Struts2 vulnerability: CVE-2017-5638
Affected jar packages: Struts 2.3.5 to 2.3.31, Struts 2.5 to 2.5.10
Fix: upgrade to Struts 2.3.32 or Struts 2.5.10.1
Specific steps:
1. Identify the vulnerability: check whether your project uses one of the affected jar packages. For example, we use Struts2-core-2.3.16.jar.
2. Decide on a plan: to keep the impact small, we decided to upgrade to Struts 2.3.32.
3. Download Struts 2.3.32 and the associated jar packages. Link: http://download.csdn.net/detail/u010050174/9782713 (right after the vulnerability was disclosed the jar packages could not be found anywhere: the official website was not reachable and Maven had not been updated yet, which nearly killed us; a few days later they were very easy to download.)
4. Replace the jar packages: under the web project's lib directory, replace the jars with the following versions:
Struts2-core-2.3.32.jar
Struts2-json-plugin-2.3.32.jar
Xwork-core-2.3.32.jar
Ognl-3.0.19.jar
Freemarker-2.3.22.jar
Struts2-spring-plugin-2.3.32.jar
In MyEclipse, delete the classpath entries of the original jar packages and add the classpath entries of the new ones.
5. Local project verification: delete the JBoss data, work and temp folders, redeploy, start JBoss and check that the project works (login, page navigation and so on). Run a reasonably complete test.
6. Publish to the test server and hand it to the test team. Stop the JBoss server, delete the old jar packages (otherwise a version conflict may occur), add the new jar packages, delete the JBoss data, work and temp folders, and restart JBoss. The upgrade is complete.
7. Once the test team finds no problems, release to the production system.
8. Have the test team test the production system again (the test system and the production system are sometimes not functionally identical; last time the test system showed no problems, but a function that only existed in production turned out to be broken, and we had to work overtime to fix it). If there are no problems, notify the customer that the system upgrade is complete.
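As an added example that is not part of the original post, the following Python script automates the check from step 1 and the version-conflict warning from step 6 against the file names in a WEB-INF/lib directory: it flags struts2-core jars whose version lies in the affected ranges listed above and reports any artifact present in more than one version (an old jar that was not deleted). The version ranges come from this page; the directory path, the file-name convention and the sample names are assumptions constructed for the example, and only file names are inspected, not jar contents.

```python
import re
import sys
from collections import defaultdict
from pathlib import Path

# Affected struts2-core ranges for CVE-2017-5638 as stated on the page (inclusive bounds).
AFFECTED_RANGES = [((2, 3, 5), (2, 3, 31)), ((2, 5), (2, 5, 10))]

# Assumed naming convention: "<artifact>-<version>.jar", e.g. "Struts2-core-2.3.16.jar".
JAR_RE = re.compile(r"^(?P<artifact>[a-z0-9-]+?)-(?P<version>\d+(?:\.\d+)*)\.jar$", re.IGNORECASE)


def parse_version(text):
    """'2.5.10.1' -> (2, 5, 10, 1); tuples compare element-wise, so 2.5.10.1 > 2.5.10."""
    return tuple(int(part) for part in text.split("."))


def is_affected(version):
    """True if this struts2-core version falls inside one of the vulnerable ranges."""
    v = parse_version(version)
    return any(low <= v <= high for low, high in AFFECTED_RANGES)


def audit_jar_names(names):
    """Audit jar file names from a lib directory.

    Returns (affected, duplicates): affected lists vulnerable struts2-core jars;
    duplicates maps an artifact to its jar names when more than one version is
    present (the leftover-old-jar conflict step 6 warns about)."""
    by_artifact = defaultdict(list)
    affected = []
    for name in names:
        match = JAR_RE.match(name)
        if not match:
            continue  # not a versioned jar name, e.g. README.txt
        artifact = match.group("artifact").lower()
        by_artifact[artifact].append(name)
        if artifact == "struts2-core" and is_affected(match.group("version")):
            affected.append(name)
    duplicates = {a: jars for a, jars in by_artifact.items() if len(jars) > 1}
    return affected, duplicates


def audit_lib_dir(lib_dir):
    """Run the same audit over a real lib directory (path is an assumption)."""
    return audit_jar_names(p.name for p in Path(lib_dir).glob("*.jar"))


if __name__ == "__main__":
    affected, duplicates = audit_lib_dir(sys.argv[1] if len(sys.argv) > 1 else "WEB-INF/lib")
    for jar in affected:
        print(f"VULNERABLE (CVE-2017-5638): {jar}")
    for artifact, jars in duplicates.items():
        print(f"CONFLICT: {artifact} present in several versions: {', '.join(jars)}")
```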