Alibaba’s open source JSON parsing library fastjson has been exposed to high-risk vulnerabilities, and the official has released a security announcement

Time: 2020-8-16


Technical editor: Xu Jiuyi from si no office


Fastjson is an open source Java library from Alibaba. It serializes Java objects into JSON and parses JSON strings back into Java objects. The current release, 1.2.68, was published at the end of March.

Recently, the Alibaba Cloud emergency response center detected a new remote code execution vulnerability in fastjson. An attacker can use it to bypass the autoType restriction and execute arbitrary commands on the server, so the risk is severe. 360 Security Center rated the vulnerability "high risk".

1. Vulnerability description

Fastjson relies on a blacklist and whitelist of class names to prevent deserialization attacks. As attackers keep discovering new deserialization gadget classes, the blacklist can still be bypassed even with autoType turned off, which leads to remote command execution. Research shows that the bar for exploiting the vulnerability is low and that the autoType restriction can be bypassed. The Alibaba Cloud emergency response center urges fastjson users to apply the security measures below as soon as possible.

2. Affected versions

fastjson <= 1.2.68

fastjson sec versions <= sec9

The Android version is not affected by this vulnerability.

3. Vulnerability verification

Exploitation can go through JNDI with RMI or LDAP (second-order injection), or through local bytecode injection.

Local bytecode injection does not depend on the JDK patch level or the network environment of the target machine, which makes it more convenient for attackers.

To address this vulnerability, upgrade to the latest version, 1.2.69, or the later version 1.2.70, to avoid the related risks.
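The two defensive measures described above (the autoType bypass in section 1 and the upgrade advice here) can be enforced from application code. The following is an added example, not code from the advisory or from the fastjson project: it refuses to start on a build inside the affected range, turns on fastjson's safeMode (which disables `@type` handling entirely), and binds untrusted input to a fixed class. The class names `FastjsonHardening` and `Order` are hypothetical, the sample JSON is constructed, the `@type` value in it is a placeholder rather than a real gadget class, and the sec-build version format `1.2.68.sec9` is an assumption about how those builds are labelled.

```java
import com.alibaba.fastjson.JSON;
import com.alibaba.fastjson.JSONException;
import com.alibaba.fastjson.parser.ParserConfig;

/**
 * Added example (hypothetical class, not part of the advisory or of fastjson).
 * 1. Refuse to run on a fastjson build in the affected range (<= 1.2.68 / sec9).
 * 2. Enable safeMode so any "@type" key is rejected before class lookup.
 * 3. Parse input into a concrete class; the document never picks the target type.
 */
public class FastjsonHardening {

    /** Highest affected build named in the advisory (sec-build format is assumed). */
    static final String LAST_AFFECTED = "1.2.68.sec9";

    /** Keep only the digits of one version component: "68" -> 68, "sec9" -> 9, "" -> 0. */
    private static int numericPart(String part) {
        String digits = part.replaceAll("[^0-9]", "");
        return digits.isEmpty() ? 0 : Integer.parseInt(digits);
    }

    /** Numeric comparison of dotted versions, so "1.2.70" sorts after "1.2.9". */
    static int compareVersions(String a, String b) {
        String[] pa = a.split("\\.");
        String[] pb = b.split("\\.");
        int n = Math.max(pa.length, pb.length);
        for (int i = 0; i < n; i++) {
            int x = i < pa.length ? numericPart(pa[i]) : 0;
            int y = i < pb.length ? numericPart(pb[i]) : 0;
            if (x != y) {
                return Integer.compare(x, y);
            }
        }
        return 0;
    }

    /** True when the given fastjson version falls inside the affected range. */
    static boolean isAffected(String version) {
        return compareVersions(version, LAST_AFFECTED) <= 0;
    }

    /** Plain data class used as the fixed parse target (hypothetical). */
    public static class Order {
        public String id;
        public int quantity;
    }

    /** Bind untrusted JSON to Order only; with safeMode on, "@type" throws JSONException. */
    static Order parseOrder(String json) {
        return JSON.parseObject(json, Order.class);
    }

    public static void main(String[] args) {
        // JSON.VERSION is the library's own version constant.
        if (isAffected(JSON.VERSION)) {
            throw new IllegalStateException(
                "fastjson " + JSON.VERSION + " is affected; upgrade to 1.2.69 or later");
        }

        // Same effect as starting the JVM with -Dfastjson.parser.safeMode=true.
        ParserConfig.getGlobalInstance().setSafeMode(true);

        // Constructed sample: an ordinary document still parses normally.
        Order ok = parseOrder("{\"id\":\"A-1\",\"quantity\":3}");
        System.out.println("parsed order " + ok.id + " x" + ok.quantity);

        // Constructed sample with an "@type" key (placeholder name, not a real gadget).
        String withType = "{\"@type\":\"com.example.PLACEHOLDER\",\"id\":\"A-2\",\"quantity\":1}";
        try {
            parseOrder(withType);
            System.out.println("unexpected: @type was accepted");
        } catch (JSONException e) {
            // safeMode rejects the document before any class is resolved.
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Compile and run with a fastjson 1.2.69 or later jar on the classpath. The version gate is a startup self-check, not a substitute for actually upgrading the dependency; safeMode is the setting to keep on wherever the application does not rely on polymorphic deserialization, since it closes the whole `@type` path instead of depending on the blacklist keeping up with new gadget classes.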


Project address:
https://github.com/alibaba/fa…
Fastjson official security notice:
https://github.com/alibaba/fa…

The black industry and high-risk vulnerabilities

As network technology keeps advancing, the network security situation grows increasingly severe. In recent years, data leaks, online extortion and other security incidents have occurred frequently, seriously affecting the development of enterprises and society. Most of the illicit activity growing in cyberspace is tied to high-risk vulnerabilities.

In other words, exploiting software and hardware vulnerabilities has become the black industry's main means of taking over systems of every kind.

Enterprise administrators and project leaders should keep watching for vulnerability disclosures and fix announcements, and install patches promptly to close known vulnerabilities, so that they are not exploited and do not cause losses.

