目前使用的dubbo版本为2.6.4
生产要求升级至2.6.12、2.7.15、3.0.5及以上版本
根据实际情况,现将dubbo版本升级至2.7.15
一、dubbo漏洞场景一
原依赖
<!-- Pre-upgrade dependency set recorded for scenario 1 (Dubbo 2.6.4); shown for comparison with the upgraded set. -->
<!-- NOTE(review): Maven Central publishes Dubbo 2.6.x as com.alibaba:dubbo; the groupIds below may have been retyped, confirm them against the real pom. -->
<dependency>
<groupId>org.apache.dubbo</groupId>
<artifactId>dubbo-spring-boot-starter</artifactId>
<version>2.0.0</version>
</dependency>
<dependency>
<groupId>org.apache</groupId>
<artifactId>dubbo</artifactId>
<version>2.6.4</version>
</dependency>
<dependency>
<groupId>org.apache.zookeeper</groupId>
<artifactId>zookeeper</artifactId>
<version>3.4.6</version>
</dependency>
<!-- Curator's own transitive ZooKeeper is excluded; the ZooKeeper version comes from the explicit declaration above. -->
<dependency>
<groupId>org.apache.curator</groupId>
<artifactId>curator-recipes</artifactId>
<version>2.12.0</version>
<exclusions>
<exclusion>
<groupId>org.apache.zookeeper</groupId>
<artifactId>zookeeper</artifactId>
</exclusion>
</exclusions>
</dependency>
升级后依赖
<!-- Post-upgrade dependency set for scenario 1: both Dubbo artifacts move to 2.7.15, the version this page selects from the required minimums (2.6.12 / 2.7.15 / 3.0.5). -->
<dependency>
<groupId>org.apache.dubbo</groupId>
<artifactId>dubbo-spring-boot-starter</artifactId>
<version>2.7.15</version>
</dependency>
<!-- NOTE(review): Maven Central publishes Dubbo 2.7.x as org.apache.dubbo:dubbo; confirm that groupId org.apache resolves in your repository. -->
<!-- After the change, run mvn dependency:tree and confirm that no Dubbo 2.6.x jar is still pulled in transitively. -->
<!-- An older jar under a different groupId is not replaced by this declaration and would stay on the classpath. -->
<dependency>
<groupId>org.apache</groupId>
<artifactId>dubbo</artifactId>
<version>2.7.15</version>
</dependency>
<!-- ZooKeeper stays at 3.4.6 in this upgrade. -->
<!-- NOTE(review): the 3.4.x line is end-of-life upstream; check it against your own advisory list as a separate item. -->
<dependency>
<groupId>org.apache.zookeeper</groupId>
<artifactId>zookeeper</artifactId>
<version>3.4.6</version>
</dependency>
<!-- Curator moves from 2.12.0 to 4.2.0; its transitive ZooKeeper is excluded, so the 3.4.6 declared above is the one used. -->
<!-- NOTE(review): Curator 4.x targets ZooKeeper 3.5 and supports 3.4.x only in its compatibility mode; verify registry connectivity in a test environment before release. -->
<dependency>
<groupId>org.apache.curator</groupId>
<artifactId>curator-recipes</artifactId>
<version>4.2.0</version>
<exclusions>
<exclusion>
<groupId>org.apache.zookeeper</groupId>
<artifactId>zookeeper</artifactId>
</exclusion>
</exclusions>
</dependency>
鉴于dubbo 2.7.x及之后的版本已由alibaba交由apache管理,故将程序中对com.alibaba.dubbo的引用修改为org.apache.dubbo
//基于生产情况,将@EnableDubboConfiguration修改为@EnableDubbo
// import com.alibaba.dubbo.spring.boot.annotation.EnableDubboConfiguration;
import org.apache.dubbo.config.spring.context.annotation.EnableDubbo;
二、dubbo漏洞场景二
原依赖
<!-- Pre-upgrade Dubbo dependency recorded for scenario 2 (2.6.4); shown for comparison with the upgraded set. -->
<!-- NOTE(review): Maven Central publishes Dubbo 2.6.x as com.alibaba:dubbo; confirm this groupId against the real pom. -->
<dependency>
<groupId>org.apache</groupId>
<artifactId>dubbo</artifactId>
<version>2.6.4</version>
</dependency>
现依赖
<!-- Post-upgrade dependency set for scenario 2: Dubbo moves from 2.6.4 to 2.7.15. -->
<!-- NOTE(review): Maven Central publishes Dubbo 2.7.x as org.apache.dubbo:dubbo; confirm that groupId org.apache resolves in your repository. -->
<!-- After the change, run mvn dependency:tree and confirm that no Dubbo 2.6.x jar remains on the classpath through another dependency. -->
<dependency>
<groupId>org.apache</groupId>
<artifactId>dubbo</artifactId>
<version>2.7.15</version>
</dependency>
<!-- Newly added in this scenario. Per the author's note after this snippet, it lets the existing @Reference annotations keep working. -->
<!-- TODO confirm that claim against the Dubbo 2.7 documentation. -->
<dependency>
<groupId>com.alibaba.spring</groupId>
<artifactId>spring-context-support</artifactId>
<version>1.0.11</version>
</dependency>
//基于生产情况,将@EnableDubboConfiguration修改为@EnableDubbo
// import com.alibaba.dubbo.spring.boot.annotation.EnableDubboConfiguration;
import org.apache.dubbo.config.spring.context.annotation.EnableDubbo;
//spring-context-support.jar支持@Reference注解,无需替换为apache的@DubboReference
三、dubbo漏洞场景三
该生产版本是spring项目,使用applicationContext.xml文件配置dubbo
原依赖及文件不可考,现仅展示修复方式
替换如下依赖
该生产版本的spring框架版本过低,升级spring及dubbo相关依赖
补充:还需新增curator-recipes-2.9.1.jar依赖
//applicationContext.xml修改头信息
//将alibaba的dubbo地址修改为apache的dubbo地址
//xmlns:dubbo="http://dubbo.apache.org/schema/dubbo"
//http://dubbo.apache.org/schema/dubbo //http://dubbo.apache.org/schema/dubbo/dubbo.xsd
//修改后头信息如下
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:task="http://www.springframework.org/schema/task"
xmlns:jee="http://www.springframework.org/schema/jee" xmlns:tx="http://www.springframework.org/schema/tx"
xmlns:dubbo="http://dubbo.apache.org/schema/dubbo"
xmlns:context="http://www.springframework.org/schema/context"
xsi:schemaLocation="
http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util-3.0.xsd
http://www.springframework.org/schema/jee http://www.springframework.org/schema/jee/spring-jee-3.0.xsd
http://www.springframework.org/schema/lang http://www.springframework.org/schema/lang/spring-lang-3.0.xsd
http://www.springframework.org/schema/jms http://www.springframework.org/schema/jms/spring-jms-3.0.xsd
http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx-3.0.xsd
http://www.springframework.org/schema/aop http://www.springframework.org/schema/aop/spring-aop-3.0.xsd
http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-3.0.xsd
http://dubbo.apache.org/schema/dubbo http://dubbo.apache.org/schema/dubbo/dubbo.xsd"
default-lazy-init="true">