契约锁在自身具备主动热更新Patch的能力下 - 6月10日更新了安全补丁 - 随后在11日,大量厂商发布了漏洞预警,阿里云也更新了WAF规则,并说明该漏洞影响范围较大。 - 在11日至12日期间,我们还观测到大量POC扫描流量。 本次调研主要关注补丁更新的及时性(如是否存在甲方禁止主动更新、更新失败、私有版本不适用等情况)。因此,进行了简单的数据调研,结果相对有趣,也能够反映当前的安全现状。
如:0.09%甲方针对存在风险的接口或获取安全版本的接口,主动进行了WAF拦截,这是否能够反映其安全性?
版本现状
| 1.3.5 |
73.08% |
| 2.1.5 |
18.47% |
| 1.0.6 |
0.91% |
| 1.2.2 |
0.77% |
| 2.0.0 |
0.77% |
| 1.1.1 |
0.67% |
| 1.2.3 |
0.67% |
| 2.0.6 |
0.53% |
| 1.3.3 |
0.53% |
| 1.3.2 |
0.53% |
| 1.1.2 |
0.48% |
| 1.2.0 |
0.29% |
| 2.1.1 |
0.24% |
| 1.0.1 |
0.24% |
| 2.1.2 |
0.24% |
| 1.3.0 |
0.19% |
| 1.0.4 |
0.19% |
| 2.0.7 |
0.19% |
| 1.2.1 |
0.14% |
| 2.1.3 |
0.14% |
| 1.0.2 |
0.14% |
| 2.1.0 |
0.14% |
| 1.3.1 |
0.10% |
| 1.3.4 |
0.10% |
| 1.0.7 |
0.05% |
| 1.0.3 |
0.05% |
| 2.1.4 |
0.05% |
| 2.0.2 |
0.05% |
| 1.1.0 |
0.05% |
接口status_code分布
| 302 |
53.48% |
| 403 |
29.26% |
| 200 |
6.82% |
| 301 |
4.92% |
| 404 |
2.93% |
| 500 |
1.05% |
| 400 |
0.65% |
| 502 |
0.28% |
| 308 |
0.11% |
| 418 |
0.11% |
| 405 |
0.09% |
| 503 |
0.09% |
| 307 |
0.06% |
| 567 |
0.06% |
| 483 |
0.03% |
| 412 |
0.03% |
| 468 |
0.03% |
status_code == 200 版本分布
| 1.0.6 |
13.95% |
| 2.0.0 |
12.40% |
| 1.1.1 |
10.85% |
| 2.0.6 |
8.53% |
| 1.2.2 |
8.53% |
| 1.1.2 |
7.75% |
| 1.0.1 |
3.88% |
| 2.1.2 |
3.88% |
| 2.1.5 |
3.10% |
| 2.1.1 |
3.10% |
| 1.0.4 |
3.10% |
| 2.0.7 |
3.10% |
| 1.3.3 |
2.33% |
| 1.0.2 |
2.33% |
| 2.1.0 |
2.33% |
| 1.3.1 |
1.55% |
| 1.3.0 |
1.55% |
| 1.2.3 |
1.55% |
| 1.2.0 |
0.78% |
| 1.3.5 |
0.78% |
| 1.0.7 |
0.78% |
| 1.0.3 |
0.78% |
| 2.1.4 |
0.78% |
| 2.0.2 |
0.78% |
| 1.2.1 |
0.78% |
| 1.1.0 |
0.78% |
