How to upgrade the embedded tomcat version in Spring Boot

1. Background

According to the Tomcat AJP protocol vulnerability warning issued by the information security operations team, Tomcat's AJP protocol (default port 8009) has a high-risk vulnerability. Because of an implementation defect, the relevant request parameters are attacker-controllable, so an attacker can craft parameters that read any file under the server's webapp directory. If the server also offers a file upload function, the attacker can go further and achieve remote code execution. The vulnerability is CVE-2020-1938 and its risk level is high. The attachment lists the development and production systems of the whole bank that are involved. Please confirm as soon as possible whether the AJP protocol is in use and remediate it according to the interim plan.

The repair scheme is as follows:
1. The AJP protocol is not used: disable the AJP connector directly.
(1) Edit <CATALINA_BASE>/conf/server.xml (<CATALINA_BASE> is Tomcat's working directory) and find the following line:
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
(2) Comment out this line (you can also delete it):
    <!-- <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" /> -->
(3) After saving, Tomcat must be restarted for the change to take effect.
(4) After restarting, run netstat -an|grep 8009 to confirm that port 8009 is no longer in the LISTEN state.

2. The AJP protocol is used: it is recommended to upgrade Tomcat to version 9.0.31, 8.5.51 or 7.0.100 immediately.

Although our product uses the embedded Tomcat, it only uses HTTP; the AJP protocol is not used and has already been disabled. However, given the customer's high security awareness, they did not accept this and insisted that the Tomcat version be upgraded. So I started stepping into the pitfalls of upgrading the embedded Tomcat.

2. Process

2.1 Upgrade the tomcat version of a single-module project

I wrote a demo to test upgrading the embedded Tomcat version, and it is easy: declare the target Tomcat version in the pom's properties, build the package, and the packaged application depends on that Tomcat version.

    <properties>
        <tomcat.version>8.5.51</tomcat.version>
    </properties>

However, this upgrade only works when the pom's parent is org.springframework.boot; this is like inheriting from a parent class in object-oriented programming and overriding one of its methods. In other words, the pom must contain a declaration like the one below, otherwise simply writing the tomcat.version property will have no effect.

    <parent>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-parent</artifactId>
        <version>2.0.8.RELEASE</version>
    </parent>

2.2 Upgrading a project with multiple modules

To upgrade the Tomcat version in a multi-module project, the submodule depends on Tomcat, but the submodule's parent is not org.springframework.boot but the project's own parent module, so the first method no longer works. So we take the blunt approach: first exclude the Tomcat dependencies, then introduce the desired Tomcat version explicitly. Because the Tomcat-related artifacts come in transitively through spring-boot-starter-web, first exclude the Tomcat dependencies it contains, then add the corresponding Tomcat version, as follows:

        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-web</artifactId>
            <exclusions>
                <exclusion>
                    <groupId>org.springframework.boot</groupId>
                    <artifactId>spring-boot-starter-tomcat</artifactId>
                </exclusion>
                <exclusion>
                    <groupId>org.apache.tomcat.embed</groupId>
                    <artifactId>tomcat-embed-core</artifactId>
                </exclusion>
                <exclusion>
                    <groupId>org.apache.tomcat.embed</groupId>
                    <artifactId>tomcat-embed-el</artifactId>
                </exclusion>
                <exclusion>
                    <groupId>org.apache.tomcat.embed</groupId>
                    <artifactId>tomcat-embed-websocket</artifactId>
                </exclusion>
                <exclusion>
                    <groupId>org.apache.tomcat</groupId>
                    <artifactId>tomcat-annotations-api</artifactId>
                </exclusion>
            </exclusions>
        </dependency>
        <dependency>
            <groupId>org.apache.tomcat.embed</groupId>
            <artifactId>tomcat-embed-core</artifactId>
            <version>${tomcat.version}</version>
            <exclusions>
                <exclusion>
                    <groupId>org.apache.tomcat</groupId>
                    <artifactId>tomcat-annotations-api</artifactId>
                </exclusion>
            </exclusions>
        </dependency>
        <dependency>
            <groupId>org.apache.tomcat</groupId>
            <artifactId>tomcat-annotations-api</artifactId>
            <version>${tomcat.version}</version>
        </dependency>
        <dependency>
            <groupId>org.apache.tomcat.embed</groupId>
            <artifactId>tomcat-embed-el</artifactId>
            <version>${tomcat.version}</version>
        </dependency>
        <dependency>
            <groupId>org.apache.tomcat.embed</groupId>
            <artifactId>tomcat-embed-websocket</artifactId>
            <version>${tomcat.version}</version>
            <exclusions>
                <exclusion>
                    <groupId>org.apache.tomcat.embed</groupId>
                    <artifactId>tomcat-embed-core</artifactId>
                </exclusion>
            </exclusions>
        </dependency>

3. How to upgrade the project with packaged submodules

If the packaged artifact is built from a submodule of your own, the approach above fails. I am not sure of the exact reason, but it is also easy to fix: copy the dependency declarations from the two steps above into the pom of the submodule that is packaged, and you are done.
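As an added example (not part of the original post), here is a POSIX shell script that automates the two checks this post relies on: the netstat check for port 8009 from the repair scheme, and whether the tomcat-embed-core jar inside the packaged Spring Boot jar is actually at or above the fixed versions 9.0.31, 8.5.51 or 7.0.100. It assumes the standard BOOT-INF/lib fat-jar layout and that unzip is available; the function names are my own.

```shell
# Added example, not from the original post: confirm that the packaged jar
# carries a Tomcat build fixed for CVE-2020-1938 and that AJP is not listening.
set -u

# Print the three numeric components of dotted version $1, padding with 0.
parts() {
    IFS=. read -r p1 p2 p3 _ <<EOF
$1
EOF
    echo "${p1:-0} ${p2:-0} ${p3:-0}"
}

# Succeed when version $1 is greater than or equal to version $2 (numeric, not string).
ver_ge() {
    set -- $(parts "$1") $(parts "$2")
    [ "$1" -ne "$4" ] && { [ "$1" -gt "$4" ]; return $?; }
    [ "$2" -ne "$5" ] && { [ "$2" -gt "$5" ]; return $?; }
    [ "$3" -ge "$6" ]
}

# Classify Tomcat version $1 against the fixed release of its branch (advisory values):
# prints "fixed", "vulnerable", or "unknown" for branches the advisory does not cover.
ghostcat_status() {
    case ${1%%.*} in
        7) min=7.0.100 ;;
        8) min=8.5.51 ;;   # 8.0.x compares below 8.5.51, so it reports vulnerable
        9) min=9.0.31 ;;
        *) echo unknown; return 0 ;;
    esac
    if ver_ge "$1" "$min"; then echo fixed; else echo vulnerable; fi
}

# Read a jar listing (from `unzip -l app.jar`) on stdin and print the version
# of tomcat-embed-core found under BOOT-INF/lib/ (empty if absent).
embed_core_version() {
    sed -n 's/.*BOOT-INF\/lib\/tomcat-embed-core-\([0-9][0-9.]*\)\.jar.*/\1/p' | head -n 1
}

# Check the jar at $1; fail unless its embedded Tomcat is a fixed build.
check_jar() {
    v=$(unzip -l "$1" | embed_core_version)
    [ -n "$v" ] || { echo "no tomcat-embed-core in $1"; return 1; }
    s=$(ghostcat_status "$v")
    echo "tomcat-embed-core $v: $s"
    [ "$s" = fixed ]
}

# Succeed when something is still listening on the AJP port (step (4) of the scheme).
ajp_listening() {
    netstat -an 2>/dev/null | grep -q '[:.]8009 .*LISTEN'
}
```

Source the file and run `check_jar target/app.jar` after packaging, then `ajp_listening && echo "8009 still open"` on the running host.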

End

Summed up like this it looks simple now, but stepping into these pitfalls a while ago was very painful: the upgrade kept failing to take effect, I could only try one thing after another, and it was finally solved before the project release. Cheers!

Origin http://43.154.161.224:23101/article/api/json?id=324238032&siteId=291194637