

at org.apache.struts2.dispatcher.Dispatcher.init_PreloadConfiguration(Dispatcher.java:446)

 

解決:更新comons-lang 到 commons-lang3-3.1版本

 

 

嚴重: Exception starting filter struts2

java.lang.NoSuchMethodError: ognl.SimpleNode.isEvalChain(Lognl/OgnlContext;)Z

at com.opensymphony.xwork2.ognl.OgnlUtil.isEvalExpression(OgnlUtil.java:245)

at com.opensymphony.xwork2.ognl.OgnlUtil.compile(OgnlUtil.java:275)

at com.opensymphony.xwork2.ognl.OgnlUtil.setValue(OgnlUtil.java:230)

at com.opensymphony.xwork2.ognl.OgnlUtil.setValue(OgnlUtil.java:226)

at com.opensymphony.xwork2.ognl.OgnlUtil.internalSetProperty(OgnlUtil.java:459)

at com.opensymphony.xwork2.ognl.OgnlUtil.setProperties(OgnlUtil.java:118)

at com.opensymphony.xwork2.ognl.OgnlUtil.setProperties(OgnlUtil.java:145)

at com.opensymphony.xwork2.ognl.OgnlUtil.setProperties(OgnlUtil.java:132)

at com.opensymphony.xwork2.ognl.OgnlReflectionProvider.setProperties(OgnlReflectionProvider.java:58)

 

解決:更新ognl 到 ognl-3.0.6版本

 

 

升級之後:再次請求你的測試地址：http://www.yourdomian.com/test.action?redirect:http://www.baidu.com

 

tomcat服務器端打印:

升級過濾器: http://struts.apache.org/development/2.x/docs/webxml.html