Fastjson Deserialization Remote Code Execution Vulnerability

1. Description:

Fastjson is an open source high-performance JSON parsing and processing library that is widely used in China. On May 23, Fastjson officially issued a security bulletin, saying that it had fixed a new deserialization vulnerability:

Fastjson defends against deserialization vulnerabilities with blacklists and whitelists. These defense mechanisms can be bypassed in Fastjson 1.2.80 and earlier versions. Therefore, in the default configuration, when an application or system uses Fastjson to parse user-controllable JSON strings, the result may be remote code execution.

2. Affected scope:

Fastjson version ≤ 1.2.80.

3. Solutions or suggestions:

3.1 Upgrade to the latest version 1.2.83: https://github.com/alibaba/fastjson/releases/tag/1.2.83
This release changes autoType behavior, so incompatibilities may occur in some cases. If you have any questions, you can seek help at https://github.com/alibaba/fastjson/issues.

3.2 safeMode reinforcement
fastjson introduced safeMode in version 1.2.68 and later. Once safeMode is configured, autoType is not supported for either the whitelist or the blacklist, which prevents deserialization attacks using Gadget variants (this turns autoType off; assess the impact on your business).

3.2.1 How to enable it
Refer to https://github.com/alibaba/fastjson/wiki…n_safemode

3.2.2 Whether safeMode is still needed after 1.2.83
1.2.83 fixes the vulnerability discovered this time. Turning on safeMode completely disables the autoType function so that similar problems cannot recur. This may cause compatibility issues, so fully assess the impact on your business before enabling it.
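As an added example (not code from the advisory or from the fastjson project), the following program enables safeMode programmatically, which has the same effect as starting the JVM with `-Dfastjson.parser.safeMode=true` or setting `fastjson.parser.safeMode=true` in `fastjson.properties`. It then shows that any JSON carrying the `@type` key is rejected regardless of the class named, while ordinary JSON still parses. It assumes fastjson 1.2.68 or later is on the classpath; the sample JSON document is constructed here and names `java.util.HashMap` only as a harmless placeholder.

```java
import com.alibaba.fastjson.JSON;
import com.alibaba.fastjson.JSONException;
import com.alibaba.fastjson.parser.ParserConfig;

public class SafeModeDemo {
    // Constructed sample input: JSON that carries fastjson's "@type" key,
    // the key autoType acts on. The class name is a harmless placeholder.
    static final String TYPED_JSON = "{\"@type\":\"java.util.HashMap\",\"k\":\"v\"}";

    // Constructed sample input without any type hint.
    static final String PLAIN_JSON = "{\"k\":\"v\"}";

    // Turn on safeMode for the global parser configuration. Equivalent to
    // -Dfastjson.parser.safeMode=true or fastjson.parser.safeMode=true in
    // fastjson.properties.
    static void enableSafeMode() {
        ParserConfig.getGlobalInstance().setSafeMode(true);
    }

    // Returns true when the parser refuses the document because of @type.
    // In safeMode this happens for every @type value, whitelisted or not.
    static boolean rejectsAutoType(String json) {
        try {
            JSON.parseObject(json);
            return false;
        } catch (JSONException e) {
            return true;
        }
    }

    public static void main(String[] args) {
        enableSafeMode();

        System.out.println("typed document rejected: " + rejectsAutoType(TYPED_JSON));
        System.out.println("plain document rejected: " + rejectsAutoType(PLAIN_JSON));

        // Plain JSON is unaffected by safeMode and still parses normally.
        System.out.println("k = " + JSON.parseObject(PLAIN_JSON).getString("k"));
    }
}
```

Because safeMode is a process-wide setting on the global ParserConfig, it must be applied before any parsing happens, typically in a static initializer or through the JVM property. Code paths that legitimately rely on `@type` will start failing with a JSONException once it is on, which is the compatibility impact the advisory asks you to assess.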

3.3 Upgrade to fastjson v2
fastjson v2 address: https://github.com/alibaba/fastjson2/releases

fastjson 2.0 has been released as open source. In version 2.0, the whitelist is no longer provided for compatibility, which improves security. The fastjson v2 code has been rewritten and its performance has been greatly improved, but it is not fully compatible with 1.x, so upgrades require rigorous compatibility testing. If there is a problem with the upgrade, please refer to https://github.com/alibaba/fastjson2/issues

Reference source: https://hackertop.com/thread-2.html

Original article, author: Chief Security Officer, if reprinted, please indicate the source: https://cncso.com/en/fastjson-deserialization-rce-vulnerability.html
