Does CVE-2020-1948 affect version 2.6.8? #6362
Comments
Same question here.
Same question. Looking at 2.7.7, there is one change that appears to be related to this vulnerability: Ignore deserilization when service/method not found #5733
Quoting the vulnerability's discoverer (http://rui0.cn/archives/1338): the root problem lies in the Hessian protocol; "not found" is only one trigger point. In the current version there is still a known trigger point that has not been published, and most likely there are more. It is therefore advisable to stay on the latest version, or to refer to https://xz.aliyun.com/t/7238 to harden Hessian, and to keep the blacklist added via SPI up to date. The most worry-free approach is to switch the RPC protocol to protobuf (the official documentation describes how); it does not require much security knowledge, but it does have a learning cost and a service runtime cost. In the long run it is well worth it.
Clearly 2.6.8 is affected. That change fixed the security problem in Dubbo's HTTP protocol at the time; it did not fix this CVE.
Vulnerability mailing-list link, summary:
According to the vulnerability description, 2.6.8 is not in the affected range. But it also says that everything below 2.7.6 is affected and recommends upgrading to 2.7.7 to fix the vulnerability.
We need to confirm whether 2.6.8 is affected by this vulnerability and whether an upgrade to 2.7.7 is required.
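The practical triage step behind this question is to find every Dubbo artifact a service actually pulls in and compare its version with the upgrade target named in the advisory summary. The script below is an added example, not part of this issue thread or of the Dubbo project. It assumes that the advisory's recommendation (upgrade to 2.7.7) is the line to check against, so it deliberately flags 2.6.8 despite the conflicting "not in the affected range" wording; the `mvn dependency:tree` lines it parses are constructed sample input, and the groupId/artifactId pairs are the coordinates under which Dubbo has been published.

```python
"""Triage helper for CVE-2020-1948: flag Dubbo artifacts in a Maven dependency
tree whose version is below the fixed release quoted in the issue.

Added example; not the Dubbo project's code. The fixed version (2.7.7) is taken
from the advisory summary quoted in the issue, and the sample tree is constructed.
"""
import re
from typing import List, Tuple

# Assumption from the advisory summary quoted in the issue: 2.7.7 is the
# recommended fixed release, so anything below it is treated as needing an upgrade.
FIXED_VERSION = (2, 7, 7)

# Coordinates under which Dubbo has been published (old Alibaba and Apache groupIds).
DUBBO_ARTIFACTS = {"com.alibaba:dubbo", "org.apache.dubbo:dubbo"}

# One line of `mvn dependency:tree` output, e.g.
#   [INFO] +- com.alibaba:dubbo:jar:2.6.8:compile
DEP_LINE = re.compile(
    r"(?P<group>[\w.\-]+):(?P<artifact>[\w.\-]+):jar:(?P<version>[\w.\-]+):(?P<scope>\w+)"
)


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '2.7.7' or '2.6.8-SNAPSHOT' into a comparable tuple of ints.

    The qualifier after '-' is dropped; only the numeric dotted core is compared.
    """
    core = version.split("-")[0]
    return tuple(int(part) for part in core.split(".") if part.isdigit())


def is_below_fixed(version: str) -> bool:
    """True when the version sorts below the fixed release from the advisory."""
    return parse_version(version) < FIXED_VERSION


def find_dubbo_deps(tree_output: str) -> List[Tuple[str, str, bool]]:
    """Return (coordinate, version, needs_upgrade) for every Dubbo artifact in the tree."""
    hits = []
    for line in tree_output.splitlines():
        match = DEP_LINE.search(line)
        if not match:
            continue
        coordinate = f"{match['group']}:{match['artifact']}"
        if coordinate in DUBBO_ARTIFACTS:
            hits.append((coordinate, match["version"], is_below_fixed(match["version"])))
    return hits


# Constructed sample output of `mvn dependency:tree` for a service that still
# carries the old com.alibaba artifact next to the Apache one.
SAMPLE_TREE = """\
[INFO] com.example:payment-service:jar:1.0.0
[INFO] +- com.alibaba:dubbo:jar:2.6.8:compile
[INFO] |  \\- org.javassist:javassist:jar:3.20.0-GA:compile
[INFO] +- org.apache.dubbo:dubbo:jar:2.7.7:compile
[INFO] \\- com.alibaba:fastjson:jar:1.2.62:compile
"""


if __name__ == "__main__":
    for coordinate, version, needs_upgrade in find_dubbo_deps(SAMPLE_TREE):
        status = "UPGRADE to 2.7.7 or later" if needs_upgrade else "at or above fixed version"
        print(f"{coordinate}:{version} -> {status}")
```

To run it against a real project, pipe the output of `mvn dependency:tree` into `find_dubbo_deps` instead of `SAMPLE_TREE`. Shaded or relocated copies of Dubbo will not appear in the tree, so the check covers declared dependencies only.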