Question
I have the same problem as in the question; the only answer there is to upgrade the spring-boot version to 2.0.6. However, I currently have version 2.1.6.RELEASE and I still have the same vulnerability in the report.
Answer 1:
Your scan report should have an abstract, explanation, and recommendation for the issue. (Here are a few links to help you generate the report: "Fortify file (.fpr file) to PDF conversion", "How do I generate a report that has all the issues?")
In short, this issue exists because Spring Boot Actuator exposes JMX management endpoints by default. JMX uses Java serialization to send and receive messages; an attacker who is able to connect and authenticate to the Actuator JMX endpoints will be able to send a malicious Java serialization payload, which may run arbitrary code when the JMX endpoint deserializes it.
Fix: SpringBoot Actuator JMX endpoints may be disabled by adding the following properties to the application.properties file:
endpoints.jmx.enabled=false
management.endpoints.jmx.exposure.exclude=*
Note: endpoints.jmx.enabled=false is deprecated.
There's also a nice answer on MicroFocus.
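The configuration change above, written out as an added example (not part of the original answer or of Spring Boot's own documentation): a Spring Boot 2.1.x application.properties showing what the defaults amount to beside the hardened form. The property names come from the Spring Boot 2.x actuator configuration; spring.jmx.enabled is an assumed extra switch that turns off Spring's MBean export entirely rather than only hiding the actuator endpoints, and the web exposure line is included only so the HTTP side is pinned explicitly rather than widened by accident.

```properties
# --- Weak: what a Spring Boot 2.1.x app gets with no setting at all ---
# With the Actuator starter on the classpath, every actuator endpoint is
# exposed over JMX by default, so leaving the file empty is equivalent to:
#   management.endpoints.jmx.exposure.include=*
#   spring.jmx.enabled=true

# --- Hardened ---
# Hide all actuator endpoints from JMX (the setting the answer recommends;
# this replaces the deprecated endpoints.jmx.enabled=false).
management.endpoints.jmx.exposure.exclude=*

# Assumed additional switch: disable Spring's JMX MBean export altogether so
# no MBeanServer-backed endpoint is registered even if the line above is
# misapplied. (Spring Boot 2.2 and later default this to false.)
spring.jmx.enabled=false

# Pin HTTP exposure to the two read-only endpoints operators usually need;
# an unrelated "include=*" here would reopen the attack surface over HTTP.
management.endpoints.web.exposure.include=health,info
```

After restarting, the quickest offline check is that the scan no longer flags the actuator JMX finding and that no `org.springframework.boot:type=Endpoint,*` MBeans appear in jconsole or jcmd output for the process.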
Source: https://stackoverflow.com/questions/61141809/forttify-dynamic-code-evaluation-unsafe-deserialization-on-spring-boot-actuator