Technical editor: Xu Jiuyi from si no office
Fastjson is an open-source Java library from Alibaba. It converts Java objects into JSON and parses JSON strings back into Java objects. The current version of fastjson, 1.2.68, was released at the end of March.
Recently, the Alibaba Cloud emergency response center detected a new remote code execution vulnerability in fastjson. Attackers can use it to bypass the autotype restriction and execute arbitrary commands directly on the server, which poses a serious risk. 360 Security Center rated the vulnerability as "high risk".
1. Vulnerability description
Fastjson relies on a blacklist and a whitelist to prevent deserialization vulnerabilities. As attackers keep discovering new deserialization gadget classes, they can still bypass the blacklist defense even when autotype is turned off, which leads to remote command execution. Research shows that the vulnerability is easy to exploit and that the autotype restriction can be bypassed. The Alibaba Cloud emergency response center reminds fastjson users to take security measures as soon as possible to prevent attacks.
2. Affected versions
Fastjson sec version <= SEC9
The Android version is not affected by this vulnerability.
3. Vulnerability verification
JNDI can be used with RMI or LDAP second-order injection, or with bytecode local injection.
Bytecode local injection is not limited by the JDK patch level or the network environment of the target machine, which makes it more favorable for attackers.
For this vulnerability, it is recommended to upgrade to the latest version, 1.2.69, or the later version 1.2.70, to avoid the related risk.
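As an added illustration (not code from this article or from fastjson itself), the snippet below shows the hardening that complements the upgrade advised above and addresses the mechanism described in section 1: fastjson 1.2.68 added a safeMode switch that rejects every `@type` key before any black or white list is consulted, so a newly discovered gadget class cannot slip past the blacklist. The `Order` class and both JSON inputs are constructed for the example.

```java
import com.alibaba.fastjson.JSON;
import com.alibaba.fastjson.JSONException;
import com.alibaba.fastjson.parser.ParserConfig;

public class FastjsonHardening {

    // Plain data class the application expects; constructed for this example.
    public static class Order {
        public String id;
        public int quantity;
    }

    // Call once at start-up (fastjson >= 1.2.68). With safeMode on, the parser
    // throws as soon as it meets an @type key, regardless of the black/white
    // lists, so blacklist bypasses no longer reach a deserialization gadget.
    public static void hardenParser() {
        ParserConfig config = ParserConfig.getGlobalInstance();
        config.setAutoTypeSupport(false); // keep the default: autotype off
        config.setSafeMode(true);         // refuse all @type keys outright
    }

    // Returns true when fastjson refused to deserialize the document.
    public static boolean isRejected(String json) {
        try {
            JSON.parseObject(json, Order.class);
            return false;
        } catch (JSONException e) {
            // safeMode reports the refusal as a JSONException
            return true;
        }
    }

    public static void main(String[] args) {
        hardenParser();

        // Constructed inputs: a normal order, and one that tries to pick a
        // class through @type (the class name here is a harmless placeholder).
        String benign = "{\"id\":\"A-1\",\"quantity\":2}";
        String typed  = "{\"@type\":\"com.example.Other\",\"id\":\"A-1\",\"quantity\":2}";

        Order o = JSON.parseObject(benign, Order.class);
        System.out.println("benign parsed: id=" + o.id + ", quantity=" + o.quantity);
        System.out.println("@type document rejected: " + isRejected(typed)); // true
    }
}
```

Alternatively, the same switch can be set without code changes via the JVM property `-Dfastjson.parser.safeMode=true`; either way, safeMode is only appropriate for applications that never rely on `@type` for polymorphic deserialization.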
Fastjson official security notice:
Cybercrime ("black industry") and high-risk vulnerabilities
As network technology keeps advancing, the network security situation grows increasingly severe. In recent years, data leaks, network extortion and other security incidents have occurred frequently, seriously affecting the development of enterprises and society. Most of these illegal businesses growing in cyberspace are related to high-risk vulnerabilities.
In other words, exploiting software and hardware vulnerabilities has become the main means by which the black industry takes over all kinds of systems.
Enterprise administrators and project leaders should keep an eye on vulnerability disclosure and patch announcements at all times, and install patches promptly to fix known vulnerabilities, so as to avoid being exploited and suffering losses.