Remote Code Execution Vulnerability in Fastjson Versions Earlier than 1.2.66

Mar 03, 2020 GMT+08:00

I. Overview

Fastjson has officially released a new version on GitHub and disclosed that a deserialization remote code execution vulnerability exists in fastjson versions earlier than 1.2.66. Attackers can exploit the vulnerability with new gadgets to achieve remote code execution.

If you use fastjson, check your version and apply security hardening promptly.

Reference links:

https://github.com/alibaba/fastjson/releases/tag/1.2.66

II. Severity

Severity: important

(Severity levels: low, moderate, important, and critical)

III. Affected Products

Affected Versions:

Fastjson versions earlier than 1.2.66

Secure Versions:

Fastjson 1.2.66

IV. Vulnerability Handling

This vulnerability has been fixed in the latest official version. If your service runs a version in the affected range, upgrade it to the latest secure version.

Download address: https://repo1.maven.org/maven2/com/alibaba/fastjson/1.2.66/

Enabling autoType is a prerequisite for exploiting this vulnerability. In fastjson versions 1.2.5x and later, autoType is disabled by default. If you have enabled autoType, disable it as a temporary mitigation until you can upgrade. To disable autoType:

1. Find the following line in the project source code and remove it:

ParserConfig.getGlobalInstance().setAutoTypeSupport(true);

2. When launching the project JVM, do not pass the autoType parameter on the command line:

-Dfastjson.parser.autoTypeSupport=true
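A startup self-check that applies the two conditions in this section, added here as an example (it is not part of the advisory or of fastjson): it fails when the fastjson version on the classpath is earlier than 1.2.66, forces autoType off on the global ParserConfig, and confirms that a constructed document carrying an "@type" key is rejected. It assumes fastjson on the classpath; FastjsonHardeningCheck and com.example.NotAllowed are placeholder names.

```java
import com.alibaba.fastjson.JSON;
import com.alibaba.fastjson.JSONException;
import com.alibaba.fastjson.parser.ParserConfig;

public class FastjsonHardeningCheck {
    /** True if a version string such as "1.2.62" is earlier than the secure version 1.2.66. */
    static boolean isAffectedVersion(String version) {
        String[] parts = version.split("\\.");
        int[] n = new int[3];
        for (int i = 0; i < 3 && i < parts.length; i++) {
            // keep only the leading digits so suffixes like "66-SNAPSHOT" still parse
            String digits = parts[i].replaceAll("^(\\d*).*$", "$1");
            n[i] = digits.isEmpty() ? 0 : Integer.parseInt(digits);
        }
        long key = n[0] * 1_000_000L + n[1] * 1_000L + n[2];   // 1.2.66 -> 1002066
        return key < 1_002_066L;
    }

    /** Turns autoType off on the global ParserConfig; returns whether it had been on. */
    static boolean disableGlobalAutoType() {
        ParserConfig cfg = ParserConfig.getGlobalInstance();
        // covers both the setAutoTypeSupport(true) call and the -D flag from the steps above
        boolean wasEnabled = cfg.isAutoTypeSupport()
                || Boolean.parseBoolean(System.getProperty("fastjson.parser.autoTypeSupport"));
        cfg.setAutoTypeSupport(false);
        return wasEnabled;
    }

    /** Confirms that a document naming a class via "@type" is rejected once autoType is off. */
    static boolean rejectsUntrustedType() {
        // constructed sample input; com.example.NotAllowed is a placeholder, not a real class
        String untrusted = "{\"@type\":\"com.example.NotAllowed\",\"x\":1}";
        try {
            JSON.parseObject(untrusted);
            return false;   // parsed without error: autoType is still in effect
        } catch (JSONException expected) {
            return true;    // rejected, as the mitigation in this notice intends
        }
    }

    public static void main(String[] args) {
        if (isAffectedVersion(JSON.VERSION)) {
            throw new IllegalStateException("fastjson " + JSON.VERSION + " is earlier than 1.2.66; upgrade it");
        }
        if (disableGlobalAutoType()) System.err.println("autoType was enabled; disabled for this process");
        if (!rejectsUntrustedType()) {
            throw new IllegalStateException("\"@type\" input was accepted; autoType is still active");
        }
    }
}
```

Run it once at application startup; a thrown IllegalStateException means the service is still in the affected range or autoType is still active.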

Note: Before applying the fix, back up your files and test thoroughly.