Service Notices
Fastjson <= 1.2.80 Deserialization Remote Code Execution Vulnerability
May 24, 2022 GMT+08:00
I. Overview
New gadgets have been disclosed that enable a deserialization remote code execution vulnerability in Fastjson 1.2.80 and earlier versions. Although autoType is disabled by default, an attacker can bypass this restriction and achieve deserialization remote code execution against the target server. The risk is high.
If you are a Fastjson user, check your system and implement timely security hardening.
Reference: https://github.com/alibaba/fastjson/wiki/security_update_20220523
II. Severity
Severity: important
(Severity: low, moderate, important, and critical)
III. Affected Products
Affected versions:
Fastjson <= 1.2.80
Secure versions:
Fastjson 1.2.83
IV. Vulnerability Handling
Users running the affected versions with the autoType function enabled are affected. The latest version updates the autoType security blacklist to fix this vulnerability. Please upgrade to a secure version as soon as possible.
Download address: https://github.com/alibaba/fastjson/releases/tag/1.2.83
If you cannot upgrade in a timely manner, refer to the workarounds provided in the official announcement to mitigate the risk.
1. Fastjson 1.2.68 introduced the safeMode configuration. Upgrade Fastjson to at least 1.2.68 and enable safeMode to defend against attacks. (When safeMode is enabled, autoType is disabled entirely; neither the whitelist nor the blacklist applies. Evaluate the impact on your workloads before performing this operation.) For details about how to enable this function, see https://github.com/alibaba/fastjson/wiki/fastjson_safemode.
2. Upgrade to Fastjson v2. Fastjson 2.0 is an open-source version; it provides no whitelist, so it is more secure. The code of Fastjson v2 has been rewritten and performance is greatly improved. Fastjson v2 is not fully compatible with the 1.x versions, so perform compatibility tests before upgrading.
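The safeMode workaround from step 1, as an added example that is not part of this notice or of the Fastjson project: a startup self-check that turns safeMode on and confirms that a document carrying an "@type" key is refused before any class is resolved. It assumes Fastjson 1.2.68 or later on the classpath; FastjsonSafeModeCheck and com.example.Placeholder are names chosen for this example.

```java
import com.alibaba.fastjson.JSON;
import com.alibaba.fastjson.JSONException;
import com.alibaba.fastjson.parser.ParserConfig;

/**
 * Startup self-check: enables Fastjson safeMode and verifies that a document
 * carrying an "@type" key (the hook autoType uses to select a class) is rejected.
 * Added example, not Fastjson project code; assumes Fastjson >= 1.2.68.
 */
public class FastjsonSafeModeCheck {

    /** Enable safeMode programmatically. Equivalent alternatives documented in the
     *  Fastjson wiki: JVM flag -Dfastjson.parser.safeMode=true, or the line
     *  fastjson.parser.safeMode=true in fastjson.properties. */
    public static void enableSafeMode() {
        ParserConfig.getGlobalInstance().setSafeMode(true);
    }

    /**
     * Returns true only if a constructed "@type" document is refused by the parser.
     * com.example.Placeholder is a made-up class name used purely as a probe; with
     * safeMode on, Fastjson rejects the "@type" key before resolving any class.
     */
    public static boolean autoTypeIsRejected() {
        String probe = "{\"@type\":\"com.example.Placeholder\",\"value\":1}"; // constructed input
        try {
            JSON.parseObject(probe);
            return false; // parsed without error: autoType handling is still reachable
        } catch (JSONException e) {
            return true;  // rejected as expected (message reads "safeMode not support autoType ...")
        }
    }

    public static void main(String[] args) {
        enableSafeMode();
        boolean safe = ParserConfig.getGlobalInstance().isSafeMode() && autoTypeIsRejected();
        System.out.println("safeMode active and @type rejected: " + safe);
        if (!safe) {
            System.exit(1); // fail fast so a misconfigured deployment does not start serving
        }
    }
}
```

Run this once during application startup (or as a unit test in the build) so that a dependency bump or configuration change that silently re-enables autoType is caught before deployment.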
Huawei Cloud WAF can defend against this vulnerability. If you are a WAF user, set the basic web protection status to Block. For details, see Configuring Basic Web Protection Rules.
Note: Before fixing vulnerabilities, back up your files and conduct a thorough test.