高防服务器
  • 电 话:400-808-5836
  • MSN :huad@live.com
  • 客服QQ:4698328 9291215
  • 咨询邮箱:sales@fobhost.com
  • 售后:services@fobhost.com
  • 网 址:https://www.gaofangfuwuqi.cn/
    • 首页 新闻资讯 新闻资讯 jar包升级之解决方案 jackson-mapper-asl

    jar包升级之解决方案 jackson-mapper-asl

    项目背景: 应要求项目进行jar包升级,扫描到的jackson-mapper-asl-1.9.6.jar 具有高危漏洞
    CVE-2018-14718 ==>    cve详情

    描述: 2.9.7 之前的 FasterXML jackson-databind 2.x 可能允许远程攻击者通过利用失败来阻止 slf4j-ext 类进行多态反序列化来执行任意代码。

    当前项目使用的依赖是jackson-mapper-asl-1.9.6.jar

    查阅mvnrepository官网依赖 可知 其最新的更新版本是1.9.13 而上文提到的是 jackson-databaind 两者artifactId 都对应不上,推测jackson-mapper-asl 迁移到了 jackson-databaind.

    打开jackson-mapper-asl的mvn官网地址 发现确实已经迁移到了jackson-databind

    此时我们只需要剔除jackson-mapper-asl的依赖,并加入迁移后的指定版本的依赖即可:

    <!-- https://mvnrepository.com/artifact/com.fasterxml.jackson.core/jackson-databind --> <dependency>     <groupId>com.fasterxml.jackson.core</groupId>     <artifactId>jackson-databind</artifactId>     <version>2.13.0</version> </dependency>

    而用idea去在项目中查询时却并未发现jackson-mapper-asl,那他是怎么引进来的呢,继续探索发现:

    项目中引入了jackson-jaxrs,而他依赖于jackson-mapper-asl;

    于是点开jackson-jaxrs mvn地址 发现它也前移到了 jackson-jaxrs-json-provider

    查看最新版本引用的jackson-databind版本 发现是想要的

    直接在项目中引入即可

            <dependency>             <groupId>com.fasterxml.jackson.jaxrs</groupId>             <artifactId>jackson-jaxrs-json-provider</artifactId>             <version>2.13.0</version>         </dependency>

    最后启动项目发现报错:

    21:29:36.854 - WARN [org.springframework.boot.context.embedded.AnnotationConfigEmbeddedWebApplicationContext:551] - Exception encountered during context initialization - cancelling refresh attempt: org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'sessionManage': Cannot create inner bean 'org.codehaus.jackson.jaxrs.JacksonJaxbJsonProvider#6f74669c' of type [org.codehaus.jackson.jaxrs.JacksonJaxbJsonProvider] while setting bean property 'providers' with key [0]; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'org.codehaus.jackson.jaxrs.JacksonJaxbJsonProvider#6f74669c': Failed to introspect bean class [org.codehaus.jackson.jaxrs.JacksonJaxbJsonProvider] for lookup method metadata: could not find class that it depends on; nested exception is java.lang.NoClassDefFoundError: org/codehaus/jackson/map/JsonMappingException 21:29:36.866 - ERROR [org.springframework.boot.SpringApplication:771] - Application startup failed org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'sessionManage': Cannot create inner bean 'org.codehaus.jackson.jaxrs.JacksonJaxbJsonProvider#6f74669c' of type [org.codehaus.jackson.jaxrs.JacksonJaxbJsonProvider] while setting bean property 'providers' with key [0]; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'org.codehaus.jackson.jaxrs.JacksonJaxbJsonProvider#6f74669c': Failed to introspect bean class [org.codehaus.jackson.jaxrs.JacksonJaxbJsonProvider] for lookup method metadata: could not find class that it depends on; nested exception is java.lang.NoClassDefFoundError: org/codehaus/jackson/map/JsonMappingException     at org.springframework.beans.factory.support.BeanDefinitionValueResolver.resolveInnerBean(BeanDefinitionValueResolver.java:313)

    点开对应的配置文件,是配置的javaBean找不到了

    联想到jackson-databind迁移以后权限定类名的改变

    打开jackson-databind的包 找到对应的JacksonJaxbJsonProvider类的全限定类名 复制粘贴替换即可

    [温馨提示:高防服务器能助您降低 IT 成本,提升运维效率,使您更专注于核心业务创新。]

    [图文来源于网络,不代表本站立场,如有侵权,请联系高防服务器网删除]