general java

spring 보안 이슈 (cve-2018-1275)

'김용환' 2018. 4. 11. 11:35

스프링 보안 이슈(https://spring.io/blog/2018/04/09/cve-2018-1275-address-partial-fix-for-cve-2018-1270)가 발생했다.


Spring Framework, versions 5.0.x prior to 5.0.5 and versions 4.3.x prior to 4.3.16, and older unsupported versions allow applications to expose STOMP over WebSocket endpoints with a simple, in-memory STOMP broker through the spring-messaging module. A malicious user (or attacker) can craft a message to the broker that can lead to a remote code execution attack.


https://spring.io/blog/2018/04/05/multiple-cve-reports-published-for-the-spring-framework




spring 2.0.1과 spring 1.5.12를 사용하길 권고한다고 떴다.


https://spring.io/blog/2018/04/05/spring-boot-2-0-1-available-now


https://spring.io/blog/2018/04/10/spring-boot-1-5-12-available-now



요약하면.



Spring Framework 5.0.x ->Spring Framework 5.0.5 로 업그레이드

Spring Framework 4.3.x -> Spring Framework 4.3.16 로 업그레이드


Spring Boot 2.0.0 -> Spring Boot 2.0.1로 업그레이드

Spring Boot 1.x.0 -> Spring Boot 1.5.12로 업그레이드