Nacos升级到2.2.1

升级原因

因为NVDB-CNVDB-2023674205漏洞，客户要求对Nacos进行安全加固。

NVDB-CNVDB-2023674205漏洞：Nacos 是一款构建云原生应用的服务管理平台，其在默认配置下未对密钥进行修改，导致攻击者可以绕过密钥认证进入后台，造成系统受控等后果。

具体表现为，在application.properties文件中的配置项具有默认值，而多数用户不修改导致。nacos.core.auth.default.token.secret.key=SecretKey012345678901234567890123456789012345678901234567890123456789

理论上，Nacos作为私域应用，不面向互联网开放，该漏洞可以无视。但客户就是上帝，上帝的话不得不听。

解决方案

将Nacos升级到最新版本。

最新版本下载地址：https://github.com/alibaba/nacos/releases

最新版本中，nacos.core.auth.default.token.secret.key被弃用，取而代之的是nacos.core.auth.plugin.nacos.token.secret.key，且没有默认值。直接启动将会报错如下（报错信息夹杂在繁多的错误提示中，很不明显）：

2023-03-29 14:52:48,107 ERROR Error starting Tomcat context. Exception: org.springframework.beans.factory.UnsatisfiedDependencyException. Message: Error creating bean with name 'basicAuthenticationFilter' defined in class path resource [com/alibaba/nacos/prometheus/filter/PrometheusAuthFilter.class]: Unsatisfied dependency expressed through method 'basicAuthenticationFilter' parameter 0; nested exception is org.springframework.beans.factory.UnsatisfiedDependencyException: Error creating bean with name 'nacosAuthConfig' defined in URL [jar:file:/D:/downloads/nacos/target/nacos-server.jar!/BOOT-INF/lib/nacos-plugin-default-impl-2.2.1.jar!/com/alibaba/nacos/plugin/auth/impl/NacosAuthConfig.class]: Unsatisfied dependency expressed through constructor parameter 1; nested exception is org.springframework.beans.factory.UnsatisfiedDependencyException: Error creating bean with name 'tokenManagerDelegate': Unsatisfied dependency expressed through field 'jwtTokenManager'; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'jwtTokenManager' defined in URL [jar:file:/D:/downloads/nacos/target/nacos-server.jar!/BOOT-INF/lib/nacos-plugin-default-impl-2.2.1.jar!/com/alibaba/nacos/plugin/auth/impl/token/impl/JwtTokenManager.class]: Instantiation of bean failed; nested exception is org.springframework.beans.BeanInstantiationException: Failed to instantiate [com.alibaba.nacos.plugin.auth.impl.token.impl.JwtTokenManager]: Constructor threw exception; nested exception is java.lang.IllegalArgumentException: the length of secret key must great than or equal 32 bytes; And the secret key  must be encoded by base64.Please see https://nacos.io/zh-cn/docs/v2/guide/user/auth.html

可以通过以下地址生成密钥。https://base64.us/