RocketMQ upgrades depend on the jar package version

Keywords: Apache network vim xml

Today, we found a new vulnerability in Aliyun's Cloud Security Center, which is called "fastjson < 1.2.60 Remote Denial of Service vulnerability".

Generally speaking, if fastjson version is not updated, attackers may exploit the vulnerability to exhaust the CPU, memory and other resources of the server, and ultimately deny service.
From the affected assets, it can be seen that rocketmq's dependency jar package contains fastjson.

So I think about it carefully. In our several environments, rocketmq of production environment, pre-launch environment and test environment can only be invoked through Ali Cloud Intranet. There is no possibility of being attacked. Only the development environment of Ali Cloud has external network invocation, so the fastjson.jar of rocketmq of development environment needs to be updated to 1.2.60. Edition.

1. Thoughts

Rocketmq, which I installed before, is a binary package that I downloaded directly. This time we need to change the version of dependent package, so we must download the source package of the corresponding version, and then change the version of fastjson in the pom file to 1.2.60, and compile it. After compiling, stop the original rocketmq installation, and copy some files (configuration file, startup file, log directory, storage directory) which have been modified into the new rocketmq, then start the new rockermq.

2. Download source packages for the corresponding version

Download address is
My version of rocketmq is 4.3.0, so download the source package in the figure below.

3. After downloading, the steps are: decompression -> modification of pom file -> compilation and packaging.

[root@devops-01 test]# unzip 
[root@devops-01 test]# cd rocketmq-all-4.3.0
[root@devops-01 rocketmq-all-4.3.0]# vim pom.xml 
[root@devops-01 rocketmq-all-4.3.0]# mvn -Prelease-all -DskipTests clean install -U
[root@devops-01 rocketmq-all-4.3.0]# cd distribution/target

In this directory you will see the packaged installation package.

4. Copy files to the new rocketmq

[root@devops-01 target]# cp /usr/local/rocketmq-4.3.0/conf/broker.conf apache-rocketmq/conf/
[root@devops-01 target]# cp /usr/local/rocketmq-4.3.0/conf/ apache-rocketmq/conf/
[root@devops-01 target]# cp /usr/local/rocketmq-4.3.0/bin/ apache-rocketmq/conf/ apache-rocketmq/bin/
[root@devops-01 target]# cp /usr/local/rocketmq-4.3.0/bin/ apache-rocketmq/conf/ apache-rocketmq/bin/
//The process of killing rocketmq
[root@devops-01 target]# cp -rf /usr/local/rocketmq-4.3.0/logs apache-rocketmq/
[root@devops-01 target]# cp -rf /usr/local/rocketmq-4.3.0/store apache-rocketmq/
[root@devops-01 target]# mv /usr/local/rocketmq-4.3.0 /tmp/
[root@devops-01 target]# mv apache-rocketmq /usr/local/rocketmq-4.3.0

5. Then just start rocketmq

nohup sh /usr/local/rocketmq-4.3.0/bin/mqnamesrv -c /usr/local/rocketmq-4.3.0/conf/ >> /usr/local/rocketmq-4.3.0/logs/mqnamesrv_stdout.log 2>&1 &
nohup sh /usr/local/rocketmq-4.3.0/bin/mqbroker -c /usr/local/rocketmq-4.3.0/conf/broker.conf >> /usr/local/rocketmq-4.3.0/logs/broker_stdout.log 2>&1 &

In this way, the upgrade of rocketmq depends on the version of the jar package. You can go to the new rocketmq to see if the previous topic is still there. Of course, the answer is yes.

Reference article:

Posted by WebbieDave on Fri, 06 Sep 2019 02:34:14 -0700