For several months we have been using a vulnerability scanner (Rapid 7), and it complains that the bcel package is vulnerable. Red Hat has released an updated package, but it has not yet found its way into the CentOS 7 repositories. So far the only advice I can find is to update to the latest version of bcel in the CentOS repository, but that does not help, since the latest version appears to be the vulnerable one. And I cannot find an rpm to install manually.
The information I found at Red Hat: https://access.redhat.com/security/cve/cve-2022-42920
Current installation:
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
* base: mirror.nforce.com
* epel: ftp.nluug.nl
* extras: centos.mirror.transip.nl
* updates: centos.mirror.transip.nl
Installed Packages
Name : bcel
Arch : noarch
Version : 5.2
Release : 18.el7
Size : 525 k
Repo : installed
From repo : base
Summary : Byte Code Engineering Library
URL : http://commons.apache.org/proper/commons-bcel/
License : ASL 2.0
Description : The Byte Code Engineering Library (formerly known as JavaClass) is
: intended to give users a convenient possibility to analyze, create, and
: manipulate (binary) Java class files (those ending with .class). Classes
: are represented by objects which contain all the symbolic information of
: the given class: methods, fields and byte code instructions, in
: particular. Such objects can be read from an existing file, be
: transformed by a program (e.g. a class loader at run-time) and dumped to
: a file again. An even more interesting application is the creation of
: classes from scratch at run-time. The Byte Code Engineering Library
: (BCEL) may be also useful if you want to learn about the Java Virtual
: Machine (JVM) and the format of Java .class files. BCEL is already
: being used successfully in several projects such as compilers,
: optimizers, obsfuscators and analysis tools, the most popular probably
: being the Xalan XSLT processor at Apache.
Can anyone suggest how to deal with this situation? It seems to happen more often than I realized.
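Added example, not code from the poster or from Red Hat: Red Hat and CentOS usually ship security fixes as backports that keep the upstream version number, so a scanner that matches on version alone cannot tell a backported fix from the vulnerable build; the check below compares the installed epoch:version-release against the fixed build the way rpm does and then looks for the CVE in `rpm -q --changelog bcel` output. The installed EVR is the one from the yum output above; FIXED_EVR is a placeholder to replace with the release named in the Red Hat advisory, and the changelog text is constructed.

```python
import re
# Values from the question's yum output; FIXED_EVR is a PLACEHOLDER, not a real release:
# replace it with the fixed build named in the Red Hat advisory for CVE-2022-42920.
INSTALLED_EVR, FIXED_EVR, CVE = "5.2-18.el7", "5.2-99.el7", "CVE-2022-42920"
# Constructed stand-in for `rpm -q --changelog bcel` output (no real changelog text).
SAMPLE_CHANGELOG = "* Fri Jan 24 2014 Example Packager <pkg@example.invalid> - 5.2-18\n- Rebuild\n"

def rpmvercmp(a, b):
    """rpm-style compare: digit runs numerically, alpha runs lexically, '~' sorts lowest.
    Returns -1, 0 or 1 ('^' handling omitted)."""
    while a or b:
        a, b = re.sub(r"^[^A-Za-z0-9~]+", "", a), re.sub(r"^[^A-Za-z0-9~]+", "", b)
        if a.startswith("~") or b.startswith("~"):  # '~' marks a pre-release, sorts first
            if not (a.startswith("~") and b.startswith("~")):
                return 1 if b.startswith("~") else -1
            a, b = a[1:], b[1:]
            continue
        if not a or not b:
            break
        num, pat = a[0].isdigit(), (r"\d+" if a[0].isdigit() else r"[A-Za-z]+")
        sa, mb = re.match(pat, a).group(0), re.match(pat, b)
        if not mb:  # segment kinds differ: the numeric side is the newer one
            return 1 if num else -1
        sb = mb.group(0)
        a, b = a[len(sa):], b[len(sb):]
        if num:  # numeric: drop leading zeros, the longer run is larger
            sa, sb = sa.lstrip("0"), sb.lstrip("0")
            if len(sa) != len(sb):
                return 1 if len(sa) > len(sb) else -1
        if sa != sb:
            return 1 if sa > sb else -1
    return 0 if not a and not b else (1 if a else -1)

def evrcmp(x, y):
    """Compare 'epoch:version-release' strings; a missing epoch counts as 0."""
    def split(evr):
        epoch, sep, rest = evr.partition(":")
        ver, _, rel = (rest if sep else evr).partition("-")
        return (int(epoch) if sep else 0), ver, rel
    (ex, vx, rx), (ey, vy, ry) = split(x), split(y)
    return (ex > ey) - (ex < ey) or rpmvercmp(vx, vy) or rpmvercmp(rx, ry)

def assess(installed_evr, fixed_evr, changelog, cve):
    """Version-only scanner logic first, then the backport check the scanner skips."""
    if evrcmp(installed_evr, fixed_evr) >= 0:
        return "fixed-by-version"
    if re.search(re.escape(cve), changelog, re.IGNORECASE):
        return "fixed-by-backport"
    return "vulnerable"
```

On a real host, feed `rpm -q --qf '%{EPOCH}:%{VERSION}-%{RELEASE}' bcel` and `rpm -q --changelog bcel` into assess(); a "vulnerable" verdict with no CentOS update available is the case where the remaining options are removing the package if nothing depends on it or treating the finding as an accepted, tracked risk.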