Fastjson Deserialization Remote Code Execution Vulnerability

1. Description:

Fastjson is an open source high-performance JSON parsing and processing library that is widely used in China. On May 23, the Fastjson project officially issued a security bulletin announcing that it had fixed a new deserialization vulnerability:

Fastjson defends against deserialization vulnerabilities with blacklists and whitelists. These defense mechanisms can be bypassed in Fastjson 1.2.80 and earlier. Therefore, in the default configuration, when an application or system uses Fastjson to parse user-controllable JSON strings, the result may be remote code execution.

2. Scope of influence:

Fastjson version 1.2.80 and earlier.

3. Solutions or suggestions:

3.1 Upgrade to the latest version 1.2.83: https://github.com/alibaba/fastjson/releases/tag/1.2.83
This release changes autoType behavior, which may cause incompatibilities in some cases. If you have questions, seek help at https://github.com/alibaba/fastjson/issues

3.2 safeMode reinforcement
fastjson introduced safeMode in version 1.2.68. When safeMode is configured, autoType is not supported at all, regardless of whitelist or blacklist, which blocks attacks through deserialization gadget variants (this turns off autoType entirely, so evaluate the impact on your business carefully).

3.2.1 How to enable it
Refer to https://github.com/alibaba/fastjson/wiki…n_safemode

3.2.2 Whether safeMode needs to be used after 1.2.83
1.2.83 fixes the vulnerability reported this time. Turning on safeMode disables the autoType function completely, which prevents similar problems from recurring, but it may introduce compatibility issues. Fully assess the impact on your business before enabling it.
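As an added example (not code from the bulletin or the fastjson project), the following shows an application enabling safeMode programmatically, with a self-check that a JSON document carrying the "@type" key is refused; the class name com.example.app.User is a placeholder and the sample input is constructed.

```java
import com.alibaba.fastjson.JSON;
import com.alibaba.fastjson.JSONException;
import com.alibaba.fastjson.parser.ParserConfig;

public class SafeModeCheck {
    // Constructed sample input: an ordinary-looking document that also carries
    // the autoType key. The class name is a placeholder application class.
    static final String INPUT =
        "{\"@type\":\"com.example.app.User\",\"name\":\"alice\"}";

    // Returns true when fastjson refuses the @type key, i.e. safeMode is in effect.
    static boolean autoTypeIsRefused(String json) {
        try {
            JSON.parseObject(json);
            return false; // @type was processed: autoType is still reachable
        } catch (JSONException e) {
            // In safeMode the parser throws before any class lookup takes place.
            return true;
        }
    }

    public static void main(String[] args) {
        System.out.println("fastjson " + JSON.VERSION);

        // Enable safeMode for the global parser configuration. Equivalent
        // alternatives are the JVM flag -Dfastjson.parser.safeMode=true or
        // fastjson.parser.safeMode=true in a fastjson.properties on the classpath.
        ParserConfig.getGlobalInstance().setSafeMode(true);

        if (autoTypeIsRefused(INPUT)) {
            System.out.println("OK: @type rejected, safeMode is active");
        } else {
            System.out.println("WARNING: @type accepted, safeMode is NOT active");
        }
    }
}
```

Run this once at application start-up (or as a unit test) so a misconfigured deployment that silently leaves autoType reachable is caught before it serves untrusted input.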

3.3 Upgrade to fastjson v2
fastjson v2 address: https://github.com/alibaba/fastjson2/releases

fastjson has an open source 2.0 version. In version 2.0 a compatibility whitelist is no longer provided, which improves security. The fastjson v2 code has been rewritten and performance has been greatly improved, but it is not fully compatible with 1.x, so an upgrade requires rigorous compatibility testing. If you run into problems with the upgrade, please refer to https://github.com/alibaba/fastjson2/issues

Reference source >> https://hackertop.com/thread-2.html

Original article by Chief Security Officer, if reproduced, please credit https://cncso.com/en/fastjson-deserialization-rce-vulnerability-html
