SpringBoot解决Apache Tomcat输入验证错误漏洞

慕容冲_a4b8

 关注

阅读 14

2024-07-24

Apache Tomcat中存在一个输入验证错误(也称为CVE-2024-24549)漏洞,在处理HTTP/2请求时,如果请求超过任何标头的配置限制,则在处理完所有标头之前,关联的HTTP/2流不会重置。该漏洞可能导致拒绝服务攻击,使得合法用户无法正常使用服务。攻击者可以通过构造特制的HTTP请求来触发该漏洞,从而对服务器造成严重影响。

解决方法:

升级 org.apache.tomcat.embed 依赖版本到 9.0.86。

修改pom.xml文件:

        <!-- tomcat -->
        <dependency>
            <groupId>org.apache.tomcat.embed</groupId>
            <artifactId>tomcat-embed-core</artifactId>
            <version>9.0.86</version>
        </dependency>
        <dependency>
            <groupId>org.apache.tomcat.embed</groupId>
            <artifactId>tomcat-embed-el</artifactId>
            <version>9.0.86</version>
        </dependency>
        <dependency>
            <groupId>org.apache.tomcat.embed</groupId>
            <artifactId>tomcat-embed-websocket</artifactId>
            <version>9.0.86</version>
        </dependency>
        <dependency>
            <groupId>org.apache.tomcat</groupId>
            <artifactId>tomcat-annotations-api</artifactId>
            <version>9.0.86</version>
        </dependency>

        <!-- Exclude conflicting dependencies -->
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-tomcat</artifactId>
            <exclusions>
                <exclusion>
                    <groupId>org.apache.tomcat.embed</groupId>
                    <artifactId>tomcat-embed-core</artifactId>
                </exclusion>
                <exclusion>
                    <groupId>org.apache.tomcat.embed</groupId>
                    <artifactId>tomcat-embed-el</artifactId>
                </exclusion>
                <exclusion>
                    <groupId>org.apache.tomcat.embed</groupId>
                    <artifactId>tomcat-embed-websocket</artifactId>
                </exclusion>
            </exclusions>
        </dependency>

        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-web</artifactId>
            <exclusions>
                <exclusion>
                    <groupId>org.apache.tomcat.embed</groupId>
                    <artifactId>tomcat-embed-core</artifactId>
                </exclusion>
                <exclusion>
                    <groupId>org.apache.tomcat.embed</groupId>
                    <artifactId>tomcat-embed-el</artifactId>
                </exclusion>
                <exclusion>
                    <groupId>org.apache.tomcat.embed</groupId>
                    <artifactId>tomcat-embed-websocket</artifactId>
                </exclusion>
            </exclusions>
        </dependency>

相关推荐

Apache Tomcat 漏洞复现

九月的栩 74 0 0

【漏洞复现】Apache_Tomcat7+ 弱口令 && 后台getshell漏洞

艾晓雪 42 0 0

【Apache】漏洞

zhaoxj0217 5 0 0

apache 漏洞

Ad大成 18 0 0

Tomcat漏洞

快乐小鱼儿_9911 23 0 0

Apache Http Server安全漏洞解决

westfallon 183 0 0

关于Apache Tomcat请求走私漏洞(CVE-2023-46589)

西曲风 8 0 0

Target runtime apache tomcat v5.5 is not defined错误

Separes 72 0 0

通过升级tomcat完美解决服务器的tomcat漏洞

木匠0819 31 0 0

apache + tomcat

李雨喵 146 0 0

精彩评论(0)

0 0 举报