JeecgBoot upgrades Nacos to version 2.2.3 to solve raft vulnerability

Problem Description

A Raft-related vulnerability was found in the old version of Nacos, so we upgraded directly to the latest version 2.2.3 to fix it.

Upgrade steps

1. Modify pom

  • Path: jeecg-server-cloud/jeecg-cloud-nacos/pom.xml
  • At present, the new dependency has not been uploaded to the Maven central repository, so please configure the jeecg private repository (the jeecg repository entry in the pom below)
<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
    <modelVersion>4.0.0</modelVersion>
    <artifactId>jeecg-cloud-nacos</artifactId>
    <name>jeecg-cloud-nacos</name>
    <description>nacos启动模块</description>
    <version>3.5.2</version>

    <parent>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-parent</artifactId>
        <version>2.6.14</version>
        <relativePath/>
    </parent>

    <repositories>
        <repository>
            <id>aliyun</id>
            <name>aliyun Repository</name>
            <url>https://maven.aliyun.com/repository/public</url>
            <snapshots>
                <enabled>false</enabled>
            </snapshots>
        </repository>
        <repository>
            <id>jeecg</id>
            <name>jeecg Repository</name>
            <url>https://maven.jeecg.org/nexus/content/repositories/jeecg</url>
            <snapshots>
                <enabled>false</enabled>
            </snapshots>
        </repository>
    </repositories>

    <properties>
        <log4j2.version>2.17.0</log4j2.version>
    </properties>
    
    <dependencies>
        <dependency>
            <groupId>org.apache.tomcat.embed</groupId>
            <artifactId>tomcat-embed-jasper</artifactId>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-security</artifactId>
        </dependency>
        <dependency>
            <groupId>org.jeecgframework.nacos</groupId>
            <artifactId>nacos-naming</artifactId>
            <version>2.2.3</version>
        </dependency>
        <dependency>
            <groupId>org.jeecgframework.nacos</groupId>
            <artifactId>nacos-istio</artifactId>
            <version>2.2.3</version>
        </dependency>
        <dependency>
            <groupId>org.jeecgframework.nacos</groupId>
            <artifactId>nacos-config</artifactId>
            <version>2.2.3</version>
        </dependency>
        <dependency>
            <groupId>org.jeecgframework.nacos</groupId>
            <artifactId>nacos-console</artifactId>
            <version>2.2.3</version>
        </dependency>
    </dependencies>

    <build>
        <plugins>
            <plugin>
                <groupId>org.springframework.boot</groupId>
                <artifactId>spring-boot-maven-plugin</artifactId>
            </plugin>
        </plugins>
    </build>

</project>

2. Upgrade the Nacos database by executing the following upgrade script

ALTER TABLE config_info ADD encrypted_data_key varchar(255) DEFAULT NULL COMMENT '加密key';
ALTER TABLE his_config_info ADD encrypted_data_key varchar(255) DEFAULT NULL COMMENT '加密key';
ALTER TABLE config_info_beta ADD encrypted_data_key varchar(255) DEFAULT NULL COMMENT '加密key';
ALTER TABLE config_info_tag ADD encrypted_data_key varchar(255) DEFAULT NULL COMMENT '加密key';

3. Start the Nacos project to complete the upgrade

The upgrade is complete; it's that simple.

4. Vulnerability Description

1. Details

Nacos is an easy-to-use dynamic service discovery, configuration and service management platform for building cloud-native applications.

Recently, Nacos released an updated version that fixes a deserialization vulnerability. Because a Nacos cluster does not restrict Hessian deserialization when processing some JRaft requests, the flaw may lead to remote code execution. However, it only affects port 7848 (under the default configuration). This port is normally the Raft protocol communication port between Nacos cluster nodes and does not carry client requests, so the issue can be mitigated by blocking requests to this port from outside the Nacos cluster.

The vulnerability has now been fixed, and affected users can update to Nacos version 1.4.6 or 2.2.3.

2. Affected versions

1.4.0 <= Nacos version < 1.4.6

2.0.0 <= Nacos version < 2.2.3
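As an added example (not code from the original post, nor from the Nacos or JeecgBoot projects), the following Python script turns the vulnerability description and the affected-version ranges above into a post-upgrade check: it classifies a Nacos version string against the two affected ranges and parses `ss -ltn` output to see whether the Raft port (7848 by default) is bound on a wildcard address, which is the situation the mitigation text tells you to avoid. It assumes that the Nacos console endpoint GET /nacos/v1/console/server/state returns JSON with a version field and a standalone_mode field (verify this against your own deployment); the server-state JSON and the `ss` output embedded below are constructed samples.

```python
"""Post-upgrade checks for the Nacos JRaft Hessian deserialization issue.

Added example: the version ranges come from the advisory text; the
endpoint shape and the sample inputs are assumptions/constructed data.
"""
import json
import re

# Affected ranges stated in the advisory: 1.4.0 <= v < 1.4.6 and 2.0.0 <= v < 2.2.3
AFFECTED_RANGES = (
    ((1, 4, 0), (1, 4, 6)),
    ((2, 0, 0), (2, 2, 3)),
)

# Addresses that mean "every interface" in ss/netstat output
WILDCARD_ADDRS = {"0.0.0.0", "*", "[::]", "::"}


def parse_version(text):
    """Turn a version string such as '2.2.3' (or '2.2.3-BETA') into an int tuple."""
    match = re.match(r"(\d+)\.(\d+)\.(\d+)", text.strip())
    if not match:
        raise ValueError(f"unrecognised Nacos version: {text!r}")
    return tuple(int(part) for part in match.groups())


def is_affected(version):
    """True if the version falls inside one of the advisory's affected ranges."""
    parsed = parse_version(version)
    return any(low <= parsed < high for low, high in AFFECTED_RANGES)


def assess_server_state(body):
    """Evaluate the JSON body returned by the (assumed) console server-state endpoint."""
    state = json.loads(body)
    version = state.get("version")
    if version is None:
        raise ValueError("server state has no 'version' field")
    return {
        "version": version,
        "affected": is_affected(version),
        # Assumed field: 'standalone' means there is no Raft peer traffic at all
        "cluster_mode": state.get("standalone_mode") != "standalone",
    }


def raft_listeners(ss_output, raft_port=7848):
    """Return the local addresses on which the Raft port is listening.

    Parses lines in `ss -ltn` layout: State Recv-Q Send-Q Local:Port Peer:Port
    """
    found = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue  # header line or non-listening socket
        addr, _, port = fields[3].rpartition(":")
        if port == str(raft_port):
            found.append(addr)
    return found


def raft_port_exposed(ss_output, raft_port=7848):
    """True if the Raft port is bound on a wildcard address (reachable from any interface)."""
    return any(addr in WILDCARD_ADDRS for addr in raft_listeners(ss_output, raft_port))


# Constructed sample data: a pre-upgrade cluster node with 7848 bound on all interfaces
SAMPLE_STATE = '{"version":"2.1.0","standalone_mode":"cluster","function_mode":"All"}'
SAMPLE_SS = """State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      4096   0.0.0.0:8848        0.0.0.0:*
LISTEN 0      4096   0.0.0.0:7848        0.0.0.0:*
LISTEN 0      4096   [::]:9848           [::]:*
"""

if __name__ == "__main__":
    result = assess_server_state(SAMPLE_STATE)
    print(f"Nacos {result['version']}: affected={result['affected']}, cluster_mode={result['cluster_mode']}")
    print(f"Raft port listeners: {raft_listeners(SAMPLE_SS)}, exposed={raft_port_exposed(SAMPLE_SS)}")
```

A wildcard binding on 7848 is only a signal: if the host firewall or security group already limits that port to the cluster members, the node is mitigated even though `ss` shows 0.0.0.0. Run the version check after the upgrade too, since a 2.2.3 pom with a stale running process still reports the old version.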

3. Reference blogs

  • http://net.jstu.edu.cn/2023/0612/c2331a165901/page.htm
  • http://www.hackdig.com/06/hack-1004954.htm
  • https://blog.csdn.net/qq12547345/article/details/131183159
  • https://blog.csdn.net/weiyangdong/article/details/131440830


Source: blog.csdn.net/zhangdaiscott/article/details/131730495