Service Notices > Fastjson Remote DoS Vulnerability

Fastjson Remote DoS Vulnerability

Sep 06, 2019 GMT+08:00

I. Overview

The HUAWEI CLOUD security team has recently noticed that the remote denial of service (DoS) vulnerability exists in versions earlier than Fastjson 1.2.60. Fastjson fails to parse specific JSON character strings. An attacker can construct a request packet to initiate a remote DoS attack on servers that use the Fastjson. As a result, the CPU/RAM of the servers is overloaded, causing performance deterioration or server breakdown.

Reference link:

https://github.com/alibaba/fastjson/pull/2692

II. Severity

Severity: important

(Severity: low, moderate, important, and critical)

III. Affected Products

Affected versions:

Fastjson versions earlier than 1.2.60

or Fastjson sec versions earlier than sec06

Secure versions:

Fastjson 1.2.60 and later

or Fastjson sec06 and later

IV: Workarounds

Upgrade Fastjson to a secure version. Download address: http://repo1.maven.org/maven2/com/alibaba/fastjson/

HUAWEI CLOUD WAF can detect this vulnerability by default. You can enable the mode of basic web protection to implement defense. For details about the configuration, see

https://support.huaweicloud.com/en-us/usermanual-waf/waf_01_0008.html

Note: Before fixing vulnerabilities, back up your files and conduct a thorough test.