EC9.0 Full Patch
Official version:10.70 Operating environment:Windows/Linux
Updated:2024-09-10
|
EC8.0 Full Patch
Official version:10.70 Operating environment:Windows/Linux
Updated:2024-09-10
|
Incremental patch based on 10.56 (EC9.0)
Official version:10.70 Operating environment:Windows/Linux
Updated:2024-09-10
|
Incremental patch based on 10.56 (EC8.0)
Official version:10.70 Operating environment:Windows/Linux
Updated:2024-09-10
|
Incremental patch based on 10.63 (EC9.0)
Official version:10.70 Operating environment:Windows/Linux
Updated:2024-09-10
|
Incremental patch based on 10.63 (EC8.0)
Official version:10.70 Operating environment:Windows/Linux
Updated:2024-09-10
|
Security patches for EC7.0 and below
Official version: 6.51 Operating environment: Windows/Linux
Updated:2024-09-10
MD5:EB57356B1AD0D45C32CB033AA4A861D8
|
EC10.0 Security Patch
Official version:1.26.0-hotfix2 Operating environment:Windows/Linux
Updated:2024-09-10
MD5:02544A581CA3DAE4D7E8E1BA6B3D83F4
|
RASP INSTALL PACKAGE
Official version:2.0.5 Operating environment:Windows/Linux
Updated:2022-11-07
MD5:5ed111a3da49a83f5ec6b4a729bad951
|
RASP INSTALL Document
Official version:2.0.5
Updated:2022-08-22
MD5:c65ba5d7dee18a564a2802334ed538fe
|
RASP Upgrade Package
Official version:2.0.5 Operating environment:Windows/Linux
Updated:2022-11-07
MD5:b218226ca46e02ba7008b40de8b49e62
|
RASP Upgrade Document
Official version:2.0.4
Updated:2022-08-22
MD5:83a9b9bd632dfe8995c28834ba6f748c
|
ECOLOGY Security Patch Configuration Instructions
Updated: 2019-08-29
|
System operation safety recommendations
Updated: 2019-02-27
|
a. A length of at least 13 characters
b. Contains uppercase and lowercase letters, numbers, and special characters
c. No obvious keyboard input pattern. For example, 1qaz@wsx may seem like a strong password, but it follows an obvious input pattern on the keyboard, so it is also easy to crack.
2. On the [Environment Information] tab page, you can see the current security package version;
3. On the [Security Summary] tab page, you can see whether the security package is in effect;
4. If it is displayed as not open, click [Detect] in [Safety Check]; after the detection, the [Repair] button will pop up, click [Repair];
5. After the repair is completed, the specific repair steps will pop up (mainly just replacing files); just follow the repair steps.
6. If it is still not open after repairing according to the above 5 steps, please click [Open] in the first item of the [Security Opening Details] tab page.
Resin1.x+Ecology5.0 and above
1. Parameters that directly transmit SQL statements containing dangerous characters (such as count(, substr(, etc.) may be intercepted by the security package;
2. For customers who upgrade from 5.0/6.0/7.0 to 8.0, if a secondary development page uses GBK encoding to transmit data, Chinese text may not be received correctly;
3. For 5.0/6.0/7.0 customers, if a secondary development page uses UTF-8 encoding to transmit data, garbled characters may appear when obtaining Chinese text through getParameter.
1. You can add a node similar to the following below the <root> node in ecology/WEB-INF/securityXML/weaver_security_custom_rules_1.xml (regular expressions can be used in the URL, or a directory can be configured). In this way, no security check will be performed on the parameters of these pages.
<excepts>
<url>/keygenerator/KeyGeneratorOperation.jsp</url>
<url>/keygenerator/KeyGeneratorOriginalOperation.jsp</url>
</excepts>
2. You can add a node similar to the following below the <root> node in ecology/WEB-INF/securityXML/weaver_security_custom_rules_1.xml (regular expressions can be used in the URL, or a directory can be configured). In this way, the parameters of these pages will be received in GBK encoding.
<dev-list>
<special>
<encoding>GBK</encoding>
<paths>
<path>/hrm/performance/[a-zA-Z0-9]\.jsp</path>
<path>/hrm/performance/checkScheme/</path>
</paths>
</special>
</dev-list>
3. You can add a node similar to the following below the <root> node in ecology/WEB-INF/securityXML/weaver_security_custom_rules_1.xml (regular expressions can be used in the URL, or a directory can be configured). In this way, the parameters of these pages will be received in UTF-8 encoding.
<dev-list>
<special>
<encoding>UTF-8</encoding>
<paths>
<path>/messager/</path>
<path>/newportal/contactssearch.jsp/</path>
</paths>
</special>
</dev-list>
You can add a node similar to the following below the <root> node in ecology/WEB-INF/securityXML/weaver_security_custom_rules_1.xml (the IP can specify a certain network segment or a specific IP). In this way, these IPs can access the webservice normally.
<webservice-ip-list>
<ip>80.16.</ip>
</webservice-ip-list>
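Every entry in <excepts> and <webservice-ip-list> widens what the security package lets through, so the custom rules file is worth reviewing after each change. The following is an added example, not Weaver's code: a Python audit that flags directory-wide or regex exceptions and partial-IP entries. The element names come from the snippets above; the function name audit_custom_rules, the breadth heuristics, the reading of a partial IP as a prefix, and the sample document are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample: snippets in the page's format placed under a <root> node.
SAMPLE = """<root>
  <excepts>
    <url>/keygenerator/KeyGeneratorOperation.jsp</url>
    <url>/keygenerator/</url>
    <url>/custom/.*\\.jsp</url>
  </excepts>
  <webservice-ip-list>
    <ip>80.16.</ip>
    <ip>192.168.10.25</ip>
  </webservice-ip-list>
</root>"""

# "." is left out on purpose: every .jsp path contains one.
REGEX_META = set("*+?[](){}|^$\\")


def audit_custom_rules(xml_text):
    """Return (kind, value, reason) findings for entries that widen exposure."""
    root = ET.fromstring(xml_text)
    findings = []
    # Every <excepts>/<url> turns off parameter checking for matching pages.
    for node in root.iter("excepts"):
        for url in node.findall("url"):
            value = (url.text or "").strip()
            if value.endswith("/"):
                findings.append(("except", value, "whole directory unchecked"))
            elif REGEX_META & set(value):
                findings.append(("except", value, "regex may match many pages"))
    # Assumption: a partial IP is a prefix; fewer fixed octets = wider range.
    for node in root.iter("webservice-ip-list"):
        for ip in node.findall("ip"):
            value = (ip.text or "").strip()
            octets = [o for o in value.split(".") if o]
            if len(octets) < 4:
                findings.append(("webservice-ip", value,
                                 "segment with %d of 4 octets fixed" % len(octets)))
    return findings


if __name__ == "__main__":
    for kind, value, reason in audit_custom_rules(SAMPLE):
        print("%-14s %-28s %s" % (kind, value, reason))
```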
162. Fix the printing failure issue of the E9 asset module.
157. Fixed issues with form modeling and group save failures.
158. Fix the issue where E8 version process testing cannot be used.
145. Add general safety protection rules.
142. Fix functional bugs.
143. Based on the 10.58.7 patch package: customers who have already upgraded to the 10.58.7 patch can use this patch package directly, which reduces the size of the patch package and the number of file updates.
131. Fix XXE injection vulnerability
>Upgrade commons fileupload to version 1.5.0
>Upgrade dubbo to version 2.7.22
>Increase global protection against arbitrary command execution vulnerabilities
(Special note: when the E9 system is upgraded with the v10.52 patch package, after the upgrade is completed and the test is passed, you need to log in as an administrator and visit /mobilemode/admin/genstaticpageall.jsp for data initialization to avoid exceptions in the mobile modeling page.)
(Special note: when the E9 system is upgraded with the v10.50 patch package, after the upgrade is completed and the test is passed, you need to log in as an administrator and visit /mobilemode/admin/genstaticpageall.jsp for data initialization to avoid exceptions in the mobile modeling page.)
(Special note: when the E9 system is upgraded with the v10.49 patch package, after the upgrade is completed and the test is passed, you need to log in as an administrator and visit /mobilemode/admin/genstaticpageall.jsp for data initialization to avoid exceptions in the mobile modeling page.)
112. Fix RASP bugs.
95. Solve some other bugs.
85. Fix the issue of permission transfer errors after users upgrade to the old version of E8.
83. Security patch package performance optimization
80. Jackson is upgraded to version 2.10.5.
77. Fix the problem of submitting errors in the mobile terminal process.
78. Fix some security risks.
77. Security patch package performance optimization.
78. Fix some security risks.
71. Fix the problem of abnormal paging control and personnel export caused by the security patch.
68. Fix some newly discovered security issues and improve the security rule base rules.
66. Fix some newly discovered security issues and improve the security rule base rules.
62. Fix the abnormal display of custom reports after upgrading the V10.19 security patch.
Confirm the affected version: the following database versions are affected: SQLSERVER2012 and above
32. Fixed some newly discovered vulnerabilities.
30. Expanded the scalability function of the security package.
Fixed a critical-level vulnerability after logging in.
26. Improved the rule base;
27. Fixed known security vulnerabilities.
Optimized security patch performance.
23. Improved the rule base;
24. Added the function of automatic security package upgrade.
25. The function of requesting frequency limit is added, which can effectively solve the problem of brute force cracking.
21. Improved the rule base and added webservice intranet access verification;
22. Strengthened the security patch package to prevent security bypass in some cases
20. Improved the rule base and enabled the login verification function by default;
16. Further improved the file upload security check.
16. Improved the rule library and added strict verification of the input format of the page parameters before login;
17. Improved the security verification support on the mobile phone;
18. Fixed the bug where some Chinese login names failed to log in on the mobile phone;
19. Added checking for changes to jsp and class executable files, run at 3 o'clock every morning by default.
1. Added support for weblogic;
2. Added support for login authentication.
15. Improved the rule base and added strict verification of the input format of the page parameters before login.
12. Improved the rule base and enhanced the defense against cross-site attacks and SQL injection vulnerabilities.
Fixed some hidden bugs.
12. cookie+ip binding mechanism.
2. Solve high-risk SQL injection attacks;
3. Prevent phishing risks;
4. Host forgery attacks;
5. Referer checking;
6. Webservice whitelist mechanism;
7. HTTPonly mechanism of cookies;
8. HTTP response splitting vulnerability;
9. Log file, database connection access permission control;
10. File upload security check.