Manually upgrade the Spring dependency, or use the latest BladeX; the latest BladeX is 6.1.5, and the Spring version it uses no longer has this vulnerability.
For upgrading an older Spring version, refer to the following configuration:
<project xmlns="http://maven.apache.org/POM/4.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
    <!-- Project coordinates and other elements... -->
    <dependencyManagement>
        <dependencies>
            <!-- Spring Framework BOM: pins every org.springframework artifact to this version.
                 Declare it before any other imported BOM (e.g. spring-boot-dependencies),
                 because for import-scoped BOMs the first declaration wins. -->
            <dependency>
                <groupId>org.springframework</groupId>
                <artifactId>spring-framework-bom</artifactId>
                <version>5.3.32</version>
                <type>pom</type>
                <scope>import</scope>
            </dependency>
            <!-- Other managed dependencies -->
        </dependencies>
    </dependencyManagement>
    <!-- Actual dependency declarations... -->
</project>
Blade version: 2.9.1.RELEASE
Spring Boot version: 2.3.12.RELEASE
spring-web-5.2.15.RELEASE.jar
I want to replace the spring-web related versions with 6.1.6.
I'd like to know the concrete steps and whether it is feasible.
We only recommend updating to 5.3.32; going to 6.x requires a major rework of the whole project.
If updating to 5.3.32, what exactly needs to be done?
Configure the Spring version in the project's root pom.xml; forcing the override there is enough.
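A way to verify the override described above (the spring-framework-bom import in the first reply and the "force the override in the root pom.xml" advice), as an added example that is not BladeX or Spring project code: it parses the text printed by mvn dependency:tree and lists every org.springframework artifact that still resolves below 5.3.32, which is how you catch a transitive dependency that escaped the BOM. The sample tree output, the module names in it, and the file name check_spring.py are constructed for this example and deliberately include one artifact left at 5.2.15.RELEASE.

```python
"""Check the resolved Spring Framework versions in a Maven project.

Added example (not BladeX or Spring project code). It parses the text
that `mvn dependency:tree` prints and flags every org.springframework
artifact whose version is older than a minimum. Against a real project:

    mvn dependency:tree -Dincludes=org.springframework | python check_spring.py

The sample tree below is constructed for this example; its module names
and versions are assumptions, not copied from a real build.
"""
import re
import sys
from typing import Iterable, List, Tuple

# Minimum version the thread recommends pinning via spring-framework-bom.
MIN_VERSION = "5.3.32"

# dependency:tree lines look like:
#   [INFO] +- org.springframework:spring-web:jar:5.2.15.RELEASE:compile
#   [INFO] |  \- org.springframework:spring-core:jar:5.2.15.RELEASE:compile
DEP_LINE = re.compile(
    r"^\[INFO\]\s+[|+\\\- ]*\(?"          # tree-drawing prefix, optional "(" from -Dverbose
    r"(?P<group>[\w.\-]+):(?P<artifact>[\w.\-]+):(?P<type>[\w\-]+):"
    r"(?:(?P<classifier>[\w.\-]+):)?"     # optional classifier
    r"(?P<version>[\w.\-]+):(?P<scope>\w+)"
)


def version_key(version: str) -> tuple:
    """Turn '5.2.15.RELEASE' or '5.3.32' into a comparable tuple.

    Leading numeric segments compare numerically; a trailing qualifier
    such as RELEASE is dropped. A version with no numeric prefix is (0,).
    """
    nums = []
    for part in version.split("."):
        if part.isdigit():
            nums.append(int(part))
        else:
            break
    return tuple(nums) or (0,)


def parse_tree(lines: Iterable[str]) -> List[dict]:
    """Return one dict (group, artifact, type, classifier, version, scope) per dependency line."""
    return [m.groupdict() for m in map(DEP_LINE.match, lines) if m]


def outdated_spring(lines: Iterable[str], min_version: str = MIN_VERSION,
                    group: str = "org.springframework") -> List[Tuple[str, str]]:
    """Return (group:artifact, version) pairs whose version is below min_version."""
    floor = version_key(min_version)
    return [
        (f'{d["group"]}:{d["artifact"]}', d["version"])
        for d in parse_tree(lines)
        if d["group"] == group and version_key(d["version"]) < floor
    ]


# Constructed sample of `mvn dependency:tree` output (not from a real build).
SAMPLE_TREE = """\
[INFO] --- maven-dependency-plugin:3.1.2:tree (default-cli) @ blade-demo ---
[INFO] org.springblade:blade-demo:jar:2.9.1.RELEASE
[INFO] +- org.springframework.boot:spring-boot-starter-web:jar:2.3.12.RELEASE:compile
[INFO] |  +- org.springframework:spring-web:jar:5.3.32:compile
[INFO] |  |  \\- org.springframework:spring-beans:jar:5.3.32:compile
[INFO] |  \\- org.springframework:spring-webmvc:jar:5.3.32:compile
[INFO] +- org.springblade:blade-core-tool:jar:2.9.1.RELEASE:compile
[INFO] |  \\- org.springframework:spring-context-support:jar:5.2.15.RELEASE:compile
[INFO] \\- org.springframework:spring-core:jar:5.3.32:compile
""".splitlines()


if __name__ == "__main__":
    source = sys.stdin if not sys.stdin.isatty() else SAMPLE_TREE
    for name, version in outdated_spring(source):
        print(f"{name} still resolves to {version} (< {MIN_VERSION})")
```

Run it without -Dverbose so the tree shows only the artifacts that actually end up on the classpath; an empty result means the BOM override reached every org.springframework artifact, and any line it prints is a jar the scanner will still flag.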
After upgrading Spring to 5.3.32, the endpoint for fetching the captcha can no longer be called.
Check AbstractReadWriteJackson2HttpMessageConverter, and check whether the related utility classes need a version upgrade.
org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'taskExecutorBuilder' defined in class path resource [org/springframework/boot/autoconfigure/task/TaskExecutionAutoConfiguration.class]: Bean instantiation via factory method failed; nested exception is org.springframework.beans.BeanInstantiationException: Failed to instantiate [org.springframework.boot.task.TaskExecutorBuilder]: Factory method 'taskExecutorBuilder' threw exception; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'taskExecutorCustomizer' defined in class path resource [org/springblade/core/boot/config/BladeExecutorConfiguration.class]: Bean instantiation via factory method failed; nested exception is org.springframework.beans.BeanInstantiationException: Failed to instantiate [org.springframework.boot.task.TaskExecutorCustomizer]: Illegal arguments to factory method 'taskExecutorCustomizer'; args: ; nested exception is java.lang.IllegalArgumentException: object is not an instance of declaring class
Caused by: org.springframework.beans.BeanInstantiationException: Failed to instantiate [org.springframework.boot.task.TaskExecutorBuilder]: Factory method 'taskExecutorBuilder' threw exception; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'taskExecutorCustomizer' defined in class path resource [org/springblade/core/boot/config/BladeExecutorConfiguration.class]: Bean instantiation via factory method failed; nested exception is org.springframework.beans.BeanInstantiationException: Failed to instantiate [org.springframework.boot.task.TaskExecutorCustomizer]: Illegal arguments to factory method 'taskExecutorCustomizer'; args: ; nested exception is java.lang.IllegalArgumentException: object is not an instance of declaring class
Caused by: org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'taskExecutorCustomizer' defined in class path resource [org/springblade/core/boot/config/BladeExecutorConfiguration.class]: Bean instantiation via factory method failed; nested exception is org.springframework.beans.BeanInstantiationException: Failed to instantiate [org.springframework.boot.task.TaskExecutorCustomizer]: Illegal arguments to factory method 'taskExecutorCustomizer'; args: ; nested exception is java.lang.IllegalArgumentException: object is not an instance of declaring class
spring-boot-2.3.12.RELEASE
spring-web 5.3.32
The project fails on startup; I'd like to resolve the spring-web version exception with the smallest possible change.
I checked: BladeX 2.9.1 depends on Spring 5.2.15, which is not within this vulnerability's affected range, so you don't need to fix anything at all.
Also, regarding secure deployment of the framework itself, I recommend reading this document: https://center.javablade.com/blade/BladeX-Safety
Once those security risks are addressed, you basically won't be affected by other vulnerabilities, because an attacker can't even get past the first layer of token authentication.
Problem: the vulnerability was flagged by an Alibaba Cloud scan, and it was attributed to this version.
Obstacle: as far as I can tell, the only fix is to raise the version, but after forcing the update my initial finding is an incompatibility with the Spring Boot version, so the project fails to start.
Expectation: I want to avoid this vulnerability at minimal cost; is there an efficient approach?
The only option is to upgrade the Spring version and then adapt each dependency. Note that the bladex-tool version also needs to be changed; after changing it, resolve the utility classes' dependency issues, then run mvn clean install. Next, modify the bladex dependencies, and finally resolve the remaining Spring upgrade issues.
If you can't resolve it, you can contact our official team for paid custom upgrade work; e-mail: bladejava@qq.com