
Remote Code Execution Vulnerability in Fastjson 1.2.68 and Earlier Versions

May 30, 2020 GMT+08:00

I. Overview

It has recently been disclosed that a high-risk vulnerability exists in Fastjson 1.2.68 and earlier versions. An attacker can use it to bypass the autoType switch, achieve remote code execution through deserialization, and obtain access to the server.

If you are a Fastjson user, check your system and harden it promptly.

II. Severity

Severity: important

(Severity: low, moderate, important, and critical)

III. Affected Products

Affected Versions:

Fastjson 1.2.68 and earlier versions

Secure Version:

Fastjson later than 1.2.68

IV. Vulnerability Handling

This vulnerability has been fixed in the latest official release. If your version is affected, upgrade it to the secure version.

Download link: https://github.com/alibaba/fastjson/releases

Workarounds:

Fastjson 1.2.68 introduces the safeMode configuration. You can upgrade to version 1.2.68 and then enable safeMode to defend against attacks. Once safeMode is enabled, autoType is disabled entirely, regardless of any whitelist or blacklist configuration. Before enabling safeMode, evaluate its impact on your services. The following three methods are available for configuring safeMode:

1. Use the following code for configuration:

ParserConfig.getGlobalInstance().setSafeMode(true);

2. Add the JVM startup parameter:

-Dfastjson.parser.safeMode=true

If there are multiple package name prefixes, separate them with commas (,).

3. Use the fastjson.properties file in the class path for configuration:

fastjson.parser.safeMode=true
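The following program is an added example, not code from this advisory, from HUAWEI CLOUD or from the Fastjson project. It is a defender's self-check for the three methods above: it reports the loaded Fastjson version, enables safeMode with the ParserConfig call from method 1, and confirms that a document carrying an "@type" hint is now refused while an ordinary document still parses. It assumes fastjson 1.2.68 or later is on the classpath; the class name SafeModeCheck, the two JSON documents and the placeholder class name com.example.PlaceholderType are constructed for this check and are not a real gadget.

```java
// Added example (not from the advisory): verifies that Fastjson safeMode
// refuses "@type"-driven autoType, using the ParserConfig API the advisory cites.
// Assumes fastjson 1.2.68+ on the classpath; the documents below are constructed.
import com.alibaba.fastjson.JSON;
import com.alibaba.fastjson.JSONException;
import com.alibaba.fastjson.JSONObject;
import com.alibaba.fastjson.parser.ParserConfig;

public class SafeModeCheck {

    // Constructed input: a document asking the parser to instantiate a
    // caller-chosen class. The class name is a placeholder, not a real gadget.
    private static final String AUTOTYPE_DOC =
        "{\"@type\":\"com.example.PlaceholderType\",\"value\":\"x\"}";

    // Constructed input: an ordinary document with no type hint.
    private static final String PLAIN_DOC = "{\"name\":\"order\",\"qty\":2}";

    /** True when the loaded build is later than 1.2.68, the advisory's
     *  "Secure Version" boundary. Tolerates suffixes such as "1.2.83_xxx". */
    static boolean isLaterThan1_2_68() {
        int[] p = new int[3];
        String[] parts = JSON.VERSION.split("\\.");
        for (int i = 0; i < 3 && i < parts.length; i++) {
            p[i] = Integer.parseInt(parts[i].replaceAll("[^0-9].*$", ""));
        }
        if (p[0] != 1) return p[0] > 1;
        if (p[1] != 2) return p[1] > 2;
        return p[2] > 68;
    }

    /** True when the parser rejects the @type document, which is the expected
     *  outcome after setSafeMode(true), -Dfastjson.parser.safeMode=true or
     *  fastjson.parser.safeMode=true in fastjson.properties. */
    static boolean safeModeBlocksAutoType() {
        try {
            JSON.parseObject(AUTOTYPE_DOC);
            return false; // type hint was honoured: safeMode is NOT in effect
        } catch (JSONException expected) {
            return true;  // "safeMode not support autoType" is the intended refusal
        }
    }

    public static void main(String[] args) {
        System.out.println("fastjson version: " + JSON.VERSION
            + (isLaterThan1_2_68() ? " (later than 1.2.68)" : " (1.2.68 or earlier)"));

        // Method 1 from the advisory: enable safeMode in code. Do this once,
        // at startup, before any untrusted input reaches the parser.
        ParserConfig.getGlobalInstance().setSafeMode(true);
        System.out.println("safeMode enabled: "
            + ParserConfig.getGlobalInstance().isSafeMode());

        // Ordinary documents still parse normally with safeMode on.
        JSONObject plain = JSON.parseObject(PLAIN_DOC);
        System.out.println("plain document parsed: qty=" + plain.getIntValue("qty"));

        // Documents carrying @type must be refused.
        boolean blocked = safeModeBlocksAutoType();
        System.out.println("@type document rejected: " + blocked);
        if (!blocked) {
            System.err.println("WARNING: autoType still honoured; safeMode is not effective");
            System.exit(1);
        }
    }
}
```

To exercise methods 2 and 3 instead, delete the setSafeMode(true) line and run the same program with -Dfastjson.parser.safeMode=true, or with fastjson.parser.safeMode=true in a fastjson.properties file on the class path; the "@type document rejected" line must still print true, and the non-zero exit on failure makes the check usable in a deployment pipeline.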

The Web Application Firewall (WAF) service, provided by HUAWEI CLOUD, can defend against attacks exploiting this vulnerability. If you are a WAF user, set the basic web protection status to Block. For details, see Enabling Basic Web Protection.

Note: Before fixing vulnerabilities, back up your files and conduct a thorough test.