修复struts严重漏洞:升级struts2.2到 struts2.3.1

为什么要修复请看新闻:http://www.iteye.com/news/28053

简单测试你的action地址:http://www.yourdomian.com/test.action?redirect:http://www.baidu.com  是否跳转到百度

修复struts严重漏洞:升级struts2.2到 struts2.3.1

需要升级以下包:

struts2-core-2.3.15.1.jar

struts2-spring-plugin-2.3.15.1.jar

xwork-core-2.3.15.1.jar

commons-lang3-3.1.jar

ognl-3.0.6.jar

==================================升级错误记录=====================================

启动报以下错误:

2013-7-19 12:15:26 org.apache.catalina.core.StandardContext startInternal

严重: Error filterStart

2013-7-19 12:15:26 org.apache.catalina.core.StandardContext startInternal

严重: Context [] startup failed due to previous errors

2013-7-19 12:15:26 org.apache.catalina.loader.WebappClassLoader clearReferencesJdbc

严重: The web application [] registered the JDBC driver [com.mysql.jdbc.Driver] but failed to unregister it when the web application was stopped. To prevent 

a memory leak, the JDBC Driver has been forcibly unregistered.

2013-7-19 12:15:26 org.apache.catalina.loader.WebappClassLoader clearReferencesThreads

严重: The web application [] appears to have started a thread named [Xmemcached-Reactor-0] but has failed to stop it. This is very likely to create a memory 

leak.

2013-7-19 12:15:26 org.apache.catalina.loader.WebappClassLoader clearReferencesThreads

严重: The web application [] appears to have started a thread named [Xmemcached-Reactor-1] but has failed to stop it. This is very likely to create a memory 

leak.

2013-7-19 12:15:26 org.apache.catalina.loader.WebappClassLoader clearReferencesThreads

严重: The web application [] appears to have started a thread named [Xmemcached-Reactor-2] but has failed to stop it. This is very likely to create a memory 

leak.

2013-7-19 12:15:26 org.apache.catalina.loader.WebappClassLoader clearReferencesThreads

严重: The web application [] appears to have started a thread named [Xmemcached-Reactor-3] but has failed to stop it. This is very likely to create a memory 

leak.

2013-7-19 12:15:26 org.apache.catalina.loader.WebappClassLoader clearReferencesThreads

严重: The web application [] appears to have started a thread named [Heal-Session-Thread] but has failed to stop it. This is very likely to create a memory 

leak.

2013-7-19 12:15:26 org.apache.catalina.loader.WebappClassLoader clearReferencesThreads

严重: The web application [] appears to have started a thread named [MySQL Statement Cancellation Timer] but has failed to stop it. This is very likely to 

create a memory leak.

2013-7-19 12:15:26 org.apache.catalina.loader.WebappClassLoader clearReferencesThreads

严重: The web application [] appears to have started a thread named [startQuartz_Worker-1] but has failed to stop it. This is very likely to create a memory 

leak.

....

实际的错误在:tomcat/logs/localhost.2013-07-19.log 文件中去查看

严重: Exception starting filter struts2

java.lang.NoClassDefFoundError: org/apache/commons/lang3/StringUtils

at com.opensymphony.xwork2.config.providers.XmlConfigurationProvider.register(XmlConfigurationProvider.java:211)

at org.apache.struts2.config.StrutsXmlConfigurationProvider.register(StrutsXmlConfigurationProvider.java:102)

at com.opensymphony.xwork2.config.impl.DefaultConfiguration.reloadContainer(DefaultConfiguration.java:226)

at com.opensymphony.xwork2.config.ConfigurationManager.getConfiguration(ConfigurationManager.java:67)

at org.apache.struts2.dispatcher.Dispatcher.init_PreloadConfiguration(Dispatcher.java:446)

解决:更新comons-lang 到 commons-lang3-3.1版本

严重: Exception starting filter struts2

java.lang.NoSuchMethodError: ognl.SimpleNode.isEvalChain(Lognl/OgnlContext;)Z

at com.opensymphony.xwork2.ognl.OgnlUtil.isEvalExpression(OgnlUtil.java:245)

at com.opensymphony.xwork2.ognl.OgnlUtil.compile(OgnlUtil.java:275)

at com.opensymphony.xwork2.ognl.OgnlUtil.setValue(OgnlUtil.java:230)

at com.opensymphony.xwork2.ognl.OgnlUtil.setValue(OgnlUtil.java:226)

at com.opensymphony.xwork2.ognl.OgnlUtil.internalSetProperty(OgnlUtil.java:459)

at com.opensymphony.xwork2.ognl.OgnlUtil.setProperties(OgnlUtil.java:118)

at com.opensymphony.xwork2.ognl.OgnlUtil.setProperties(OgnlUtil.java:145)

at com.opensymphony.xwork2.ognl.OgnlUtil.setProperties(OgnlUtil.java:132)

at com.opensymphony.xwork2.ognl.OgnlReflectionProvider.setProperties(OgnlReflectionProvider.java:58)

解决:更新ognl 到 ognl-3.0.6版本

升级以后:再次请求你的测试地址:http://www.yourdomian.com/test.action?redirect:http://www.baidu.com

tomcat服务器端打印:


修复struts严重漏洞:升级struts2.2到 struts2.3.1
 

升级过滤器: http://struts.apache.org/development/2.x/docs/webxml.html