Remote Code Execution Vulnerability in Fastjson 1.2.68 and Earlier Versions
May 30, 2020 GMT+08:00
It has recently been disclosed that a high-risk vulnerability exists in Fastjson 1.2.68 and earlier versions. An attacker who can submit JSON to an affected application can bypass the autoType switch, achieve remote code execution through deserialization, and gain access to the server.
If you are a Fastjson user, check your system and apply security hardening promptly.
(Severity: low, moderate, important, and critical)
III. Affected Products
Affected versions: Fastjson 1.2.68 and earlier versions
Unaffected versions: Fastjson later than 1.2.68
IV. Vulnerability Handling
This vulnerability has been fixed in the latest official release. If your version is affected, upgrade it to the secure version.
Download link: https://github.com/alibaba/fastjson/releases
Fastjson 1.2.68 introduces the safeMode configuration. You can upgrade to version 1.2.68 and then enable safeMode to defend against attacks. Once safeMode is enabled, autoType is disabled entirely, regardless of any whitelist or blacklist, so any input that relies on @type hints will be rejected. Before enabling safeMode, evaluate the impact on your services. The following three methods are available for enabling safeMode:
1. Use the following code for configuration:
2. Add the JVM startup parameter:
If there are multiple package name prefixes, separate them with commas (,).
3. Use the fastjson.properties file in the class path for configuration:
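The following is an added example, not code from the advisory or from the Fastjson project, showing the programmatic form of the safeMode setting (method 1) together with a start-up self-check that confirms the setting is actually in effect: after safeMode is enabled, any document carrying an "@type" key must be rejected with a JSONException, while plain JSON keeps parsing. The class name FastjsonSafeModeCheck, the sample JSON strings and the log messages are constructed for this example; the API calls (ParserConfig.getGlobalInstance().setSafeMode, JSON.parseObject) are the real Fastjson 1.2.68 API.

```java
import com.alibaba.fastjson.JSON;
import com.alibaba.fastjson.JSONException;
import com.alibaba.fastjson.JSONObject;
import com.alibaba.fastjson.parser.ParserConfig;

// Added example (not part of the advisory): enable safeMode and verify it took effect.
public class FastjsonSafeModeCheck {

    // Method 1 from the advisory: enable safeMode on the global ParserConfig.
    // Call this once during application start-up, before any JSON is parsed.
    public static void enableSafeMode() {
        ParserConfig.getGlobalInstance().setSafeMode(true);
    }

    // Self-check: returns true only if a document with an "@type" key is rejected.
    // The type named here is deliberately harmless (java.lang.Object); with safeMode
    // on, Fastjson refuses every "@type" hint before it even resolves the class.
    public static boolean safeModeRejectsTypeHints() {
        // Constructed sample input for the check.
        String typed = "{\"@type\":\"java.lang.Object\",\"x\":1}";
        try {
            JSON.parseObject(typed);
            return false; // autoType still active: safeMode is NOT in effect
        } catch (JSONException e) {
            // Expected: "safeMode not support autoType : java.lang.Object"
            return true;
        }
    }

    public static void main(String[] args) {
        enableSafeMode();

        // Ordinary JSON without a type hint keeps working as before.
        JSONObject plain = JSON.parseObject("{\"name\":\"demo\",\"count\":3}"); // constructed sample
        System.out.println("plain parse ok, name=" + plain.getString("name"));

        if (safeModeRejectsTypeHints()) {
            System.out.println("safeMode active: @type hints are rejected");
        } else {
            // Fail loudly: a deployment that reaches this branch is still exposed.
            throw new IllegalStateException("safeMode is not in effect; refusing to start");
        }
    }
}
```

Methods 2 and 3 from the advisory set the same switch without code changes: start the JVM with `-Dfastjson.parser.safeMode=true`, or place a `fastjson.properties` file on the class path containing the line `fastjson.parser.safeMode=true`. Whichever method you use, the self-check above is worth keeping in a start-up or integration test, because a forgotten JVM flag or a properties file that is not on the class path silently leaves autoType enabled.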
The Web Application Firewall (WAF) service, provided by HUAWEI CLOUD, can defend against attacks exploiting this vulnerability. If you are a WAF user, set the basic web protection status to Block. For details, see Enabling Basic Web Protection.
Note: Before fixing vulnerabilities, back up your files and conduct a thorough test.