Nacos升级到2.2.1
因为NVDB-CNVDB-2023674205漏洞,客户要求对Nacos进行安全加固。Nacos 是一款构建云原生应用的服务管理平台,其在默认配置下未对密钥进行修改,导致攻击者可以绕过密钥认证进入后台,造成系统受控等后果。具体表现为,在application.properties文件中的配置项具有默认值,而多数用户不修改导致。理论上,Nacos作为私域应用,不面向互联网开放,该漏洞可以无视。但客户
升级原因
因为NVDB-CNVDB-2023674205漏洞,客户要求对Nacos进行安全加固。
NVDB-CNVDB-2023674205漏洞:Nacos 是一款构建云原生应用的服务管理平台,其在默认配置下未对密钥进行修改,导致攻击者可以绕过密钥认证进入后台,造成系统受控等后果。
具体表现为,在application.properties文件中的配置项具有默认值,而多数用户不修改导致。nacos.core.auth.default.token.secret.key=SecretKey012345678901234567890123456789012345678901234567890123456789
理论上,Nacos作为私域应用,不面向互联网开放,该漏洞可以无视。但客户就是上帝,上帝的话不得不听。
解决方案
将Nacos升级到最新版本。
最新版本下载地址:https://github.com/alibaba/nacos/releases
最新版本中,nacos.core.auth.default.token.secret.key被弃用,取而代之的是nacos.core.auth.plugin.nacos.token.secret.key,且没有默认值。直接启动将会报错如下(报错信息夹杂在繁多的错误提示中,很不明显):
2023-03-29 14:52:48,107 ERROR Error starting Tomcat context. Exception: org.springframework.beans.factory.UnsatisfiedDependencyException. Message: Error creating bean with name 'basicAuthenticationFilter' defined in class path resource [com/alibaba/nacos/prometheus/filter/PrometheusAuthFilter.class]: Unsatisfied dependency expressed through method 'basicAuthenticationFilter' parameter 0; nested exception is org.springframework.beans.factory.UnsatisfiedDependencyException: Error creating bean with name 'nacosAuthConfig' defined in URL [jar:file:/D:/downloads/nacos/target/nacos-server.jar!/BOOT-INF/lib/nacos-plugin-default-impl-2.2.1.jar!/com/alibaba/nacos/plugin/auth/impl/NacosAuthConfig.class]: Unsatisfied dependency expressed through constructor parameter 1; nested exception is org.springframework.beans.factory.UnsatisfiedDependencyException: Error creating bean with name 'tokenManagerDelegate': Unsatisfied dependency expressed through field 'jwtTokenManager'; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'jwtTokenManager' defined in URL [jar:file:/D:/downloads/nacos/target/nacos-server.jar!/BOOT-INF/lib/nacos-plugin-default-impl-2.2.1.jar!/com/alibaba/nacos/plugin/auth/impl/token/impl/JwtTokenManager.class]: Instantiation of bean failed; nested exception is org.springframework.beans.BeanInstantiationException: Failed to instantiate [com.alibaba.nacos.plugin.auth.impl.token.impl.JwtTokenManager]: Constructor threw exception; nested exception is java.lang.IllegalArgumentException: the length of secret key must great than or equal 32 bytes; And the secret key must be encoded by base64.Please see https://nacos.io/zh-cn/docs/v2/guide/user/auth.html
可以通过以下地址生成密钥。https://base64.us/
更多推荐
所有评论(0)