GeoScene Portal 4.1 Netty安全漏洞全面修复方案与操作步骤
Netty是Netty社区的一款非阻塞I/O客户端-服务器框架,它主要用于开发Java网络应用程序,如协议服务器和客户端等。由于GeoScene Portal 4.1使用了低版本的netty-codec-http2、netty-codec-http、opensearch-security\netty-codec-http等jar包,导致了该漏洞。需要把GeoScene Portal中的Open Search升级到3.3.0以上。该漏洞已经成功修复,升级后GeoScene Portal可以正常使用。
软件版本
GeoScene Portal版本:4.1
漏洞名称
Netty 拒绝服务漏洞(CVE-2025-55163)
Netty 环境问题漏洞(CVE-2025-58056)
漏洞描述
Netty 拒绝服务漏洞(CVE-2025-55163)
Netty存在安全漏洞,该漏洞源于HTTP/2协议逻辑缺陷,可能导致资源耗尽和分布式拒绝服务攻击。
Netty 环境问题漏洞(CVE-2025-58056)
Netty存在环境问题漏洞,该漏洞源于错误解析换行符,可能导致HTTP请求夹带攻击。
漏洞位置
D:\GeoScene\Portal\framework\runtime\ds\framework\runtime\opensearch\plugins\opensearch-ml\netty-codec-http2-4.1.118.Final.jar
D:\GeoScene\Portal\framework\runtime\ds\framework\runtime\opensearch\modules\transport-netty4\netty-codec-http-4.1.121.Final.jar
D:\GeoScene\Portal\framework\runtime\ds\framework\runtime\opensearch\plugins\opensearch-ml\netty-codec-http-4.1.118.Final.jar
D:\GeoScene\Portal\framework\runtime\ds\framework\runtime\opensearch\plugins\opensearch-security\netty-codec-http-4.1.121.Final.jar
D:\GeoScene\Portal\framework\runtime\ds\framework\runtime\opensearch\plugins\opensearch-notifications\netty-codec-http-4.1.124.Final.jar
修复漏洞需要将Netty 升级到 4.1.125.Final、4.2.5.Final 及以上版本。
解决方案
需要把 GeoScene Portal中的Open Search 升级到3.3.0以上。Open Search 3.3.0需要JDK 21,所以要先升级 GeoScene Portal中的JDK。由于升级非常容易导致GeoScene Portal服务无法启动。建议升级前做好备份。
操作步骤
1、停止GeoScene Portal服务。
2、安装JDK21。
3、重命名 D:\GeoScene\Portal\framework\runtime\jre 为 D:\GeoScene\Portal\framework\runtime\jre-old。
4、把 JDK 21安装目录复制到该文件夹,重命名 jdk-21 为 jre。
5、下载OpenSearch v3.3.0。下载地址:https://opensearch.org/artifacts/by-version/#release-3-3-0
6、把 D:\GeoScene\Portal\framework\runtime\ds\framework\runtime\opensearch 重命名为 D:\GeoScene\Portal\framework\runtime\ds\framework\runtime\opensearch-old。
7、解压下载的 opensearch-3.3.0-windows-x64.zip 到D:\GeoScene\Portal\framework\runtime\ds\framework\runtime文件夹。
8、由于GeoScene调用OpenSearch没有把opensearch\agent目录添加到CLASSPATH中,所以要把 opensearch\agent目录下的所有包复制到 opensearch\libs文件夹。
9、编辑文件GeoScene使用的OpenSearch配置文件:D:\geosceneportal\index\config\opensearch.yml,注释掉下面一行。
#compatibility.override_main_response_version : true10、编辑文件D:\geosceneportal\index\config\opensearch.yml,修改下面一行,关闭ssl校验。
plugins.security.disabled: true11、把 OpenSearch 升级到 v3.3.0后,opensearch\modules\transport-netty4 和 opensearch\plugins\opensearch-security 中的netty已经是4.1.125版本,无需修复。 opensearch\plugins\opensearch-ml中的netty是 4.1.124版本,需要升级到4.1.125。
12、对比 opensearch\modules\transport-netty4 中的 netty 包和 opensearch\plugins\opensearch-ml 中的 netty包,发现缺少 netty-transport-classes-epoll-4.1.125.Final.jar,可以在maven repository网站下载。
下载地址:https://mvnrepository.com/artifact/io.netty/netty-transport-classes-epoll/4.1.125.Final
13、把 opensearch\plugins\opensearch-ml 中4.1.124版本的netty包对应替换成opensearch\modules\transport-netty4中的4.1.125中的包。不要删除里面的netty-nio-client-2.32.29.jar。netty-transport-classes-epoll-4.1.125.Final.jar是上一步新下载的包。
14、把 opensearch\plugins\opensearch-notifications 中4.1.124版本的netty包对应替换成opensearch\modules\transport-netty4中的4.1.125中的包。
15、启动GeoScene Portal服务(启动时间可能比较长,要有耐心)。如果长时间无法启动,可以在 D:\GeoScene\Portal\framework\runtime\ds\usr\logs\GIS域名\opensearchlog 文件夹查看OpenSearch日志。
重要目录和文件
GeoScene Portal自带jre文件夹(原来是JDK11):D:\GeoScene\Portal\framework\runtime\jre
GeoScene Portal自带OpenSearch文件夹:D:\GeoScene\Portal\framework\runtime\ds\framework\runtime\opensearch
GeoScene Portal OpenSearch日志文件夹:D:\GeoScene\Portal\framework\runtime\ds\usr\logs\GIS域名\opensearchlog
GoeScene Portal OpenSearch配置文件:D:\geosceneportal\index\config\opensearch.yml
OpenSearch启动参数
GeoScene Portal调用OpenSearch命令行
opensearch -d -p "D:\GeoScene\Portal\framework\etc\pids\opensearch.pid" GeoScene Portal调用OpenSearch环境变量
checkpassword=Y
COMSPEC=C:\Windows\SYSTEM32\cmd.exe
JAVA_HOME=D:\GeoScene\Portal\framework\runtime\jre
OPENSEARCH_JAVA_OPTS=-Dlog4j2.disable.jmx=true -Djava.io.tmpdir=D:/geosceneportal/dsdata/temp
OPENSEARCH_PATH_CONF=D:/geosceneportal/index/config
OPENSEARCH_TMPDIR=D:/geosceneportal/dsdata/temp
params='-d -p "D:\GeoScene\Portal\framework\etc\pids\opensearch.pid"'
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.JS;.WS;.MSC
PROMPT=$P$G
SystemRoot=C:\Windows
TEMP=D:/geosceneportal/dsdata/temp常见问题
1、OpenSearch requires Java 21; your Java version from [D:\GeoScene\Portal\framework\runtime\jre] does not meet this requirement。
解决方法:OpenSearch v3.3.0需要Java 21。安装JDK21,重命名 D:\GeoScene\Portal\framework\runtime\jre 为 D:\GeoScene\Portal\framework\runtime\jre-old,把 JDK 21安装目录复制到该文件夹,重命名 jdk-21 为 jre。
2、OpenSearch升级到v3.3.0报错:java.lang.NoClassDefFoundError: org/opensearch/javaagent/bootstrap/AgentPolicy$AnyCanExit。
完整错误:
fatal error in thread [main], exiting
java.lang.NoClassDefFoundError: org/opensearch/javaagent/bootstrap/AgentPolicy$AnyCanExit
at org.opensearch.bootstrap.Security.configure(Security.java:163)
at org.opensearch.bootstrap.Bootstrap.setup(Bootstrap.java:244)
at org.opensearch.bootstrap.Bootstrap.init(Bootstrap.java:411)
at org.opensearch.bootstrap.OpenSearch.init(OpenSearch.java:168)
at org.opensearch.bootstrap.OpenSearch.execute(OpenSearch.java:159)
at org.opensearch.common.cli.EnvironmentAwareCommand.execute(EnvironmentAwareCommand.java:110)
at org.opensearch.cli.Command.mainWithoutErrorHandling(Command.java:138)
at org.opensearch.cli.Command.main(Command.java:101)
at org.opensearch.bootstrap.OpenSearch.main(OpenSearch.java:125)
at org.opensearch.bootstrap.OpenSearch.main(OpenSearch.java:91)
Caused by: java.lang.ClassNotFoundException: org.opensearch.javaagent.bootstrap.AgentPolicy$AnyCanExit
at java.base/jdk.internal.loader.BuiltinClassLoader.loadClass(BuiltinClassLoader.java:641)
at java.base/jdk.internal.loader.ClassLoaders$AppClassLoader.loadClass(ClassLoaders.java:188)
at java.base/java.lang.ClassLoader.loadClass(ClassLoader.java:526)
... 10 more解决方法:由于GeoScene调用OpenSearch没有把opensearch\agent目录添加到CLASSPATH中,所以要把 opensearch\agent目录下的所有包复制到 opensearch\libs目录。
3、SettingsException[unknown setting [compatibility.override_main_response_version] please check that any required plugins are installed, or check the breaking changes documentation for removed settings]
完整错误:
[2025-10-20T17:36:05,858][ERROR][o.o.b.Bootstrap ] [GIS域名] Exception
org.opensearch.common.settings.SettingsException: unknown setting [compatibility.override_main_response_version] please check that any required plugins are installed, or check the breaking changes documentation for removed settings
at org.opensearch.common.settings.AbstractScopedSettings.validate(AbstractScopedSettings.java:606) ~[opensearch-3.3.0.jar:3.3.0]
at org.opensearch.common.settings.AbstractScopedSettings.validate(AbstractScopedSettings.java:547) ~[opensearch-3.3.0.jar:3.3.0]
at org.opensearch.common.settings.AbstractScopedSettings.validate(AbstractScopedSettings.java:517) ~[opensearch-3.3.0.jar:3.3.0]
at org.opensearch.common.settings.AbstractScopedSettings.validate(AbstractScopedSettings.java:487) ~[opensearch-3.3.0.jar:3.3.0]
at org.opensearch.common.settings.SettingsModule.<init>(SettingsModule.java:178) ~[opensearch-3.3.0.jar:3.3.0]
at org.opensearch.node.Node.<init>(Node.java:666) ~[opensearch-3.3.0.jar:3.3.0]
at org.opensearch.node.Node.<init>(Node.java:483) ~[opensearch-3.3.0.jar:3.3.0]
at org.opensearch.bootstrap.Bootstrap$5.<init>(Bootstrap.java:249) ~[opensearch-3.3.0.jar:3.3.0]
at org.opensearch.bootstrap.Bootstrap.setup(Bootstrap.java:249) ~[opensearch-3.3.0.jar:3.3.0]
at org.opensearch.bootstrap.Bootstrap.init(Bootstrap.java:411) [opensearch-3.3.0.jar:3.3.0]
at org.opensearch.bootstrap.OpenSearch.init(OpenSearch.java:168) [opensearch-3.3.0.jar:3.3.0]
at org.opensearch.bootstrap.OpenSearch.execute(OpenSearch.java:159) [opensearch-3.3.0.jar:3.3.0]
at org.opensearch.common.cli.EnvironmentAwareCommand.execute(EnvironmentAwareCommand.java:110) [opensearch-3.3.0.jar:3.3.0]
at org.opensearch.cli.Command.mainWithoutErrorHandling(Command.java:138) [opensearch-cli-3.3.0.jar:3.3.0]
at org.opensearch.cli.Command.main(Command.java:101) [opensearch-cli-3.3.0.jar:3.3.0]
at org.opensearch.bootstrap.OpenSearch.main(OpenSearch.java:125) [opensearch-3.3.0.jar:3.3.0]
at org.opensearch.bootstrap.OpenSearch.main(OpenSearch.java:91) [opensearch-3.3.0.jar:3.3.0]
[2025-10-20T17:36:05,870][ERROR][o.o.b.OpenSearchUncaughtExceptionHandler] [GIS域名] uncaught exception in thread [main]
org.opensearch.bootstrap.StartupException: SettingsException[unknown setting [compatibility.override_main_response_version] please check that any required plugins are installed, or check the breaking changes documentation for removed settings]
at org.opensearch.bootstrap.OpenSearch.init(OpenSearch.java:172) ~[opensearch-3.3.0.jar:3.3.0]
at org.opensearch.bootstrap.OpenSearch.execute(OpenSearch.java:159) ~[opensearch-3.3.0.jar:3.3.0]
at org.opensearch.common.cli.EnvironmentAwareCommand.execute(EnvironmentAwareCommand.java:110) ~[opensearch-3.3.0.jar:3.3.0]
at org.opensearch.cli.Command.mainWithoutErrorHandling(Command.java:138) ~[opensearch-cli-3.3.0.jar:3.3.0]
at org.opensearch.cli.Command.main(Command.java:101) ~[opensearch-cli-3.3.0.jar:3.3.0]
at org.opensearch.bootstrap.OpenSearch.main(OpenSearch.java:125) ~[opensearch-3.3.0.jar:3.3.0]
at org.opensearch.bootstrap.OpenSearch.main(OpenSearch.java:91) ~[opensearch-3.3.0.jar:3.3.0]
Caused by: org.opensearch.common.settings.SettingsException: unknown setting [compatibility.override_main_response_version] please check that any required plugins are installed, or check the breaking changes documentation for removed settings
at org.opensearch.common.settings.AbstractScopedSettings.validate(AbstractScopedSettings.java:606) ~[opensearch-3.3.0.jar:3.3.0]
at org.opensearch.common.settings.AbstractScopedSettings.validate(AbstractScopedSettings.java:547) ~[opensearch-3.3.0.jar:3.3.0]
at org.opensearch.common.settings.AbstractScopedSettings.validate(AbstractScopedSettings.java:517) ~[opensearch-3.3.0.jar:3.3.0]
at org.opensearch.common.settings.AbstractScopedSettings.validate(AbstractScopedSettings.java:487) ~[opensearch-3.3.0.jar:3.3.0]
at org.opensearch.common.settings.SettingsModule.<init>(SettingsModule.java:178) ~[opensearch-3.3.0.jar:3.3.0]
at org.opensearch.node.Node.<init>(Node.java:666) ~[opensearch-3.3.0.jar:3.3.0]
at org.opensearch.node.Node.<init>(Node.java:483) ~[opensearch-3.3.0.jar:3.3.0]
at org.opensearch.bootstrap.Bootstrap$5.<init>(Bootstrap.java:249) ~[opensearch-3.3.0.jar:3.3.0]
at org.opensearch.bootstrap.Bootstrap.setup(Bootstrap.java:249) ~[opensearch-3.3.0.jar:3.3.0]
at org.opensearch.bootstrap.Bootstrap.init(Bootstrap.java:411) ~[opensearch-3.3.0.jar:3.3.0]
at org.opensearch.bootstrap.OpenSearch.init(OpenSearch.java:168) ~[opensearch-3.3.0.jar:3.3.0]
... 6 more
解决方法:编辑文件GeoScene使用的OpenSearch配置文件:D:\geosceneportal\index\config\opensearch.yml,注释掉下面一行配置。
#compatibility.override_main_response_version : true4、如何获得GeoScene Portal调用OpenSearch时使用的环境变量和命令行。
GeoScene Portal调用OpenSearch执行了这个文件:D:\GeoScene\Portal\framework\runtime\ds\framework\runtime\opensearch\bin\opensearch.bat,编辑这个文件增加以下两行。
set > D:\GeoScene\Portal\framework\runtime\ds\framework\runtime\opensearch\logs\env.txt
echo %* >> D:\GeoScene\Portal\framework\runtime\ds\framework\runtime\opensearch\logs\parameters.txt重启GeoScene Portal服务,等服务启动成功,env.txt是环境变量,parameters.txt是命令行参数。参考上面OpenSearch启动参数。
5、OpenSearch启动报错:Default endpoint could not be created, auditlog will not work properly. OpenSearch Security not initialized. (you may need to run securityadmin)。
解决方案:编辑文件GeoScene使用的OpenSearch配置文件:D:\geosceneportal\index\config\opensearch.yml,注释掉下面一行。
#compatibility.override_main_response_version : true