一、jackson-databind漏洞
国家信息安全漏洞库:http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-201906-867
二、发现项目中有使用2.6.3版本的jackson,所以进行升级
jackson-databind 升级到2.9.9.1、 jackson-core升级到2.9.9
<dependency>
<groupId>com.fasterxml.jackson.core</groupId>
<artifactId>jackson-core</artifactId>
<version>2.9.9</version>
</dependency>
<dependency>
<groupId>com.fasterxml.jackson.core</groupId>
<artifactId>jackson-databind</artifactId>
<version>2.9.9.1</version>
</dependency>
三、测试环境发布时,报错,如下
2019-07-24 20:59:52,770 ERROR localhost-startStop-1 [TomcatStarter] Error starting Tomcat context.
Exception: org.springframework.beans.factory.BeanCreationException.
Message: Error creating bean with name 'httpPutFormContentFilter' defined in class path resource [org/springframework/boot/autoconfigure/web/WebMvcAutoConfiguration.class]: Bean instantiation via factory method failed;
nested exception is org.springframework.beans.BeanInstantiationException: Failed to instantiate [org.springframework.boot.web.filter.OrderedHttpPutFormContentFilter]: Factory method 'httpPutFormContentFilter' threw exception;
nested exception is java.lang.NoClassDefFoundError: Could not initialize class com.fasterxml.jackson.databind.ObjectMapper
2019-07-24 20:59:52,836 INFO main [StandardService] Stopping service [Tomcat]
2019-07-24 20:59:52,983 WARN localhost-startStop-1 [WebappClassLoaderBase] The web application [express-as] appears to have started a thread named [RxIoScheduler-1 (Evictor)] but has failed to stop it. This is very likely to create a memory leak. Stack trace of thread:
sun.misc.Unsafe.park(Native Method)
java.util.concurrent.locks.LockSupport.parkNanos(LockSupport.java:215)
java.util.concurrent.locks.AbstractQueuedSynchronizer$ConditionObject.awaitNanos(AbstractQueuedSynchronizer.java:2078)
java.util.concurrent.ScheduledThreadPoolExecutor$DelayedWorkQueue.take(ScheduledThreadPoolExecutor.java:1093)
java.util.concurrent.ScheduledThreadPoolExecutor$DelayedWorkQueue.take(ScheduledThreadPoolExecutor.java:8