CN110166459A - Protection method and device for a deserialization vulnerability - Google Patents


Info

Publication number: CN110166459A
Authority: CN (China)
Prior art keywords: client, address, data, weblogic, weblogic server
Legal status: Granted (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Application number: CN201910438428.7A
Other languages: Chinese (zh)
Other versions: CN110166459B (en)
Inventor: 郑祎
Current assignee: WeBank Co Ltd (the listed assignees may be inaccurate; Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list)
Original assignee: WeBank Co Ltd
Priority date: (the priority date is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed)

Events:
Application filed by WeBank Co Ltd
Priority to CN201910438428.7A
Publication of CN110166459A
Priority to PCT/CN2020/083363 (WO2020238414A1)
Application granted
Publication of CN110166459B
Legal status: Active (current)
Anticipated expiration

Abstract

The present invention relates to the field of financial technology and discloses a protection method and device for a deserialization vulnerability; it also relates to the field of computer technology. The method includes: a WebLogic server receives a data request sent by at least one client and determines whether the data request includes T3/T3S protocol data; if the WebLogic server determines that the data request includes T3/T3S protocol data, it determines whether the client's Internet Protocol (IP) address is a trusted IP address according to the client's IP address and a preconfigured IP address whitelist; if the WebLogic server determines that the client's IP address is a trusted IP address, it processes the T3/T3S protocol data. By configuring a whitelist in the WebLogic server, attacks on the deserialization vulnerability are prevented as far as possible and the security of the WebLogic server is improved.

Description

Translated from Chinese
A protection method and device for a deserialization vulnerability

Technical field

The invention relates to the technical field of financial technology (Fintech), and in particular to a protection method and device for a deserialization vulnerability.

Background

WebLogic is middleware based on the Java EE architecture that serves as a Java application server for developing, integrating, deploying and managing large-scale distributed web applications, network applications and database applications. It is widely used in government, finance, healthcare, transportation, education, scientific research and other industries.

WebLogic has Java deserialization vulnerabilities. When an attacker sends carefully constructed deserialization data to WebLogic, the vulnerability is triggered and the operation specified by the attacker is executed; the attacker can take control of the server and steal data from the database, with serious consequences.

In the prior art, deserialization of classes known to have deserialization vulnerabilities is usually forbidden. However, when a new class that triggers a deserialization vulnerability appears, the vulnerability can still be exploited and cannot be protected against. Moreover, replacing or deleting classes is problematic: a replaced class is a basic Java class, so the scope of the change is too large, and deleting a class makes every feature that depends on it unusable; either may affect the normal operation of WebLogic.

Summary of the invention

In view of this, embodiments of the present invention provide a protection method and device for a deserialization vulnerability that at least solve the problems existing in the prior art.

In one aspect, an embodiment of the present invention provides a protection method for a deserialization vulnerability, applied in a WebLogic server, comprising:

the WebLogic server receives a data request sent by at least one client and determines whether the data request includes T3/T3S protocol data;

if the WebLogic server determines that the data request includes T3/T3S protocol data, it determines whether the client's IP address is a trusted IP address according to the client's Internet Protocol (IP) address and a preconfigured IP address whitelist;

if the WebLogic server determines that the client's IP address is a trusted IP address, it processes the T3/T3S protocol data so that the request is handled by the normal flow.

Optionally, the WebLogic server determining whether the client's IP address is a trusted IP address according to the client's IP address and the preconfigured IP address whitelist includes:

when the WebLogic server executes the MuxableSocketT3 class, it obtains the startup parameters of the WebLogic server, which include the IP address whitelist;

if the WebLogic server determines that the client's IP address matches the IP address whitelist, it determines that the client's IP address is a trusted IP address.

Optionally, the method further includes:

if the WebLogic server determines that the client's IP address does not match the IP address whitelist, it refuses the connection with the client and records the data request as an attack event.

Optionally, the WebLogic server receiving a data request sent by at least one client includes:

the WebLogic server receives data requests sent by Internet clients through a proxy server, and the WebLogic server receives data requests sent by clients on the same local area network.

Optionally, before the WebLogic server receives the data request sent by at least one client, the method further includes:

the WebLogic server determines the location of the MuxableSocketT3 class; the WebLogic server adds the steps of the deserialization vulnerability protection method to the MuxableSocketT3 class.

Optionally, the WebLogic server determining the location of the MuxableSocketT3 class includes:

the WebLogic server determines the location of the MuxableSocketT3 class according to whether the MuxableSocketT3 class exists on its own.

In one aspect, an embodiment of the present invention provides a protection device for a deserialization vulnerability, comprising:

a T3/T3S protocol data determining unit, configured to receive a data request sent by at least one client and determine whether the data request includes T3/T3S protocol data;

a judging unit, configured to determine, if the data request is determined to include T3/T3S protocol data, whether the client's IP address is a trusted IP address according to the client's Internet Protocol (IP) address and a preconfigured IP address whitelist;

a T3/T3S protocol data processing unit, configured to process the T3/T3S protocol data if the client's IP address is determined to be a trusted IP address, so that the request is handled by the normal flow.

Optionally, the judging unit is specifically configured to:

when the MuxableSocketT3 class is executed, obtain the startup parameters of the WebLogic server, which include the IP address whitelist;

if the client's IP address is determined to match the IP address whitelist, determine that the client's IP address is a trusted IP address.

Optionally, the T3/T3S protocol data processing unit is further configured to:

if the client's IP address is determined not to match the IP address whitelist, refuse the connection with the client and record the data request as an attack event.

Optionally, the T3/T3S protocol data determining unit is specifically configured to:

receive data requests sent by Internet clients through a proxy server, and receive data requests sent by clients on the same local area network.

Optionally, the device further includes a configuration unit configured to: determine the location of the MuxableSocketT3 class, and add the steps of the deserialization vulnerability protection method to the MuxableSocketT3 class.

Optionally, the configuration unit is specifically configured to:

determine the location of the MuxableSocketT3 class according to whether the MuxableSocketT3 class exists on its own.

In one aspect, an embodiment of the present invention provides a computer device comprising a memory, a processor and a computer program stored in the memory and runnable on the processor, where the processor, when executing the program, implements the steps of the deserialization vulnerability protection method.

In one aspect, an embodiment of the present invention provides a computer-readable storage medium storing a computer program executable by a computer device; when the program runs on the computer device, it causes the computer device to execute the steps of the deserialization vulnerability protection method.

After the WebLogic server receives a data request sent by a client, if it determines that the data request includes T3/T3S protocol data, the request may be a Java deserialization vulnerability attack, so the server goes on to determine, from the IP address whitelist, whether the client's IP address is a trusted IP address; if it is, the T3/T3S protocol data is processed. In other words, configuring a whitelist in the WebLogic server effectively blocks T3/T3S protocol data sent by untrusted clients, prevents deserialization vulnerability attacks as far as possible, and improves the security of the WebLogic server. A whitelist configured in the WebLogic server also protects against deserialization vulnerabilities caused by newly discovered classes. In protecting against the deserialization vulnerability, no basic Java classes or classes of other shared components are modified and no classes are deleted, so the normal functions of WebLogic are unaffected and problems such as unstable application operation are avoided. Because the whitelisted entries are all clients with a high degree of trust with respect to the WebLogic server (such as servers used by internal operations staff), which will not attack the WebLogic service, the problems in the prior art are solved.

Brief description of the drawings

Fig. 1 is a schematic diagram of a scenario, provided by an embodiment of the present invention, in which a proxy server is deployed on a separate server independent of the WebLogic server;

Fig. 2 is a schematic diagram of a scenario, provided by an embodiment of the present invention, in which a proxy application and WebLogic are deployed on the same server;

Fig. 3 is a schematic flowchart of a protection method for a deserialization vulnerability provided by an embodiment of the present invention;

Fig. 4 is a schematic diagram of a WebLogic processing flow provided by an embodiment of the present invention;

Fig. 5 is a schematic flowchart of a method for locating MuxableSocketT3 provided by an embodiment of the present invention;

Fig. 6 is a schematic flowchart of a method for locating MuxableSocketT3 provided by an embodiment of the present invention;

Fig. 7 is a schematic flowchart of a protection method for a deserialization vulnerability provided by an embodiment of the present invention;

Fig. 8 is a schematic structural diagram of a protection device for a deserialization vulnerability provided by an embodiment of the present invention;

Fig. 9 is a schematic structural diagram of a computer device provided by an embodiment of the present invention.

Detailed description

To make the purpose, technical solution and beneficial effects of the present application clearer, the present application is described in further detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described here serve only to explain the present application and are not intended to limit it.

For ease of understanding, the terms involved in the embodiments of the present application are explained below.

WebLogic: WebLogic is an application server produced by Oracle Corporation of the United States; more precisely, it is middleware based on the Java EE (Java Platform, Enterprise Edition) architecture. WebLogic is a Java application server for developing, integrating, deploying and managing large-scale distributed web applications, network applications and database applications. It brings the dynamic capabilities of Java and the security of the Java Enterprise standard to the development, integration, deployment and management of large-scale network applications.

Serialization and deserialization: serialization is the process of turning an object into data that can be transmitted, and deserialization is the process of turning serialized data back into an object.

Deserialization vulnerability: if a Java application deserializes user input, that is, untrusted data, an attacker can construct malicious input that makes deserialization produce unexpected objects, and the creation of those unexpected objects may lead to arbitrary code execution. Exploiting a WebLogic Java deserialization vulnerability requires sending T3/T3S protocol packets to the port on which WebLogic provides its services. T3 is an optimized protocol for transferring data between WebLogic Server and other Java programs (including clients and other WebLogic Servers). WebLogic Server tracks every Java Virtual Machine (JVM) connected to it and creates a single T3 connection to carry all traffic for each JVM. T3S is the WebLogic T3 protocol over SSL (Secure Sockets Layer).
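The background section describes the prior-art defence (forbidding deserialization of classes known to be dangerous) and notes that a newly discovered class slips past it. The following is an added example that is not code from the patent or from WebLogic: it uses the JDK's ObjectInputFilter (Java 9 or later) with three constructed stand-in classes and no real gadget chain, and contrasts a reject-list filter that names one class with an allow-list filter that admits only the types the endpoint expects. The class names and the "hello" payload are assumptions made for the demonstration.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;

/** Reject-list versus allow-list filtering of a Java object stream (added example, Java 9+). */
public final class DeserializationFilters {

    /** Constructed stand-in for the one type this endpoint legitimately expects. */
    public static final class Greeting implements Serializable {
        private static final long serialVersionUID = 1L;
        public final String text;
        public Greeting(String text) { this.text = text; }
    }

    /** Constructed stand-in for a class already known to be dangerous (no real gadget inside). */
    public static final class KnownBad implements Serializable {
        private static final long serialVersionUID = 1L;
    }

    /** Constructed stand-in for a class nobody has listed yet: the "new class" case from the background. */
    public static final class NotYetListed implements Serializable {
        private static final long serialVersionUID = 1L;
    }

    /** Prior-art style: block one named class, admit everything else ("*"). */
    public static final ObjectInputFilter REJECT_LIST =
        ObjectInputFilter.Config.createFilter("!" + KnownBad.class.getName() + ";*");

    /** Allow-list: admit the expected type and java.base core types, reject everything else ("!*"). */
    public static final ObjectInputFilter ALLOW_LIST =
        ObjectInputFilter.Config.createFilter(Greeting.class.getName() + ";java.base/*;!*");

    public static byte[] serialize(Serializable value) throws IOException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) {
            out.writeObject(value);
        }
        return buf.toByteArray();
    }

    /** Deserializes under the given filter; returns null when the filter rejects a class in the stream. */
    public static Object readFiltered(byte[] data, ObjectInputFilter filter)
            throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data))) {
            in.setObjectInputFilter(filter);
            return in.readObject();
        } catch (InvalidClassException rejected) {
            // A REJECTED filter status surfaces as InvalidClassException before the object is built.
            return null;
        }
    }

    private static String outcome(Object o) {
        return o == null ? "rejected" : "admitted " + o.getClass().getSimpleName();
    }

    public static void main(String[] args) throws Exception {
        String[] labels = { "expected type", "listed class", "unlisted class" };
        byte[][] payloads = {
            serialize(new Greeting("hello")),
            serialize(new KnownBad()),
            serialize(new NotYetListed()),
        };
        for (int i = 0; i < payloads.length; i++) {
            System.out.printf("%-14s reject-list: %-22s allow-list: %s%n",
                labels[i], outcome(readFiltered(payloads[i], REJECT_LIST)),
                outcome(readFiltered(payloads[i], ALLOW_LIST)));
        }
    }
}
```

The third row is the point of the background paragraph: the reject-list admits NotYetListed because it was never named, while the allow-list rejects it without anyone having to update a list. The patent's approach sidesteps the question entirely by deciding on the source address before any T3/T3S object stream is read.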

In practice, the inventor found that WebLogic's default service port is 7001 and that this single port serves HTTP (Hypertext Transfer Protocol)/HTTPS (Hypertext Transfer Protocol Secure), SNMP (Simple Network Management Protocol), T3/T3S and other protocols. Because WebLogic's different protocols all share one port, a Java deserialization vulnerability cannot be protected against by restricting port access with a firewall. With the development of financial technology, financial institutions (such as banks, insurers and securities firms) have ever higher technical requirements, and the traditional approach to deserialization falls seriously short of what banks and other financial institutions require. An idea was therefore first proposed: add a proxy server between the client and the WebLogic server of a financial institution such as a bank, so that request data for the Java deserialization vulnerability is filtered by the proxy server and never reaches the WebLogic server.

The idea of this protection is that, of the data sent by users, only data conforming to the HTTP/HTTPS protocols can pass through the proxy server and be forwarded to the WebLogic server. Because Java deserialization data uses the T3/T3S protocols and does not conform to HTTP/HTTPS, it is filtered by the proxy server, the WebLogic server never receives the Java deserialization data, and the vulnerability is thereby protected against.

However, the applicant found during experiments that different placements of the proxy server lead to different results. Specifically, there are several deployment schemes:

Deployment scheme 1: the proxy server is deployed on a separate server independent of the WebLogic server, as shown in Fig. 1. In this case the listening IP address must be set to "0.0.0.0" in the WebLogic administration console so that the proxy server can reach the services provided by WebLogic.

The port on which WebLogic provides its services can remain unchanged and continue to be listened on. For example, if WebLogic's original listening port is 7001, that port continues to be used.

With this deployment, normal users access the services provided by WebLogic through the proxy server as usual, and attackers cannot send Java deserialization exploit packets over the T3/T3S protocol to WebLogic from the Internet; other servers in the local area network of this deployment (including the proxy server) can still access WebLogic's T3/T3S services normally.

The disadvantage of this deployment, as shown in Fig. 1, is that if an attacker takes control of another server in the local area network (including the proxy server) through other vulnerabilities or security weaknesses, the controlled machine can send Java deserialization exploit packets to the WebLogic server from inside the LAN and exploit the vulnerability. In other words, it protects only against deserialization attacks launched from the Internet, not against attacks launched by other servers inside the LAN.

Deployment scheme 2: the proxy application is deployed on the same server as WebLogic, as shown in Fig. 2. When the proxy application and WebLogic share a server, the WebLogic listening IP address can be set to "127.0.0.1", or the listening IP address can be set to "0.0.0.0" and a firewall used to restrict which IP addresses may access the WebLogic service port. With these settings only the local machine can access the services provided by WebLogic, and other machines cannot. For example, using the iptables command of the Linux operating system to allow only the "127.0.0.1" IP address/loopback network interface to reach the WebLogic service port achieves this restriction.

The port on which WebLogic provides its services must be changed to another port, and the proxy server listens on the port WebLogic originally served. For example, if WebLogic's original listening port is 7001, WebLogic is changed to port 8001 and the proxy application listens on port 7001.

With this deployment, normal users access the services provided by WebLogic through the proxy server as usual; attackers cannot send Java deserialization exploit packets over T3/T3S to WebLogic from the Internet, nor from a compromised server in the local area network.

The disadvantages of this deployment are: the WebLogic service port must be changed and network policies adjusted, which may affect normal business functions; a proxy application must be added to the WebLogic server, which increases the server's performance overhead and may affect normal business functions; restricting the WebLogic service port to local access means the T3/T3S services provided by WebLogic cannot be reached from other servers in the LAN, so WebLogic can be administered by command only on the WebLogic server itself and not remotely, which reduces the availability of WebLogic and affects operations; and after the adjustments of this deployment scheme, verifying that normal business functions are unaffected requires a large scope of testing and therefore a large testing effort.

Based on the shortcomings of the above deployments, the applicant further improved the protection method for the deserialization vulnerability; as shown in Fig. 3, it includes the following steps:

Step S301: the WebLogic server receives a data request sent by at least one client and determines whether the data request includes T3/T3S protocol data.

Specifically, in an embodiment of the present invention, the WebLogic server receives a data request sent by at least one client; one WebLogic server is connected to at least one client and receives the data requests the clients send.

In an optional embodiment, the data request received by the WebLogic server includes T3/T3S protocol data, that is, the data request could carry a deserialization vulnerability attack. Specifically, the client sends T3/T3S protocol data to the WebLogic server when WebLogic's stop or start scripts need to be executed locally on the WebLogic server; when WebLogic needs to be configured or managed by command through WLST (WebLogic Scripting Tool); and when programs that communicate over T3/T3S need to be written to monitor and manage WebLogic.

Step S302: if the WebLogic server determines that the data request includes T3/T3S protocol data, it determines whether the client's IP address is a trusted IP address according to the client's Internet Protocol (IP) address and a preconfigured IP address whitelist.

Specifically, determining that the data request the WebLogic server received from the client includes T3/T3S protocol data means the request may be deserialization exploit data that could lead to the WebLogic server being attacked. To improve the security of the WebLogic server, the preconfigured IP address whitelist and the IP address of the client that sent the T3/T3S protocol data are therefore used to decide whether the T3/T3S protocol data should be processed normally or the request rejected.

Optionally, whether the T3/T3S protocol data is processed is decided by whether the client's IP address is a trusted IP address. That is, in the embodiment of the present invention the clients in the IP address whitelist can be regarded as clients of higher security whose trustworthiness is also very high; if even these clients are hijacked, all servers can be considered to be under the attacker's control.

Therefore a client that matches the IP address whitelist is a trusted client and the T3/T3S protocol data it sends is trusted, while a client that does not match the IP address whitelist is an untrusted client and the T3/T3S protocol data it sends is likewise untrusted.

In the embodiment of the present invention, the IP address whitelist in the WebLogic server is preset and is determined according to the security level of each client in the whole network. Optionally, a configuration file name is added to the startup parameters of the Java program, and that configuration file is the IP address whitelist; when the IP address whitelist changes, the change is made by modifying, adding or replacing that configuration file.
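The decision that steps S301 and S302 place in the T3/T3S handling path, with the whitelist read from a file named by a JVM startup parameter as the paragraph above suggests, written out as an added example. This is not the patent's or WebLogic's code: the property name t3.whitelist.file, the file format (one IPv4/IPv6 address or CIDR block per line, "#" comments), the attack-event log line and the sample addresses are all assumptions. It goes slightly beyond the text by accepting CIDR blocks as well as single addresses, and by rejecting every T3/T3S source when no whitelist is configured.

```java
import java.io.IOException;
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;
import java.util.logging.Logger;

/** Trust decision for the source address of a T3/T3S connection (added example, Java 8 compatible). */
public final class T3WhitelistGuard {
    private static final Logger LOG = Logger.getLogger("t3.whitelist");
    /** Hypothetical startup parameter, e.g. -Dt3.whitelist.file=/opt/weblogic/t3-whitelist.txt */
    public static final String PROPERTY = "t3.whitelist.file";

    /** One whitelist entry: a single address (full-length prefix) or a CIDR block, compared on raw bytes. */
    private static final class Entry {
        final byte[] network;
        final int prefixLen;
        Entry(byte[] network, int prefixLen) { this.network = network; this.prefixLen = prefixLen; }
        boolean contains(byte[] addr) {
            if (addr.length != network.length) return false;   // an IPv4 entry never matches an IPv6 client
            int fullBytes = prefixLen / 8, remBits = prefixLen % 8;
            for (int i = 0; i < fullBytes; i++) if (addr[i] != network[i]) return false;
            if (remBits == 0) return true;
            int mask = (0xFF << (8 - remBits)) & 0xFF;        // leading bits of the partial byte
            return (addr[fullBytes] & mask) == (network[fullBytes] & mask);
        }
    }

    private final List<Entry> entries = new ArrayList<>();

    /** Parses whitelist lines; blank lines and "#" comments are skipped, a malformed line fails fast at startup. */
    public T3WhitelistGuard(List<String> lines) throws UnknownHostException {
        for (String raw : lines) {
            String line = raw.trim();
            if (line.isEmpty() || line.startsWith("#")) continue;
            int slash = line.indexOf('/');
            String host = slash < 0 ? line : line.substring(0, slash);
            byte[] net = InetAddress.getByName(host).getAddress();   // literal addresses only, no DNS needed
            int prefix = slash < 0 ? net.length * 8 : Integer.parseInt(line.substring(slash + 1));
            if (prefix < 0 || prefix > net.length * 8) throw new IllegalArgumentException("bad prefix: " + line);
            entries.add(new Entry(net, prefix));
        }
    }

    /** Loads the whitelist named by the startup parameter; no parameter means an empty list, i.e. deny all. */
    public static T3WhitelistGuard fromStartupParameter() throws IOException {
        String file = System.getProperty(PROPERTY);
        if (file == null) {
            LOG.warning(PROPERTY + " not set; every T3/T3S source will be refused");
            return new T3WhitelistGuard(Collections.<String>emptyList());
        }
        return new T3WhitelistGuard(Files.readAllLines(Paths.get(file), StandardCharsets.UTF_8));
    }

    public boolean isTrusted(InetAddress client) {
        byte[] addr = client.getAddress();
        for (Entry e : entries) if (e.contains(addr)) return true;
        return false;
    }

    /** The check the patent inserts into MuxableSocketT3: admit, or refuse and record an attack event. */
    public boolean admitT3Connection(InetAddress client) {
        if (isTrusted(client)) return true;
        LOG.warning("ATTACK_EVENT t3_untrusted_source client=" + client.getHostAddress());
        return false;
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample whitelist: one ops jump host and one management subnet.
        List<String> sample = Arrays.asList("# internal operations", "10.0.5.7", "192.168.100.0/24");
        T3WhitelistGuard guard = new T3WhitelistGuard(sample);
        for (String client : new String[] { "10.0.5.7", "192.168.100.42", "192.168.101.1", "203.0.113.9" }) {
            System.out.println(client + " -> " + (guard.admitT3Connection(InetAddress.getByName(client))
                ? "process T3/T3S data" : "refuse connection"));
        }
    }
}
```

In a real deployment the check would run where MuxableSocketT3 first has the peer address of the accepted socket, before any T3 object stream is read; the refusal log line is what the patent calls recording the request as an attack event, and it is the record a SOC would alert on, since a legitimate T3 source that is missing from the list shows up the same way and needs the list corrected rather than the alert ignored.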

可选的,在本发明实施例中,WebLogic服务器想要实现IP地址白名单的判断,还需要确定在WebLogic服务器中处理T3/T3S的类。Optionally, in the embodiment of the present invention, if the WebLogic server wants to realize the judgment of the IP address whitelist, it also needs to determine the class that processes T3/T3S in the WebLogic server.

具体的,可以通过历史WebLogic Java反序列化漏洞触发时,在WebLogic日志中记录的异常信息来确定WebLogic服务器中处理T3/T3S的类。Specifically, the class that handles T3/T3S in the WebLogic server can be determined through the exception information recorded in the WebLogic log when the historical WebLogic Java deserialization vulnerability is triggered.

在异常信息中包含了漏洞触发时的堆栈信息,根据堆栈信息可以了解WebLogic的处理流程。经过分析发现,当漏洞触发时,WebLogic会按照固定的步骤对T3/T3S协议数据进行处理,分别经过了线程相关类、套接字相关类的处理,最后进行Java反序列化处理,具体过程如图4所示,经过分析后可以确认WebLogic处理T3协议的类为“WebLogic.rjvm.t3.MuxableSocketT3”;处理T3S协议的类为“WebLogic.rjvm.t3.MuxableSocketT3S”,继承自MuxableSocketT3类,且MuxableSocketT3S类中没有对协议处理过程进行修改,因此只需要处理MuxableSocketT3类。The stack information when the vulnerability is triggered is included in the exception information, and the processing flow of WebLogic can be understood according to the stack information. After analysis, it is found that when the vulnerability is triggered, WebLogic will process the T3/T3S protocol data according to the fixed steps, respectively go through thread-related classes, socket-related classes, and finally deserialize Java. The specific process is as follows: As shown in Figure 4, after analysis, it can be confirmed that the class that WebLogic handles the T3 protocol is "WebLogic.rjvm.t3.MuxableSocketT3"; The protocol processing process is not modified in the class, so only the MuxableSocketT3 class needs to be processed.

也就是说,也就是说,修改WebLogic服务器的MuxableSocketT3类,可以增加判断IP地址是否在白名单中的判断过程。In other words, that is to say, modifying the MuxableSocketT3 class of the WebLogic server can increase the judgment process of judging whether the IP address is in the white list.

具体的,在对MuxableSocketT3类进行优化前,需要定位MuxableSocketT3所在的jar包路径,可以通过以下方法对MuxableSocketT3进行定位。Specifically, before optimizing the MuxableSocketT3 class, it is necessary to locate the jar package path where MuxableSocketT3 is located. The following method can be used to locate MuxableSocketT3.

First method: when the MuxableSocketT3 class exists on its own, install any J2EE application in WebLogic, create a JSP file at a location in the application directory where JSP files are parsed, and save in it the following content, which outputs the location of the jar package containing the MuxableSocketT3 class, as shown in Figure 5:

Step S501: obtain the class object of the WebLogic.rjvm.t3.MuxableSocketT3 class;

Step S502: call the getResource("").getPath() method of that object;

Step S503: obtain the path of the jar package containing the MuxableSocketT3 class returned by that method;

Step S504: print the path of the jar package containing the MuxableSocketT3 class.

Second method: when the MuxableSocketT3 class is inside a jar package, install any J2EE application in WebLogic, create a JSP file at a location in the application directory where JSP files are parsed, and save in it the following content, which outputs the location of the jar package containing the MuxableSocketT3 class, as shown in Figure 6:

Step S601: obtain the class object of the WebLogic.rjvm.t3.MuxableSocketT3 class;

Step S602: call the getProtectionDomain().getCodeSource().getFile() method of that object;

Step S603: obtain the path of the jar package containing the MuxableSocketT3 class returned by that method;

Step S604: print the path of the jar package containing the MuxableSocketT3 class.

Accessing the JSP file created above with a browser outputs the full path of the jar package containing the MuxableSocketT3 class.
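The two lookups above can be folded into one helper that tries the loose-class case first and falls back to the jar case. This is an added example, not code from the patent or from WebLogic: the helper class and the JSP scriptlet that would call it are assumed; the JVM package of the class is the lower-case weblogic.rjvm.t3, and in the JDK the jar path is reached through CodeSource.getLocation().

```java
import java.net.URL;
import java.security.CodeSource;

/** Added example: report where a class was loaded from, covering both cases in the text. */
public final class ClassOriginLocator {

    // Real JVM name of the class the patent discusses (package name is lower-case on disk).
    public static final String T3_HANDLER_CLASS = "weblogic.rjvm.t3.MuxableSocketT3";

    private ClassOriginLocator() {}

    /** Returns the directory (loose class) or jar path the given class was loaded from. */
    public static String locate(String className) throws ClassNotFoundException {
        Class<?> c = Class.forName(className);                  // S501 / S601: class object

        // Method 1 (S502/S503): package-relative resource. For a loose class file this
        // is a file: URL of its directory. For a class inside a jar it is a jar: URL or,
        // on newer JDKs, null, so in that case fall through to method 2.
        URL res = c.getResource("");
        if (res != null && "file".equals(res.getProtocol())) {
            return res.getPath();
        }

        // Method 2 (S602/S603): the CodeSource location is the jar (or directory) that the
        // class loader used. Bootstrap classes such as java.lang.String have no CodeSource.
        CodeSource cs = c.getProtectionDomain().getCodeSource();
        if (cs == null || cs.getLocation() == null) {
            return "<no code source: bootstrap or system class>";
        }
        return cs.getLocation().getFile();
    }

    // In the JSP the scriptlet would do: out.println(ClassOriginLocator.locate(T3_HANDLER_CLASS));
    public static void main(String[] args) throws ClassNotFoundException {
        System.out.println(locate(T3_HANDLER_CLASS));           // S504 / S604: print the path
    }
}
```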

Once the jar package containing the MuxableSocketT3 class has been located, the T3/T3S protocol handling flow of the MuxableSocketT3 class is improved so that, on receiving T3/T3S protocol data, the WebLogic server determines whether the client's IP address is one of the IP addresses in the whitelist.

After the MuxableSocketT3 class has been improved, the files belonging to the MuxableSocketT3 class in its jar package are replaced with the improved class; the change takes effect after WebLogic is restarted.

From the above, if the WebLogic server finds that the client's IP matches the IP address whitelist, it can thereby determine whether the client's IP address is a trusted IP address.

Step S303: if the WebLogic server determines that the client's Internet Protocol (IP) address is a trusted IP address, it processes the T3/T3S protocol data so that the request goes through the normal flow.

Specifically, once the client has been determined to be a trusted client, the T3/T3S protocol data is executed; for example, the WebLogic server itself runs WebLogic's stop or start script, WebLogic performs configuration and management operations in command mode, or WebLogic performs monitoring and management functions.

In an optional embodiment, when the WebLogic server determines that the client's IP does not match the IP address whitelist, it refuses the connection with the client and records the data request as an attack event; recording attack events makes it possible to analyze them.

In this embodiment of the invention, to avoid other potential security problems that arise when the WebLogic server port is exposed directly to the Internet, a proxy server may also be deployed between users and the WebLogic server. The proxy server can be deployed on a separate machine, so it adds no performance overhead to the WebLogic server and does not affect normal business; when verifying the change, the scope to be tested is small and the testing effort is small. Normal functions are unaffected, and no hidden Java deserialization vulnerability risk is introduced.

That is, the WebLogic server receives data requests sent by Internet clients through the proxy server, and receives data requests sent by clients on the same local area network directly. This adds no performance overhead to the WebLogic server and does not affect normal business; when verifying the change, the scope to be tested is small and the testing effort is small. Normal functions are unaffected, and no hidden Java deserialization vulnerability risk is introduced.

Through the above embodiments of the invention, without affecting normal users' use of the various business functions, an attacker can neither exploit the WebLogic Java deserialization vulnerability from the Internet nor exploit it after taking control of another server on the local area network. Compared with the prior art, the T3/T3S service provided by WebLogic can only be reached from trusted servers, such as the WebLogic server itself or well-protected servers used by operations staff, which also defends against Java deserialization vulnerabilities caused by as-yet-unknown classes and shields WebLogic from Java deserialization vulnerabilities to the greatest extent possible. Other trusted servers are still allowed to access the T3/T3S service provided by WebLogic, so the WebLogic service can be managed by remote command from those servers, leaving WebLogic's availability and operations unaffected. Attempts by an attacker to exploit the WebLogic Java deserialization vulnerability can be detected, yielding threat intelligence. The port on which WebLogic provides its services need not be changed and no network policy needs adjusting, so normal business functions are unaffected. No proxy application has to be added on the WebLogic server, so the server's performance overhead does not increase and normal business is unaffected. After the whitelist check is added to WebLogic according to the method of this embodiment, the scope of testing needed to verify that normal business functions are unaffected is small, and so is the testing effort.

To explain the embodiment of this application better, the deserialization vulnerability protection method provided by this embodiment is described below with a specific deployment scenario. The method is applied to the WebLogic server of a financial institution such as a bank. A configuration file name is added to the startup parameters of the WebLogic server's Java program; this adds the IP address whitelist, which dynamically configures the trusted IPs from which WebLogic accepts the T3/T3S protocol, so that changes to the trusted IPs take effect without restarting the WebLogic server. In the dispatch method of the MuxableSocketT3 class, which processes T3/T3S protocol data, the trusted IPs are read from the specified configuration file each time a T3/T3S protocol request is received, and the current request's IP is checked against them: a trusted IP continues through T3/T3S protocol processing; an untrusted IP has its connection refused and the details of the attack event are written to a dedicated log file. The optimized flow of the MuxableSocketT3 dispatch method, as applied in the WebLogic server, is shown in Figure 7 and consists of the following steps:

Step S701: receive T3/T3S protocol data;

Step S702: obtain the IP address whitelist configured in the startup parameters of the Java program;

Step S703: determine whether the IP address of the client currently sending the T3/T3S protocol data matches an IP address in the IP address whitelist; if so, go to step S704, otherwise go to step S705;

Step S704: execute the T3/T3S protocol data;

Step S705: refuse the connection with the client and record the data request as an attack event.
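The whitelist logic of steps S701 to S705 and the startup-parameter configuration described above, written as a stand-alone Java helper. This is an added example and not the patent's or WebLogic's code: the class name, the two system property names and the log format are assumptions, and the call from the patched dispatch method is only sketched in a comment because that method's signature is WebLogic-internal.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.StandardOpenOption;
import java.time.Instant;
import java.util.HashSet;
import java.util.Set;

/**
 * Added example: trusted-IP gate for T3/T3S connections. In the patched
 * MuxableSocketT3.dispatch() the first thing to run would be something like
 *   if (!T3TrustedIpGuard.allowT3(sock.getInetAddress().getHostAddress(), sock.getPort(), "t3"))
 *       { close the connection; return; }
 * so that untrusted peers never reach Java deserialization (sock = the accepted java.net.Socket).
 */
public final class T3TrustedIpGuard {

    // Assumed startup parameters, e.g. -Dt3.whitelist.file=/opt/wls/t3_whitelist.txt
    public static final String WHITELIST_PROPERTY = "t3.whitelist.file";
    public static final String ATTACK_LOG_PROPERTY = "t3.attack.log";

    private T3TrustedIpGuard() {}

    /**
     * Step S702: read the whitelist from the file named in the JVM startup parameters.
     * It is re-read on every request, so edits take effect without restarting WebLogic.
     * One IP per line; blank lines and lines starting with '#' are ignored.
     */
    static Set<String> loadWhitelist(Path file) throws IOException {
        Set<String> trusted = new HashSet<>();
        for (String line : Files.readAllLines(file, StandardCharsets.UTF_8)) {
            String ip = line.trim();
            if (ip.isEmpty() || ip.startsWith("#")) {
                continue;
            }
            trusted.add(ip);
        }
        return trusted;
    }

    /** Step S703: exact match of the peer address against the whitelist. */
    static boolean isTrusted(String clientIp, Set<String> whitelist) {
        return clientIp != null && whitelist.contains(clientIp.trim());
    }

    /** Step S705: append the rejected request to the attack-event log (constructed format). */
    static void recordAttackEvent(Path log, String clientIp, int clientPort, String protocol)
            throws IOException {
        String line = String.format("%s REJECTED_T3 proto=%s src=%s:%d%n",
                Instant.now(), protocol, clientIp, clientPort);
        Files.write(log, line.getBytes(StandardCharsets.UTF_8),
                StandardOpenOption.CREATE, StandardOpenOption.APPEND);
    }

    /**
     * Gate for the dispatch hook. Returns true when the T3/T3S data may continue into
     * WebLogic's normal processing (S704) and false when the connection must be refused (S705).
     * Fails closed: with no whitelist configured, or an unreadable one, nobody is trusted,
     * so the server's own address must be listed for local start/stop scripts to keep working.
     */
    public static boolean allowT3(String clientIp, int clientPort, String protocol) {
        String whitelistFile = System.getProperty(WHITELIST_PROPERTY);
        if (whitelistFile == null) {
            return false;
        }
        try {
            Set<String> whitelist = loadWhitelist(Paths.get(whitelistFile));
            if (isTrusted(clientIp, whitelist)) {
                return true;
            }
            String logFile = System.getProperty(ATTACK_LOG_PROPERTY, "t3_attack_events.log");
            recordAttackEvent(Paths.get(logFile), clientIp, clientPort, protocol);
            return false;
        } catch (IOException e) {
            return false;
        }
    }
}
```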

Based on the same technical concept, an embodiment of this application provides a deserialization vulnerability protection device. As shown in Figure 8, the device 800 includes:

a T3/T3S protocol data determining unit 801, configured to receive a data request sent by at least one client and determine whether the data request includes T3/T3S protocol data;

a judging unit 802, configured to determine, if the data request is found to include T3/T3S protocol data, whether the client's IP address is a trusted IP address according to the client's Internet Protocol (IP) address and a preconfigured IP address whitelist;

a T3/T3S protocol data processing unit 803, configured to process the T3/T3S protocol data, so that the request goes through the normal flow, if the client's Internet Protocol (IP) address is determined to be a trusted IP address.

Further, the judging unit 802 is specifically configured to:

when the MuxableSocketT3 class executes, obtain the startup parameters of the WebLogic server, which include the IP address whitelist;

if the client's IP is found to match the IP address whitelist, determine that the client's IP address is a trusted IP address.

Further, the T3/T3S protocol data processing unit 803 is also configured to:

if the client's IP is found not to match the IP address whitelist, refuse the connection with the client and record the data request as an attack event.

Further, the T3/T3S protocol data determining unit 801 is specifically configured to:

receive data requests sent by Internet clients through a proxy server, and receive data requests sent by clients on the same local area network.

Further, the device also includes a configuration unit 804, configured to:

determine the location of the MuxableSocketT3 class and add the steps of the deserialization vulnerability protection method to the MuxableSocketT3 class.

Further, the configuration unit 804 is specifically configured to:

determine the location of the MuxableSocketT3 class according to whether the MuxableSocketT3 class exists on its own.

Based on the same technical concept, an embodiment of this application provides a computer device which, as shown in Figure 9, includes at least one processor 901 and a memory 902 connected to the at least one processor. This embodiment does not limit the specific connection medium between the processor 901 and the memory 902; Figure 9 takes a bus connection between them as an example. The bus may be divided into an address bus, a data bus, a control bus, and so on.

In this embodiment, the memory 902 stores instructions executable by the at least one processor 901, and by executing the instructions stored in the memory 902 the at least one processor 901 can perform the steps of the deserialization vulnerability protection method described above.

The processor 901 is the control center of the computer device; it connects the parts of the terminal device through various interfaces and lines, and by running or executing the instructions stored in the memory 902 and invoking the data stored in the memory 902 it obtains the client address. Optionally, the processor 901 may include one or more processing units and may integrate an application processor and a modem processor, where the application processor mainly handles the operating system, user interface and application programs, and the modem processor mainly handles wireless communication. It will be understood that the modem processor need not be integrated into the processor 901. In some embodiments the processor 901 and the memory 902 may be implemented on the same chip; in others they may be implemented on separate chips.

The processor 901 may be a general-purpose processor such as a central processing unit (CPU), a digital signal processor, an application-specific integrated circuit (ASIC), a field-programmable gate array or other programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component, and may implement or execute the methods, steps and logic block diagrams disclosed in the embodiments of this application. A general-purpose processor may be a microprocessor or any conventional processor. The steps of the methods disclosed in the embodiments of this application may be carried out directly by a hardware processor, or by a combination of hardware and software modules within the processor.

The memory 902, as a non-volatile computer-readable storage medium, may be used to store non-volatile software programs, non-volatile computer-executable programs and modules. The memory 902 may include at least one type of storage medium, for example flash memory, a hard disk, a multimedia card, card-type memory, random access memory (RAM), static random access memory (SRAM), programmable read-only memory (PROM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), magnetic memory, a magnetic disk, or an optical disc. The memory 902 is any medium that can carry or store the desired program code in the form of instructions or data structures and can be accessed by a computer, but is not limited to these. The memory 902 in this embodiment may also be a circuit or any other device capable of providing a storage function, used to store program instructions and/or data.

Based on the same technical concept, an embodiment of this application provides a computer-readable storage medium storing a computer program executable by a computer device; when the program runs on the computer device, it causes the computer device to perform the steps of the deserialization vulnerability protection method.

Those of ordinary skill in the art will understand that all or part of the steps of the above method embodiments may be completed by hardware under the control of program instructions; the program may be stored in a computer-readable storage medium and, when executed, performs the steps of the above method embodiments. The storage medium includes various media capable of storing program code, such as a removable storage device, read-only memory (ROM), random access memory (RAM), a magnetic disk or an optical disc.

Alternatively, if the integrated units of this application are implemented as software function modules and sold or used as independent products, they may also be stored in a computer-readable storage medium. On this understanding, the technical solution of the embodiments of this application, in essence or in the part that contributes to the prior art, may be embodied as a software product stored in a storage medium and including several instructions that cause a computer device (which may be a personal computer, a server, a network device, or the like) to execute all or part of the methods described in the embodiments of this application. The storage medium includes various media capable of storing program code, such as a removable storage device, ROM, RAM, a magnetic disk or an optical disc.

The above is only a specific implementation of this application, and the scope of protection of this application is not limited to it. Any change or substitution that a person skilled in the art could readily conceive within the technical scope disclosed by this application falls within its scope of protection. The scope of protection of this application is therefore that of the claims.
