Symptoms
I have a service that was written two years ago and had been running stably ever since. In the last few days I found that it was frequently unavailable, and operations ended up restarting the gateway every day to work around it. At first I did not pay much attention and assumed the server was unstable. Later I looked at the logs and found the following error. Besides the screenshot, the error log is also reproduced below as text:
java.lang.IndexOutOfBoundsException: Index: 0, Size: 0
    at java.util.ArrayList.rangeCheck(ArrayList.java:657) ~[na:1.8.0_161]
    at java.util.ArrayList.get(ArrayList.java:433) ~[na:1.8.0_161]
    at org.springframework.cloud.gateway.route.RouteDefinitionRouteLocator.combinePredicates(RouteDefinitionRouteLocator.java:213) ~[spring-cloud-gateway-core-2.1.2.RELEASE.jar!/:2.1.2.RELEASE]
    at org.springframework.cloud.gateway.route.RouteDefinitionRouteLocator.convertToRoute(RouteDefinitionRouteLocator.java:142) ~[spring-cloud-gateway-core-2.1.2.RELEASE.jar!/:2.1.2.RELEASE]
    at reactor.core.publisher.FluxMap$MapSubscriber.onNext(FluxMap.java:100) ~[reactor-core-3.2.11.RELEASE.jar!/:3.2.11.RELEASE]
    at reactor.core.publisher.FluxFlatMap$FlatMapMain.drainLoop(FluxFlatMap.java:664) ~[reactor-core-3.2.11.RELEASE.jar!/:3.2.11.RELEASE]
    at reactor.core.publisher.FluxFlatMap$FlatMapMain.drain(FluxFlatMap.java:540) ~[reactor-core-3.2.11.RELEASE.jar!/:3.2.11.RELEASE]
    at reactor.core.publisher.FluxFlatMap$FlatMapInner.onSubscribe(FluxFlatMap.java:924) ~[reactor-core-3.2.11.RELEASE.jar!/:3.2.11.RELEASE]
    at reactor.core.publisher.FluxIterable.subscribe(FluxIterable.java:139) ~[reactor-core-3.2.11.RELEASE.jar!/:3.2.11.RELEASE]
    at reactor.core.publisher.FluxIterable.subscribe(FluxIterable.java:63) ~[reactor-core-3.2.11.RELEASE.jar!/:3.2.11.RELEASE]
    at reactor.core.publisher.Flux.subscribe(Flux.java:7921) ~[reactor-core-3.2.11.RELEASE.jar!/:3.2.11.RELEASE]
    at reactor.core.publisher.FluxFlatMap$FlatMapMain.onNext(FluxFlatMap.java:389) ~[reactor-core-3.2.11.RELEASE.jar!/:3.2.11.RELEASE]
    at reactor.core.publisher.FluxIterable$IterableSubscription.slowPath(FluxIterable.java:243) ~[reactor-core-3.2.11.RELEASE.jar!/:3.2.11.RELEASE]
    at reactor.core.publisher.FluxIterable$IterableSubscription.request(FluxIterable.java:201) ~[reactor-core-3.2.11.RELEASE.jar!/:3.2.11.RELEASE]
    at reactor.core.publisher.FluxFlatMap$FlatMapMain.onSubscribe(FluxFlatMap.java:335) ~[reactor-core-3.2.11.RELEASE.jar!/:3.2.11.RELEASE]
    at reactor.core.publisher.FluxIterable.subscribe(FluxIterable.java:139) ~[reactor-core-3.2.11.RELEASE.jar!/:3.2.11.RELEASE]
    at reactor.core.publisher.FluxIterable.subscribe(FluxIterable.java:63) ~[reactor-core-3.2.11.RELEASE.jar!/:3.2.11.RELEASE]
    at reactor.core.publisher.FluxFlatMap.subscribe(FluxFlatMap.java:97) ~[reactor-core-3.2.11.RELEASE.jar!/:3.2.11.RELEASE]
This is caused by the Spring Cloud Gateway remote code execution vulnerability (CVE-2022-22947). For a detailed description of the vulnerability see: https://tanzu.vmware.com/security/cve-2022-22947
Well, it looks like the services on this server have recently been targeted. Safety first: I resolved the problem in two steps.
Solutions
Solution 1 (temporary): disable the Gateway actuator endpoint in production
Method 1: stop exposing the monitoring endpoints
management:
  endpoints:
    enabled-by-default: false
    web:
      exposure:
        include: '*'
Method 2: disable the gateway endpoint
management:
  endpoint:
    gateway:
      enabled: false
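As an added example (not code from the original post), the following Python audit applies Spring Boot's enable/exposure rules to an application.properties fragment and reports whether the gateway actuator endpoint is still reachable; the two YAML methods above map onto the same dotted property keys. The property names are Spring Boot's own; the sample configurations are constructed.

```python
"""Audit Spring Boot actuator settings for the Spring Cloud Gateway endpoint
(the actuator surface involved in CVE-2022-22947).

Assumption: config is in application.properties form and Spring Boot 2.x rules
apply: an endpoint is reachable over HTTP only when it is enabled
(management.endpoint.<id>.enabled, else management.endpoints.enabled-by-default)
AND listed in management.endpoints.web.exposure.include (or '*') AND not excluded.
"""

def parse_properties(text: str) -> dict:
    """Parse `key=value` lines; blank lines and '#' comments are skipped."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props

def _csv(value: str) -> set:
    return {v.strip() for v in value.split(",") if v.strip()}

def endpoint_exposed(props: dict, endpoint: str = "gateway") -> bool:
    """True when `endpoint` is both enabled and exposed over the web."""
    default_enabled = props.get("management.endpoints.enabled-by-default", "true")
    enabled = props.get(f"management.endpoint.{endpoint}.enabled", default_enabled)
    if enabled.lower() != "true":
        return False
    # Spring Boot 2.x exposes only health (and, before 2.5, info) by default.
    include = _csv(props.get("management.endpoints.web.exposure.include", "health,info"))
    exclude = _csv(props.get("management.endpoints.web.exposure.exclude", ""))
    if endpoint in exclude:  # exclude takes precedence over include
        return False
    return "*" in include or endpoint in include

def audit(config_text: str) -> bool:
    """Return True if the gateway actuator endpoint is reachable."""
    return endpoint_exposed(parse_properties(config_text))

# Constructed sample configurations (not from a real deployment).
EXPOSED = "management.endpoints.web.exposure.include=*\n"
METHOD_ONE = "management.endpoints.enabled-by-default=false\nmanagement.endpoints.web.exposure.include=*\n"
METHOD_TWO = "management.endpoint.gateway.enabled=false\n"

if __name__ == "__main__":
    for name, cfg in [("exposed", EXPOSED), ("method 1", METHOD_ONE), ("method 2", METHOD_TWO)]:
        print(f"{name}: gateway endpoint reachable = {audit(cfg)}")
```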
Solution 2
Upgrade Spring Cloud Gateway to the latest version. See https://cloud.tencent.com/developer/article/1950978 for details.
Official issue descriptions:
- https://github.com/spring-cloud/spring-cloud-gateway/issues/1915
- https://github.com/spring-cloud/spring-cloud-gateway/issues/2542
Project example
The MateCloud microservice project has already been upgraded to the latest secure version; all of its source code is open source, see: https://gitee.com/matevip/matecloud