修复struts严重漏洞:升级struts2.2到 struts2.3.1
为什么要修复请看新闻:http://www.iteye.com/news/28053
简单测试你的action地址:http://www.yourdomian.com/test.action?redirect:http://www.baidu.com 是否跳转到百度
修复struts严重漏洞:升级struts2.2到 struts2.3.1
需要升级以下包:
struts2-core-2.3.15.1.jar
struts2-spring-plugin-2.3.15.1.jar
xwork-core-2.3.15.1.jar
commons-lang3-3.1.jar
ognl-3.0.6.jar
==================================升级错误记录=====================================
启动报以下错误:
2013-7-19 12:15:26 org.apache.catalina.core.StandardContext startInternal
严重: Error filterStart
2013-7-19 12:15:26 org.apache.catalina.core.StandardContext startInternal
严重: Context [] startup failed due to previous errors
2013-7-19 12:15:26 org.apache.catalina.loader.WebappClassLoader clearReferencesJdbc
严重: The web application [] registered the JDBC driver [com.mysql.jdbc.Driver] but failed to unregister it when the web application was stopped. To prevent
a memory leak, the JDBC Driver has been forcibly unregistered.
2013-7-19 12:15:26 org.apache.catalina.loader.WebappClassLoader clearReferencesThreads
严重: The web application [] appears to have started a thread named [Xmemcached-Reactor-0] but has failed to stop it. This is very likely to create a memory
leak.
2013-7-19 12:15:26 org.apache.catalina.loader.WebappClassLoader clearReferencesThreads
严重: The web application [] appears to have started a thread named [Xmemcached-Reactor-1] but has failed to stop it. This is very likely to create a memory
leak.
2013-7-19 12:15:26 org.apache.catalina.loader.WebappClassLoader clearReferencesThreads
严重: The web application [] appears to have started a thread named [Xmemcached-Reactor-2] but has failed to stop it. This is very likely to create a memory
leak.
2013-7-19 12:15:26 org.apache.catalina.loader.WebappClassLoader clearReferencesThreads
严重: The web application [] appears to have started a thread named [Xmemcached-Reactor-3] but has failed to stop it. This is very likely to create a memory
leak.
2013-7-19 12:15:26 org.apache.catalina.loader.WebappClassLoader clearReferencesThreads
严重: The web application [] appears to have started a thread named [Heal-Session-Thread] but has failed to stop it. This is very likely to create a memory
leak.
2013-7-19 12:15:26 org.apache.catalina.loader.WebappClassLoader clearReferencesThreads
严重: The web application [] appears to have started a thread named [MySQL Statement Cancellation Timer] but has failed to stop it. This is very likely to
create a memory leak.
2013-7-19 12:15:26 org.apache.catalina.loader.WebappClassLoader clearReferencesThreads
严重: The web application [] appears to have started a thread named [startQuartz_Worker-1] but has failed to stop it. This is very likely to create a memory
leak.
....
实际的错误在:tomcat/logs/localhost.2013-07-19.log 文件中去查看
严重: Exception starting filter struts2
java.lang.NoClassDefFoundError: org/apache/commons/lang3/StringUtils
at com.opensymphony.xwork2.config.providers.XmlConfigurationProvider.register(XmlConfigurationProvider.java:211)
at org.apache.struts2.config.StrutsXmlConfigurationProvider.register(StrutsXmlConfigurationProvider.java:102)
at com.opensymphony.xwork2.config.impl.DefaultConfiguration.reloadContainer(DefaultConfiguration.java:226)
at com.opensymphony.xwork2.config.ConfigurationManager.getConfiguration(ConfigurationManager.java:67)
at org.apache.struts2.dispatcher.Dispatcher.init_PreloadConfiguration(Dispatcher.java:446)
解决:更新comons-lang 到 commons-lang3-3.1版本
严重: Exception starting filter struts2
java.lang.NoSuchMethodError: ognl.SimpleNode.isEvalChain(Lognl/OgnlContext;)Z
at com.opensymphony.xwork2.ognl.OgnlUtil.isEvalExpression(OgnlUtil.java:245)
at com.opensymphony.xwork2.ognl.OgnlUtil.compile(OgnlUtil.java:275)
at com.opensymphony.xwork2.ognl.OgnlUtil.setValue(OgnlUtil.java:230)
at com.opensymphony.xwork2.ognl.OgnlUtil.setValue(OgnlUtil.java:226)
at com.opensymphony.xwork2.ognl.OgnlUtil.internalSetProperty(OgnlUtil.java:459)
at com.opensymphony.xwork2.ognl.OgnlUtil.setProperties(OgnlUtil.java:118)
at com.opensymphony.xwork2.ognl.OgnlUtil.setProperties(OgnlUtil.java:145)
at com.opensymphony.xwork2.ognl.OgnlUtil.setProperties(OgnlUtil.java:132)
at com.opensymphony.xwork2.ognl.OgnlReflectionProvider.setProperties(OgnlReflectionProvider.java:58)
解决:更新ognl 到 ognl-3.0.6版本
升级以后:再次请求你的测试地址:http://www.yourdomian.com/test.action?redirect:http://www.baidu.com
tomcat服务器端打印:
升级过滤器: http://struts.apache.org/development/2.x/docs/webxml.html