EC9.0 Full Patch
Official version:10.62    Operating environment:Windows/Linux
Updated:2024-05-14
Incremental patch based on 10.56 (EC9.0)
Official version:10.62    Operating environment:Windows/Linux
Updated:2024-05-14
EC8.0 Full Patch
Official version:10.62    Operating environment:Windows/Linux
Updated:2024-05-14
Incremental patch based on 10.56 (EC8.0)
Official version:10.62    Operating environment:Windows/Linux
Updated:2024-05-14
Incremental patch based on 10.62 (EC9.0)
Official version:10.62    Operating environment:Windows/Linux
Updated:2024-05-14
Incremental patch based on 10.62 (EC8.0)
Official version:10.62    Operating environment:Windows/Linux
Updated:2024-05-14
Security patches for EC7.0 and below
Official version: 6.50 Operating environment: Windows/Linux
Updated: 2022-05-25
MD5:C6A8FADDA3E38A412C2C22C19D229EC5
RASP INSTALL PACKAGE
Official version:2.0.5    Operating environment:Windows/Linux
Updated:2022-11-07
MD5:5ed111a3da49a83f5ec6b4a729bad951
RASP INSTALL Document
Official version:2.0.5
Updated:2022-08-22
MD5:c65ba5d7dee18a564a2802334ed538fe
RASP Upgrade Package
Official version:2.0.5    Operating environment:Windows/Linux
Updated:2022-11-07
MD5:b218226ca46e02ba7008b40de8b49e62
RASP Upgrade Document
Official version:2.0.4
Updated:2022-08-22
MD5:83a9b9bd632dfe8995c28834ba6f748c
ECOLOGY Security Patch Configuration Instructions
 
Updated: 2019-08-29
System operation safety recommendations
 
Updated: 2019-02-27
Description
*
Tips:
Please regularly change your password (including various product lines such as Emobile management backend, Technology account, Cloud Bridge management backend, Emessage management backend, Operations platform, etc.), and ensure that the password is a complex password. The requirements for complex passwords are:
a. A length of at least 13 digits or more< Br> b. Contains both uppercase and lowercase letters, numbers, and special characters< Br> c. There is no obvious input pattern on the keyboard, such as: 1qaz@wsx For example, this password may seem like a strong password, but there are obvious input patterns on the keyboard, so it is also easy to crack.
*
Note:
E9 system upgrades v10.52 patch package. After the upgrade is completed and the test is passed, you need to use the administrator to log in and visit /mobilemode/admin/genstaticpageall.jsp for data initialization to avoid exceptions in the mobile modeling page.
0
Check whether the security package is valid and how to fix it
1. Log in to the system with sysadmin and visit: /security/monitor/Monitor.jsp;
2. View the [Environment Information] tab page, you can see the current security package version;
3. In the [Security Summary] tab page, you can see the security Whether the package is valid;
4. If it is displayed as not open, click [Detect] in [Safety Check], after the detection, the [Repair] button will pop up, click [Repair];
5. After the repair is completed, the specific repair steps will pop up (main Just replace the file), just follow the repair steps.
6. If it is still not open after repairing according to the above 5 steps, please click [Open] in the first item of the [Security Opening Details] tab page.
1
Please download [ECOLOGY Security Patch] and [ECOLOGY Security Patch Configuration Instructions] first, and deploy and upgrade according to the [Ecology System Security Installation Instructions] file in [ECOLOGY Security Patch Configuration Instructions].
2
If it is the first time to install a security patch package, there is no weaver_security_config.xml file in the WEB-INF/ directory, you can restart the service first, and the weaver_security_config.xml file will be automatically generated.
3
If there is a KB patch package to upgrade the system or a major version upgrade, it is recommended to download the latest security patch package from this page and re-overwrite it.
3
The ECOLOGY security patch package can be adapted to the following versions of ECOLOGY

Resin1.x+Ecology5.0 and above

4
If your e-cology is running in the WEBLOGIC environment, you can also apply this security patch directly.
5
If the system has done a lot of secondary development, to be on the safe side, it is recommended to apply the security patch package to the production environment first, but delay the activation of the security patch package (it can solve some serious problems without configuration, such as unauthorized access to sensitive information, etc.). But it will not affect system functions) . In the test environment, test the commonly used functions, especially the secondary development functions, and then formally enable the security package function in the production environment.
6
For customers with secondary development, the possible impact and solutions after applying this security patch package

1. The parameters of SQL statements that directly transmit dangerous characters (such as count(, substr(, etc)) may be intercepted by the security package;

2. For customers who upgrade from 5.0/6.0/7.0 to 8.0, if the secondary development page uses GBK encoding to transmit data, then Chinese may not be available;

3. For 5.0/6.0/7.0 customers, if the secondary development page uses UTF-8 encoding to transmit data, garbled characters may appear when obtaining Chinese through getParameter.

Solutions to the above problems (for specific configuration, please refer to the relevant chapter description in "Ecology System Safety Configuration Instructions.docx")

1. You can add a node similar to the following below the <root> node in ecology/WEB-INF/securityXML/weaver_security_custom_rules_1.xml (regular expressions can be used in the url, or a directory can be configured): In this way, the parameters of this page will be No security check will be performed.
<excepts>
<url>/keygenerator/KeyGeneratorOperation.jsp</url>
<url>/keygenerator/KeyGeneratorOriginalOperation.jsp</url>
</excepts>

2. You can add a node similar to the following below the <root> node in ecology/WEB-INF/securityXML/weaver_security_custom_rules_1.xml (regular expressions can be used in the URL, or a directory can be configured): In this way, the parameters of this page will be Will be received in GBK code.
<dev-list>
<special>
<encoding>GBK</encoding>
<paths>
<path>/hrm/performance/[a-zA-Z0-9]\.jsp</path>
<path>/hrm/performance/checkScheme/</path>
</paths>
</special>
</dev-list>

3. You can add a node similar to the following below the <root> node in ecology/WEB-INF/securityXML/weaver_security_custom_rules_1.xml (regular expressions can be used in the URL, or a directory can be configured): In this way, the parameters of this page will be Will be received in UTF-8 encoding.
<dev-list>
<special>
<encoding>UTF-8</encoding>
<paths>
<path>/messager/</path>
<path>/newportal/contactssearch.jsp/</path>
</paths>
</special>
</dev-list>

7
If the system has done a lot of secondary development, please be sure to read the "Ecology System Safety Configuration Instructions.docx" carefully, and grasp that when the secondary development function is affected, quickly solve the problem through configuration.
8
When the xml file related to the security rules is modified (please use Editplus, Notepad++, Ultra and other editors to edit, do not use Notepad, WordPad and other tools to edit.) , after the modification is completed, you do not need to restart Resin, please use system management Log in to the system, and then visit: http://oa address/updateRules.jsp (such as: http://e8.e-cology.com.cn/updateRules.jsp) to make the newly modified rule base file effective immediately. If it is a cluster environment, please execute the following jsp on each node.
9
After updating the security patch package, if you find that http://oa address/services/ cannot be accessed, please refer to the following steps to add an exception: add the IP that needs to call the WEBSERVICE to the whitelist

You can add a node similar to the following below the <root> node in ecology/WEB-INF/securityXML/weaver_security_custom_rules_1.xml (IP can specify a certain network segment or specific IP): In this way, these IPs can access webservice normally Up.
<webservice-ip-list>
<ip>80.16.</ip>
</webservice-ip-list>

Update log
2024-05-14(v10.62)
146、Fix security vulnerabilities.
2024-04-15(v10.61)
144、Fix security vulnerabilities.
145、Add general safety protection rules.
2024-02-22(v10.60)
143、Fix security vulnerabilities.
2023-12-18(v10.59)
141、Fix security vulnerabilities.
142、Fix functional bugs.
143、Based on the 10.58.7 patch package, it is mainly aimed at customers who have already upgraded to the 10.58.7 patch and can directly use this patch package, reducing the size of the patch package and reducing file updates.
2023-08-21(v10.58.7)
140、Fix security vulnerabilities.
2023-08-16(v10.58.6)
138、Fix security vulnerabilities. 139、Fix the issue of slow personnel card synchronization between EM7 and Cloud Bridge
2023-08-14(v10.58.5)
135、Fix security vulnerabilities.
2023-08-10(v10.58.4)
134、Fix security vulnerabilities.
2023-07-25(v10.58.3)
133、Fix security vulnerabilities.
2023-07-13(v10.58.2)
132、Fix security vulnerabilities.
2023-07-11(v10.58.1)
130. Optimize performance
131. Fix XXE injection vulnerability
2023-07-07(v10.58.0)
129、Fix newly discovered security vulnerabilities (XXE injection vulnerability)
2023-05-15(v10.57.2)
128、After repairing and upgrading the 10.57 patch pack, some environments experienced database connection leaks.
2023-05-15(v10.57.1)
127、Fix the issue of docx file preview failure after upgrading to patch 10.57.
2023-04-19(v10.57)
126、Fix the issue of dynamic password function failure after upgrading to patch 10.57.
2023-04-13(v10.57)
125. Fix newly discovered security vulnerabilities
>Upgrade commons fileupload to version 1.5.0
>Upgrade dubbo to version 2.7.22
>Increase global protection against arbitrary command execution vulnerabilities
2023-02-15(v10.56)
124、The original《Security patch for EC8.0 or above》 is divided into 《Patch for EC9.0》 and 《Patch for EC8.0》. The reason is that the jar package for this patch update conflicts with version 8.0 and version 9.0, so it has to be split into two packages for upgrade. Please select the appropriate package upgrade according to your version.
2023-02-13(v10.56)
122、Fix the newly discovered security vulnerability (Note: the incremental security patch based on v10.45 means that if you have manually upgraded the security patch of v10.45 or above, you can directly download this patch for upgrading)
2022-11-07(raspV2.0.5)
121、Performance optimization of rasp protection module
2022-10-14(v10.55)
121、Fix the newly discovered security vulnerability (Note: the incremental security patch based on v10.45 means that if you have manually upgraded the security patch of v10.45 or above, you can directly download this patch for upgrading)
2022-08-22(raspV2.0.4)
120、Performance optimization of rasp protection module
2022-08-15(v10.54)
119、Optimize the system performance problems caused by 10.52 and above patches.
2022-08-05(v10.54)
118、Fix the newly discovered security vulnerability (Note: the incremental security patch based on v10.45 means that if you have manually upgraded the security patch of v10.45 or above, you can directly download this patch for upgrading)
2022-08-04(v10.53)
117、Fix the newly discovered security vulnerability (Note: the incremental security patch based on v10.45 means that if you have manually upgraded the security patch of v10.45 or above, you can directly download this patch for upgrading)
2022-07-31(v10.52)
116、Fix the newly discovered security vulnerability (Note: the incremental security patch based on v10.45 means that if you have manually upgraded the security patch of v10.45 or above, you can directly download this patch for upgrading)
(special note: the E9 system upgrades the v10.52 patch package. After the upgrade is completed and the test is passed, you need to log in with an administrator and visit /mobilemode/admin/genstaticpageall.jsp for data initialization to avoid exceptions in the mobile modeling page.)
2022-07-28(v10.50)
115、Fix the newly discovered security vulnerability (Note: the incremental security patch based on v10.45 means that if you have manually upgraded the security patch of v10.45 or above, you can directly download this patch for upgrading)
(special note: the E9 system upgrades the v10.50 patch package. After the upgrade is completed and the test is passed, you need to log in with an administrator and visit /mobilemode/admin/genstaticpageall.jsp for data initialization to avoid exceptions in the mobile modeling page.)
2022-07-27(v10.49)
114、Fix the abnormal editing of background office template after upgrading the security patch package.
2022-07-26(v10.49)
113、Fix the newly discovered security vulnerability (Note: the incremental security patch based on v10.45 means that if you have manually upgraded the security patch of v10.45 or above, you can directly download this patch for upgrading)
(special note: the E9 system upgrades the v10.49 patch package. After the upgrade is completed and the test is passed, you need to log in with an administrator and visit /mobilemode/admin/genstaticpageall.jsp for data initialization to avoid exceptions in the mobile modeling page.)
2022-07-16(v10.48)
111、Fix the problem that the integrated user-defined interface cannot be used in the extranet environment caused by the security patch released on July 7 (Note: the incremental security patch based on v10.45 means that if you have manually upgraded the security patch of v10.45 and above, you can directly download this patch for upgrading)
112、fix rasp bugs.
2022-07-11(v10.47)
110、Fix the problem that the integrated user-defined interface cannot be used in the extranet environment caused by the security patch released on July 7 (Note: the incremental security patch based on v10.45 means that if you have manually upgraded the security patch of v10.45 and above, you can directly download this patch for upgrading)
2022-07-07(v10.47)
108、Fix the newly discovered security vulnerability (Note: the incremental security patch based on v10.45 means that if you have manually upgraded the security patch of v10.45 or above, you can directly download this patch for upgrading)
2022-06-18(v10.46)
108、Fix the newly discovered security vulnerability (Note: the incremental security patch based on v10.45 means that if you have manually upgraded the security patch of v10.45, you can directly download this patch for upgrading)
2022-05-25
52. Upgrade fastjson to version 1.2.83 to solve the problem of code execution vulnerabilities
2022-03-22(v10.45)
106、Fix the failure of SQL attribute linkage configuration.
2022-03-19(v6.49/v10.44)
105、Fix any file upload vulnerability and upgrade xstream.jar to1.4.19 version。
2021-12-26(v6.49/v10.43)
104、Fix the bug of any URL jump verification rule, which may intercept some normal jump requests by mistake. and fix security vul.
2021-08-24(v6.48/v10.42)
103、upgrade xstream.jar to1.4.18 version。
2021-07-21(v6.47/v10.41)
102、fix bug when update security package to 10.41.
2021-07-21(v6.47/v10.41)
101、Solve new security issues(Logic Bug for Cloudstore)
2021-06-23(v6.47/v10.40)
100、Solve new security issues
2021-05-18(v6.46/v10.39)
99、Update Xstream.jar to version 1.4.17
2021-04-22(v6.45/v10.38)
98、Fix any file upload vulnerability after administrator login
2021-04-22(v6.42/v10.35)
97、Solve some bug causedBy securityPackage.
2021-04-20(v6.44/v10.37)
96、Fix any file upload vulnerability after administrator login
2021-04-17(v6.43/v10.36)
94、upgrade jackson and fastjson to latest version.
95、solve some other bugs.
2021-04-16(v6.42/v10.35)
92、Solve some bug causedBy securityPackage.
2021-04-13(v6.42/v10.35)
92、Solve some bug causedBy securityPackage.
2021-04-12(v6.42/v10.35)
91、Solve some bug causedBy securityPackage.
2021-04-11(v6.42/v10.35)
90、Solve new security issues.
2021-04-09(v6.41/v10.34)
89、Solve new security issues
2021-03-17
88、Update Xstream.jar to version 1.4.16
2020-12-15
87、Update Xstream.jar to version 1.4.15
2020-12-07
86. Ecology product security update, repairing a security hole in E8 version (security package is encrypted, please consult Fanwei customer service staff or project staff for the decompression password)
2020-11-26
84. Fix bugs caused by security issues, including cluster out of sync, garbled lines in emails, abnormal portal titles, occasional Chinese garbled characters, and abnormal PDF online previews.
85. Fix the issue of permission transfer errors after users upgrade to the old version of E8. The problem.
2020-11-17
82. Ecology product security update (security package is encrypted, please consult Fanwei customer service staff or project personnel for the decompression password)
83. Security patch package performance optimization
2020-09-07
81. Fix some hidden security hazards (the security package has been encrypted, please consult Fanwei customer service staff or project personnel for the decompression password)
2020-08-13
79, fastjson is upgraded to version 1.2.73
80, jackson is upgraded to version 2.10.5
2020-07-15
76, fastjson is upgraded to version 1.2.72
77, fix the problem of submitting errors in the mobile terminal process
78, fix some security risks
2020-05-11
76, fastjson upgrade to version 1.2.68
77, security patch package performance optimization
78, fix some security risks
2020-03-20
75, fastjson upgrade to version 1.2.67
2020-03-09
74, fastjson is upgraded to version 1.2.66, jackson-databind is upgraded to version 2.10.3
2020-02-24
73. Fix bugs caused by security patches and optimize the performance of security patches.
2019-11-29
72. Fix the problem that the mobile phone submission process is blocked and the report export function is abnormal due to the security patch.
2019-11-27
70. Fix the problem of non-authorization of form modeling caused by security patches.
71. Fix the problem of abnormal paging control and personnel export caused by the security patch.
2019-11-26
69. Fix the problem that the custom browse button cannot be displayed and the online preview function of the document is abnormal due to the security patch.
2019-11-04
67. Fix some bugs caused by the old version of the security patch package, such as the problem that the background process number cannot be saved.
68. Fix some newly discovered security issues and improve the security rule base rules.
2019-10-31
65. Fix some bugs caused by the old version of the security patch package, such as mobile Weibo exceptions.
66. Fix some newly discovered security issues and improve the security rule base rules.
2019-10-25
64. Fix the problem that the verification code cannot be displayed due to the security patch on October 24, 2019
2019-10-24
63. Fix the problem of leakage of ecology database information
2019-10-18
61. Fix the SQL injection problem of ecology released on October 18, 2019;
62. Fix the abnormal display of custom reports after upgrading the V10.19 security patch.
2019-10-17
60. Fix a security issue in ecology.
Confirm the affected version: The
database version is the following version is affected: SQLSERVER2012 and above
2019-10-10
59. Fix a security issue in ecology (security vulnerability number: CNVD-2019-34241, security bulletin number: CNTA-2019-0033)
2019-09-28
58. Fix a safety issue in ecology (E8/E9).
2019-09-20
57. Upgrade fastjson to version 1.2.61 and bsh components to solve possible remote code execution problems (this patch package contains ecology7/8/9 (ecology folder), EMobile6.6 and below, and cloud bridge upgrade patches , Please upgrade selectively according to your own products)
2019-09-17
56. Fix a safety issue in ecology.
2019-09-05
55. Upgrade fastjson to version 1.2.60 to solve the problem of denial of service vulnerability (this patch package contains ecology7/8/9 (ecology folder), EMobile6.6 and below, and cloud bridge upgrade patches, please follow your own product Selective upgrade of the situation)
2019-07-25
54. Repair unauthorized download of ecology.
2019-07-18
53. Fix the loopholes in the unauthorized download of ecology and unauthorized upload of files, and the XFF harm problem.
2019-06-25
52. Upgrade fastjson to version 1.2.58 to solve the problem of code execution vulnerabilities (this patch package contains ecology7/8/9 (ecology folder), EMobile6.6 and below, and cloud bridge upgrade patches, please follow your own product Selective upgrade of the situation)
2019-04-10
51. Fix a CRLF vulnerability in ecology (CVE-2019-10272)
2019-04-03
50. Provide JDK upgrade to solve the problem of JDK deserialization
2019-04-02
49. Enhance the rule base and upgrade the jar package to prevent deserialization vulnerabilities.
2019-02-13
48. Increase the security check of file upload and fix some bugs.
2019-01-30
47. Enhance the rule base and fix some bugs.
2018-11-21
46. ​​Enhance the defense function of service.
2018-10-31
45. Enhanced the defense function of service.
2018-09-13
44. Fix some newly discovered security issues.
2018-08-23
43. Fix some newly discovered security issues.
2018-08-02
42. Fix some newly discovered security issues.
2018-03-23
41. Fixed the problem of parameter loss caused by request.getQueryString.
2018-03-22
40. Fix some newly discovered security issues.
2018-03-09
39. Fixed some newly discovered minor issues.
2018-03-02
38. Fix some bugs
2018-02-05
37. Fixed the issue that the latest mobile version was blocked by mistake due to referer violating the same-origin policy
2018-02-02
36. Fix some bugs
2018--01-24
35. Fixed some possible security issues.
2018-01-19
35. Fixed the problem that the forgot password function was blocked by mistake
2018--01-16
34. Fixed some functional problems caused by security patches (inquiry and comment forwarding errors).
2018-01-11
33. Fix the problem that the security package accidentally intercepts the client module and cannot log in after the security package is updated under the CAS integrated login.
2018--01-02
31. Fixed some functional problems caused by security patches;
32. Fixed some newly discovered vulnerabilities.
2017-11-16
29. Fixed newly discovered problems.
30. Expanded the scalability function of the security package.
2017-06-12
Fix the problem that the security package may cause the connection pool to crash.
2017-05-23
28. Added support for session timeout function.
2016-12-08
Fixed some hidden bugs;
fixed a vulnerability in the critical level after logging in.
2016-11-1
Fixed some hidden bugs;
26. Improved the rule base;
27. Fixed known security vulnerabilities.
2016-09-29
Fixed some hidden bugs;
optimized security patch performance
2016-09-18
Fixed some hidden bugs;
23. Improved the rule base;
24. Added the function of automatic security package upgrade.
25. The function of requesting frequency limit is added, which can effectively solve the problem of brute force cracking.
2016-05-27
Fixed some hidden bugs;
21. Improved the rule base and added webserivce intranet access verification;
22. Strengthened the security patch package to prevent security bypass in some cases
2016-03-18
Fixed some hidden bugs;
20. Improved the rule base and enabled the login verification function by default;
16. Further improved the file upload security check.
2015-12-17
Fixed some hidden bugs;
16. Improved the rule library and added strict verification of the input format of the page parameters before login;
17. Improved the security verification support on
the mobile phone ; 18. Fixed the failure of some Chinese login names on the mobile phone Login bug;
19. Added changes to jsp and class executable files, and checked at 3 o'clock every morning by default.
2015-11-24
Fixed some hidden bugs;
1. Added support for weblogic;
2. Added support for login authentication.
2015-11-18
Fixed some hidden bugs;
15. Improved the rule base and added strict verification of the input format of the page parameters before login.
2015-11-11
Fixed some hidden bugs;
12. Improved the rule base and enhanced the defense against cross-site attacks and SQL injection vulnerabilities.
2015-10-27
13. The function of temporarily blocking the attack source IP;
fixed some hidden bugs.
2015-10-20
11. ip whitelist mechanism;
12. cookie+ip binding mechanism.
2015-05-30
1. Solve XSS cross-domain attacks;
2. Solve high-risk SQL injection attacks;
3. Prevent phishing risks;
4. Host forgery attacks;
5. Referer checking;
6.
Webservice whitelist mechanism; 7. HTTPonly mechanism of cookies;
8 , HTTP response splitting vulnerability;
9. Log file, database connection access permission control;
10. File upload security check.
Copyright © 2001-2020 Weaver Network All Rights Reserved.