Spring Cloud Config Server Arbitrary File Read Vulnerability Security Advisory

Published 2019-04-18

Vulnerability ID and severity


CVE ID: CVE-2019-3799; severity: high; CVSS score: not rated by the vendor


Affected versions


Spring Cloud Config 2.1.0 to 2.1.1

Spring Cloud Config 2.0.0 to 2.0.3

Spring Cloud Config 1.4.0 to 1.4.5

Other unsupported older versions (e.g. Spring Cloud Config 1.3 and below)

ÖµÍ×ÌùÐĵÄÊÇͨ¹ýmaven×Ô¶¯¹¹½¨µÄÀûÓã¬ÈôÊDz»Ö¸¶¨spring-cloud-config-serverµÄ°æ±¾£¬Ä¬ÈÏ×°ÖõϹÊÇspring-cloud-config-server 1.3.0²»°²È«°æ±¾


Vulnerability overview


Spring Cloud ConfigÒ»Ì׿ªÔ´É¢²¼Ê½ÏµÍ³ÅäÖ÷þÎñ£¬ÎªÉ¢²¼Ê½»·¾³Ìṩ±í²¿ÅäÖ÷þÎñÖ§³Ö¡£Spring Cloud Config Server õè¾¶´©Ô½ÓëËÁÒâÎļþ¶ÁÈ¡·ì϶£¬¿Éͨ¹ý»ú¹ØµÄ¶ñÒâÒªÇóÖ±½Ó¶ÁÈ¡·þÎñÆ÷ËÁÒâÎļþ£¬·çÏսϴó¡£


Vulnerability verification


Environment setup: https://github.com/spring-cloud/spring-cloud-config#quick-start

GET /foo/default/master/..%252F..%252F..%252F..%252Fetc%252fpasswd HTTP/1.1

Host: localhost:8888





The Spring Cloud Config project is a configuration management solution for distributed systems. It consists of two parts, Client and Server: the server stores the configuration files and exposes their contents over an HTTP interface; the client fetches the data through that interface and uses it to initialise its own application. Spring Cloud Config stores configuration files in git or svn, git by default.


Environment setup:


pom.xml: configure the dependencies




application.yml: set the remote repository address where the configuration files are stored




Startup file




In org/springframework/cloud/config/server/resource/ResourceController.java the HTTP request mapping can be seen to be @RequestMapping("/{name}/{profile}/{label}/**"), where:

name is the application (repository) name

profile is the application's configuration profile (environment)

label is the git branch name

** is the concrete file name

In practice only label needs to be an existing branch name; git repositories normally have a master branch. name and profile can be arbitrary values.

So the generic PoC path is:

/test/dev/master/..%252F..%252F..%252F..%252F..%252F..%252F..%252Fetc%252Fpasswd




Once the parameters are passed in, this.resourceRepository.findOne(name, profile, label, path) is called; it assembles a new path from the repository location given in the configuration file and fetches the file contents. We step into the findOne method in org.springframework.cloud.config.server.resource.


In findOne, location is the local tmp directory into which the remote git repository was cloned; it is joined with the path we passed in, giving file:/var/folders/2t/2pcjgph96ms9jltyfnm5brr40000gn/T/config-repo-1763575875528585941/..%2F..%2F..%2F..%2F..%2F..%2F.-dev.%2Fetc%2Fpasswd. (The -dev in the middle comes from the profile-specific lookup: findOne first tries a variant of the file with -{profile} inserted before its last dot, then falls back to the plain path. The path has already been decoded once by the servlet container, which is why %252F now reads %2F.)


this.resourceLoader.getResource(path) is the resource-loading method wrapped in spring-core. By default it URL-decodes the address a second time, so %2F becomes / and the ../../ sequences consume the tmp directory in front of them; the request therefore traverses to an arbitrary path and reads an arbitrary file.
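To make the two decoding steps and the path normalisation concrete, here is a small model of the resolution described above. It is an added example written for this advisory, not Spring Cloud Config's own code: REPO_ROOT is a constructed stand-in for the tmp checkout, urllib.parse.unquote stands in for the servlet container's and the resource loader's URL decoding, posixpath.normpath stands in for the file system's handling of "..", and profile_candidates is a model of the profile-specific lookup (file-{profile}.ext first, plain path second). hardened_resolve is a generic containment check written for the example; it is not the upstream fix.

```python
"""Model of how findOne + resourceLoader.getResource resolve the request path
(added example, not Spring Cloud Config's code)."""
import posixpath
from urllib.parse import unquote

# Constructed stand-in for the tmp checkout shown in the advisory.
REPO_ROOT = "/tmp/config-repo-1763575875528585941"


def servlet_decode(request_path: str) -> str:
    """The servlet container decodes the request path once: %252F -> %2F."""
    return unquote(request_path)


def profile_candidates(path: str, profile: str):
    """Candidates tried in order: profile-specific file first, then the plain path.

    Modelled on the profile lookup: "-{profile}" is inserted before the last '.'
    when that dot lies after the last '/'. With a once-decoded traversal path
    there is no '/' at all, so the dot inside the final ".." is taken as the
    extension separator, which produces the ".-dev." fragment seen above.
    """
    if not profile or profile == "default":
        return [path]
    ext_idx = path.rfind(".")
    if ext_idx == -1 or path.rfind("/") > ext_idx:
        return [f"{path}-{profile}", path]
    return [f"{path[:ext_idx]}-{profile}{path[ext_idx:]}", path]


def vulnerable_resolve(root: str, path_after_label: str) -> str:
    """Vulnerable flow: join root and path, decode again, let '..' walk up."""
    joined = root + "/" + path_after_label   # file:<root>/..%2F..%2F...
    decoded = unquote(joined)                # second decode: %2F -> /
    return posixpath.normpath(decoded)       # '..' consumes the root directory


def hardened_resolve(root: str, path_after_label: str) -> str:
    """Generic containment check (this example's own hardening, not the upstream fix).

    Reject still-encoded characters, then require the normalised candidate to
    stay at or below the repository root.
    """
    if "%" in path_after_label:
        raise ValueError("encoded characters are not allowed in a file name")
    root_norm = posixpath.normpath(root)
    candidate = posixpath.normpath(posixpath.join(root_norm, path_after_label))
    if candidate != root_norm and not candidate.startswith(root_norm + "/"):
        raise ValueError(f"path escapes repository root: {candidate}")
    return candidate


if __name__ == "__main__":
    once = servlet_decode("..%252F" * 7 + "etc%252Fpasswd")
    for cand in profile_candidates(once, "dev"):
        print(cand, "->", vulnerable_resolve(REPO_ROOT, cand))
    try:
        hardened_resolve(REPO_ROOT, once)
    except ValueError as err:
        print("hardened:", err)
```

The first profile candidate resolves to a path that does not exist, so the server falls through to the plain candidate, which normalises to /etc/passwd. Rejecting any "%" that survives the container's decode, and checking the normalised result against the root, closes both the double-encoded and the plain "../" variants.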


Remediation


Spring Cloud Config 2.1.x: upgrade to 2.1.2

Spring Cloud Config 2.0.x: upgrade to 2.0.4

Spring Cloud Config 1.4.x: upgrade to 1.4.6

Older, unsupported versions: upgrade to one of the fixed versions above.

spring-cloud-config-server should be deployed on the internal network and protected with Spring Security user authentication; an internal deployment alone does not prevent an authenticated or internal attacker from reading files, so the upgrade is still required.


For the Spring Security configuration, see the official documentation section "Securing" for Spring Cloud Config Server.

Fix commit: https://github.com/spring-cloud/spring-cloud-config/commit/3632fc6f64e567286c42c5a2f1b8142bfde505c2


References


https://pivotal.io/security/cve-2019-3799