1. 漏洞描述

TestNG is a testing framework inspired from JUnit and NUnit but introducing some new functionality that make it more powerful and easier to use, such as: * Annotations. * Run your tests in arbitrarily big thread pools with various policies available (all methods in their own thread, one thread per test class, etc...). * Test that your code is multithread safe. * Flexible test configuration. * Support for data-driven testing (with @DataProvider). * Support for parameters. * Powerful execution model (no more TestSuite). * Supported by a variety of tools and plug-ins (Eclipse, IDEA, Maven, etc...). * Embeds BeanShell for further flexibility. * Default JDK functions for runtime and logging (no dependencies). * Dependent methods for application server testing.

Security Fix(es):

A vulnerability was found in cbeust testng 7.5.0/7.6.0/7.6.1/7.7.0. It has been declared as critical. Affected by this vulnerability is the function testngXmlExistsInJar of the file testng-core/src/main/java/org/testng/JarFileUtils.java of the component XML File Parser. The manipulation leads to path traversal. The attack can be launched remotely. Upgrading to version 7.5.1 and 7.7.1 is able to address this issue. The patch is named 9150736cd2c123a6a3b60e6193630859f9f0422b. It is recommended to upgrade the affected component. The associated identifier of this vulnerability is VDB-214027.(CVE-2022-4065)

2. 影响范围

3. 影响组件

4. 修复版本

5. 修复方法

方法一：下载安装包进行升级安装
1、通过下载链接下载需要升级的升级包保存，如 xxx.rpm
2、通过rpm命令升级，如 rpm -Uvh xxx.rpm

方法二：通过软件源进行升级安装
1、保持能够连接上互联网
2、通过yum命令升级指定的包，如 yum install 包名

6. 下载链接

KY3.5.1:

x86_64:

     testng-javadoc   

     testng   

aarch64:

     testng-javadoc   

     testng   

KY3.4-4A:

x86_64:

     testng-javadoc   

     testng   

aarch64:

     testng-javadoc   

     testng   

KY3.4-5A:

x86_64:

     testng   

     testng-javadoc   

aarch64:

     testng   

     testng-javadoc   

KY3.5.2:

x86_64:

     testng   

     testng-javadoc   

aarch64:

     testng   

     testng-javadoc