Today we found a new alert in Aliyun's Cloud Security Center, named "fastjson < 1.2.60 Remote Denial of Service vulnerability".
In short, if the fastjson version is not updated, attackers can exploit the vulnerability to exhaust the server's CPU, memory and other resources and ultimately deny service.
From the list of affected assets it can be seen that rocketmq's dependency jars include fastjson.
Thinking it over: in our environments, the rocketmq instances of the production, pre-launch and test environments can only be reached over the Ali Cloud intranet, so there is no possibility of them being attacked. Only the development environment on Ali Cloud is reachable from the external network, so the fastjson jar of the development environment's rocketmq needs to be updated to version 1.2.60.
1. Thoughts
The rocketmq I installed before was a binary package downloaded directly. This time we need to change the version of a dependency, so we must download the source package of the corresponding version, change the fastjson version in the pom file to 1.2.60, and compile it. After compiling, stop the original rocketmq installation, copy the files that had been modified (configuration files, startup scripts, log directory, storage directory) into the new rocketmq, and then start the new rocketmq.
2. Download source packages for the corresponding version
The download address is http://rocketmq.apache.org/dowloading/releases/
My rocketmq version is 4.3.0, so download the source package shown in the figure below.
3. After downloading, the steps are: decompress -> modify the pom file -> compile and package.
[root@devops-01 test]# unzip rocketmq-all-4.3.0-source-release.zip
[root@devops-01 test]# cd rocketmq-all-4.3.0
[root@devops-01 rocketmq-all-4.3.0]# vim pom.xml
    <dependency>
        <groupId>com.alibaba</groupId>
        <artifactId>fastjson</artifactId>
        <version>1.2.60</version>
    </dependency>
[root@devops-01 rocketmq-all-4.3.0]# mvn -Prelease-all -DskipTests clean install -U
[root@devops-01 rocketmq-all-4.3.0]# cd distribution/target
In this directory you will see the packaged installation package.
4. Copy files to the new rocketmq
[root@devops-01 target]# cp /usr/local/rocketmq-4.3.0/conf/broker.conf apache-rocketmq/conf/
[root@devops-01 target]# cp /usr/local/rocketmq-4.3.0/conf/nameser.properties apache-rocketmq/conf/
[root@devops-01 target]# cp /usr/local/rocketmq-4.3.0/bin/runserver.sh apache-rocketmq/bin/
[root@devops-01 target]# cp /usr/local/rocketmq-4.3.0/bin/runbroker.sh apache-rocketmq/bin/
# stop the running rocketmq namesrv and broker processes at this point (the kill commands are not shown)
[root@devops-01 target]# cp -rf /usr/local/rocketmq-4.3.0/logs apache-rocketmq/
[root@devops-01 target]# cp -rf /usr/local/rocketmq-4.3.0/store apache-rocketmq/
[root@devops-01 target]# mv /usr/local/rocketmq-4.3.0 /tmp/
[root@devops-01 target]# mv apache-rocketmq /usr/local/rocketmq-4.3.0
5. Then just start rocketmq
nohup sh /usr/local/rocketmq-4.3.0/bin/mqnamesrv -c /usr/local/rocketmq-4.3.0/conf/nameser.properties >> /usr/local/rocketmq-4.3.0/logs/mqnamesrv_stdout.log 2>&1 &
nohup sh /usr/local/rocketmq-4.3.0/bin/mqbroker -c /usr/local/rocketmq-4.3.0/conf/broker.conf >> /usr/local/rocketmq-4.3.0/logs/broker_stdout.log 2>&1 &
With this, the upgrade of the jar package that rocketmq depends on is complete. You can check in the new rocketmq whether the previous topics are still there; of course, the answer is yes.
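Checking that the old topics survived confirms the data migration, but not that the vulnerable jar is gone. The script below is an added check, not part of the original post: it lists the fastjson jar(s) in a RocketMQ lib/ directory and verifies the version is at least 1.2.60. It assumes the standard binary layout in which dependencies sit in lib/ as fastjson-<version>.jar; the sample directories and jar names are constructed for the demonstration.

```shell
#!/bin/sh
# Added check (not from the original post): verify which fastjson jar the
# rebuilt RocketMQ actually carries. Assumes dependencies live in lib/ as
# fastjson-<version>.jar; sample trees below are constructed for the demo.

# True (exit 0) when dotted version $1 >= $2, compared field by field.
version_ge() {
    i=1
    while [ "$i" -le 4 ]; do
        x=$(printf '%s' "$1" | cut -d. -f"$i"); x=${x%%[!0-9]*}; x=${x:-0}
        y=$(printf '%s' "$2" | cut -d. -f"$i"); y=${y%%[!0-9]*}; y=${y:-0}
        [ "$x" -gt "$y" ] && return 0
        [ "$x" -lt "$y" ] && return 1
        i=$((i + 1))
    done
    return 0
}

# Exit 0 only if exactly one fastjson jar is in $1 and it is >= $2 (default
# 1.2.60). A leftover older copy next to the new one is flagged as well,
# because the JVM may still load the old classes if both are on the classpath.
check_fastjson() {
    libdir=$1; fixed=${2:-1.2.60}; found=0; status=0
    for jar in "$libdir"/fastjson-*.jar; do
        [ -e "$jar" ] || continue            # glob matched nothing
        found=$((found + 1))
        ver=$(basename "$jar" .jar); ver=${ver#fastjson-}
        if version_ge "$ver" "$fixed"; then
            echo "OK   $jar (>= $fixed)"
        else
            echo "BAD  $jar (< $fixed, still affected)"; status=1
        fi
    done
    [ "$found" -gt 0 ] || { echo "BAD  no fastjson jar under $libdir"; return 1; }
    [ "$found" -eq 1 ] || { echo "WARN $found fastjson jars under $libdir"; status=1; }
    return "$status"
}

# Constructed sample trees standing in for the old and the rebuilt installation.
demo=$(mktemp -d)
mkdir -p "$demo/old/lib" "$demo/new/lib"
touch "$demo/old/lib/fastjson-1.2.29.jar" "$demo/new/lib/fastjson-1.2.60.jar"
for inst in old new; do
    if check_fastjson "$demo/$inst/lib"; then echo "$inst: patched"; else echo "$inst: needs upgrade"; fi
done
rm -rf "$demo"
```

Point it at the real installation with `check_fastjson /usr/local/rocketmq-4.3.0/lib` after the swap in step 4.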
Reference article: http://rocketmq.apache.org/docs/quick-start/