1

According to the monitoring of the National Network and Information Security Information Notification Center, the open source Java development component Fastjson has a deserialization remote code execution vulnerability. Attackers can use the above vulnerabilities to implement arbitrary file writing, server request forgery and other attack behaviors, resulting in serious impact such as server privilege theft and sensitive information leakage.
According to statistics, this incident affects Fastjson 1.2.80 and all previous versions. At present, the latest version of Fastjson 1.2.83 has fixed this vulnerability. Grape City reminds the majority of developers: Please check and sort out the affected situation in a timely manner, repair loopholes and eliminate hidden dangers on the premise of ensuring security, improve network system security protection capabilities, and strictly prevent network attacks.

Vulnerability description

On May 23, Fastjson officially announced that there are new deserialization risks in versions 1.2.80 and below. Under certain conditions, the default autoType closure restriction can be bypassed, thereby deserializing classes with security risks. Attackers The vulnerability can be exploited to achieve remote code execution on the target machine.
Fastjson is an open source JSON parsing library, which can parse strings in JSON format, support serialization of Java Beans to JSON strings, and deserialization from JSON strings to Java Beans. Due to its high execution efficiency, Fastjson is integrated by many java software as a component and widely exists in the server code of java applications.

Vulnerability Details

• Vulnerability Name: Fastjson Deserialization Remote Code Execution Vulnerability • Vulnerability Number: None • Vulnerability Type: Remote Arbitrary Code Execution • Component Name: Fastjson
• Versions affected: Fastjson ≤ 1.2.80
• Vulnerability Level: Critical

Repair suggestion

1. Upgrade to the latest version 1.2.83, download address: https://github.com/alibaba/fastjson/releases/tag/1.2.83
Since this version involves changes in autotype behavior, incompatibility may occur in some scenarios. If you encounter problems, you can go to https://github.com/alibaba/fastjson/issues for help.

2. SafeMode reinforcement
Fastjson introduced safeMode in 1.2.68 and later versions. After configuring safeMode, autoType is not supported regardless of whitelist or blacklist, which can prevent the deserialization Gadgets variant attack.

3. Upgrade to Fastjson v2, download address: https://github.com/alibaba/fastjson2/releases
Fastjson has open source version 2.0. In version 2.0, whitelist is no longer provided for compatibility, which improves security. The Fastjson v2 code has been rewritten, and the performance has been greatly improved. It is not fully compatible with 1.x. The upgrade requires serious compatibility testing. There is a problem with the upgrade, you can ask for help at https://github.com/alibaba/fastjson2/issues .

Troubleshooting suggestions

• Maven: Check pom.xml and determine the version number by searching for Fastjson • Other projects determine the version number of Fastjson by searching for jar files

To add in a small voice, after testing, our Wyn , movable type , SpreadJS and GcExcel do not use the Fastjson JSON library, so you don't need to worry about security issues.


葡萄城技术团队
2.7k 声望29.2k 粉丝

葡萄城是专业的软件开发技术和低代码平台提供商,聚焦软件开发技术,以“赋能开发者”为使命,致力于通过表格控件、低代码和BI等各类软件开发工具和服务,一站式满足开发者需求,帮助企业提升开发效率并创新开发模式。