Forttify dynamic-code-evaluation-unsafe-deserialization on Spring Boot Actuator 2.1.6

心不动则不痛 提交于 2021-02-10 14:47:47

问题


I have the same problem as in the question, the only answer is to upgrade the spring-boot version to 2.0.6. However, I currently have version 2.1.6.RELEASE and I still have the same vulnerability in the report.


回答1:


Your scan report should have an abstract, explanation, and recommendation for the issue. (Here are a few links to help you generate the report - Fortify file (.fpr file) to PDF convertion, How do I generate a report that has all the issues?)

In short, this issue is because SpringBoot Actuator exposes JMX management endpoints by default. JMX uses Java serialization to send/receive messages, an attacker that is able to connect and authenticate to the Actuator JMX endpoints will be able to send a malicious Java serialization payload which may run arbitrary code upon deserialization by the JMX endpoint.


Fix: SpringBoot Actuator JMX endpoints may be disabled by adding the following properties to the application.properties file:

endpoints.jmx.enabled=false
management.endpoints.jmx.exposure.exclude=*

Note: endpoints.jmx.enabled=false is deprecated

There's also a nice answer on MicroFocus



来源:https://stackoverflow.com/questions/61141809/forttify-dynamic-code-evaluation-unsafe-deserialization-on-spring-boot-actuator

易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!