1. Background
Recently, the technical support unit of the municipal Party Committee Cyberspace Affairs Office observed that VMware published a security advisory disclosing a code injection vulnerability in Spring Cloud Gateway, tracked as CVE-2022-22947.
1.1 Vulnerability description
Applications using Spring Cloud Gateway are vulnerable to a code injection attack when the Gateway Actuator endpoint is enabled, exposed over HTTP and left unsecured. A remote attacker can send a maliciously crafted request to that endpoint; successful exploitation results in arbitrary code execution on the gateway host.
1.2 Vulnerability ID
CVE-2022-22947
1.3 Severity
High
2. Remediation
2.1 Affected versions
Spring Cloud Gateway 3.1.0 (i.e. 3.1.x earlier than 3.1.1)
Spring Cloud Gateway 3.0.0 through 3.0.6 (3.0.7 is the fixed release)
Other older Spring Cloud Gateway versions that are no longer maintained are also affected
2.2 Remediation advice
Solution: upgrade to a fixed version.
Fixed versions:
Spring Cloud Gateway >= 3.1.1
Spring Cloud Gateway >= 3.0.7
2.3 Temporary mitigations
If the Gateway actuator endpoint is not required, disable it by setting management.endpoint.gateway.enabled: false. If the actuator is required, protect it with Spring Security so that only authenticated, authorized users can reach it; see https://docs.spring.io/spring-boot/docs/current/reference/html/actuator.html#actuator.endpoints.security. Note that the endpoint is only reachable over HTTP when it is also listed in management.endpoints.web.exposure.include (directly or via "*"); disabling the endpoint is the safer option because it removes the route-mutating functionality the vulnerability depends on.
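The following is an added example, not code from VMware, the Spring Cloud project or the author of this advisory. It audits a Spring Boot configuration for the precondition described above: a gateway actuator endpoint that is enabled and exposed over HTTP, and shows the mitigated configuration beside the vulnerable one. The constructed sample configurations are not from any real deployment. Assumptions: configuration is supplied as flat dotted keys, either application.properties style (key=value) or one-line YAML pairs (key: value); nested YAML blocks are not parsed. The Spring Boot defaults assumed are that management.endpoint.gateway.enabled is true unless set, the web exposure include list does not contain "gateway" unless set, exclude takes precedence over include, and the endpoint is served under /actuator unless a base-path or path-mapping is configured.

```python
# Added example for this advisory; not VMware's or Spring Cloud's code.
# Audits a flat Spring Boot configuration for an enabled, HTTP-exposed
# gateway actuator endpoint (the precondition for CVE-2022-22947).
#
# Assumptions: flat dotted keys ("key=value" or one-line "key: value"),
# nested YAML not supported; Spring Boot defaults as described in the lead-in.


def parse_flat_config(text: str) -> dict:
    """Parse 'key=value' or 'key: value' lines into a dict, skipping comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" in line:
            key, _, value = line.partition("=")
        elif ":" in line:
            key, _, value = line.partition(":")
        else:
            continue  # not a key/value line (e.g. a nested YAML block header)
        props[key.strip()] = value.strip()
    return props


def _as_bool(value, default: bool) -> bool:
    if value is None or value == "":
        return default
    return value.lower() == "true"


def _as_list(value) -> list:
    if value is None:
        return []
    return [item.strip() for item in value.split(",") if item.strip()]


def gateway_endpoint_exposed(props: dict) -> bool:
    """True when the gateway actuator endpoint is enabled and reachable over HTTP."""
    enabled = _as_bool(props.get("management.endpoint.gateway.enabled"), default=True)
    include = _as_list(props.get("management.endpoints.web.exposure.include"))
    exclude = _as_list(props.get("management.endpoints.web.exposure.exclude"))
    included = "*" in include or "gateway" in include
    excluded = "*" in exclude or "gateway" in exclude  # exclude wins over include
    return enabled and included and not excluded


def gateway_endpoint_path(props: dict) -> str:
    """HTTP path under which the gateway endpoint would be served."""
    base = props.get("management.endpoints.web.base-path", "/actuator").rstrip("/")
    mapping = props.get("management.endpoints.web.path-mapping.gateway", "gateway").strip("/")
    return f"{base}/{mapping}"


def audit(text: str) -> dict:
    """Return an audit verdict for one configuration file's contents."""
    props = parse_flat_config(text)
    exposed = gateway_endpoint_exposed(props)
    return {
        "exposed": exposed,
        "path": gateway_endpoint_path(props) if exposed else None,
        "advice": (
            "Upgrade to Spring Cloud Gateway 3.1.1 / 3.0.7, or set "
            "management.endpoint.gateway.enabled=false, or protect the endpoint "
            "with Spring Security"
            if exposed else "gateway actuator endpoint not exposed"
        ),
    }


# Constructed sample configurations (not taken from any real deployment).
VULNERABLE_CONFIG = """
# exposes every actuator endpoint, including gateway, with no authentication
management.endpoints.web.exposure.include=*
"""

MITIGATED_CONFIG = """
# same exposure list, but the gateway endpoint itself is switched off
management.endpoints.web.exposure.include=*
management.endpoint.gateway.enabled=false
"""

if __name__ == "__main__":
    for name, cfg in (("vulnerable", VULNERABLE_CONFIG), ("mitigated", MITIGATED_CONFIG)):
        print(name, audit(cfg))
```

The check is purely configuration-based: it cannot see whether a Spring Security filter chain is already protecting the management endpoints, so "exposed" here means reachable unless such a filter is in place. It is therefore a triage aid for finding which instances need the upgrade or the enabled=false setting, not proof of exploitability.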
Official advisory: https://tanzu.vmware.com/security/cve-2022-22947