
Fastjson 1.2.80 Vulnerability

Latest reply: Jul 5, 2022 08:31:18

Hello, everyone!

Recently, the Fastjson development team found that fastjson 1.2.80 and earlier carry new risks: under certain conditions, the default autoType restriction can be bypassed to attack remote servers.

Impact Scope

Affected version: Fastjson ≤ 1.2.80

Version not affected: Fastjson = 1.2.83

Upgrade plan

1. Upgrade to the latest version, 1.2.83

This version changes autoType behavior, which is incompatible in some scenarios. If you encounter problems, you can ask for help at https://github.com/alibaba/fastjson/issues.

2. SafeMode Hardening

fastjson introduced safeMode in version 1.2.68. Once safeMode is configured, autoType is not supported at all, regardless of whitelist or blacklist, which prevents deserialization gadget variant attacks (this turns autoType off, so evaluate the impact on the business).

a. How to enable it

Refer to https://github.com/alibaba/fastjson/wiki/fastjson_safemode

b. Is safeMode still needed on 1.2.83 and later?

1.2.83 fixes the vulnerability discovered this time. Turning on safeMode disables the autoType function completely, which prevents similar problems from recurring but may cause compatibility problems; fully evaluate the impact on the business before turning it on.

c. Do you need to upgrade if safeMode is enabled?

Deployments with safeMode turned on are not affected by this vulnerability, so they do not need to upgrade.

3. Upgrade to fastjson v2

fastjson v2: https://github.com/alibaba/fastjson2/releases

Fastjson has an open-source 2.0 version. In version 2.0, the whitelist is no longer provided for compatibility, which improves security. The fastjson v2 code has been rewritten and its performance has been greatly improved, but it is not fully compatible with 1.x, so the upgrade requires serious compatibility testing. If there is a problem with the upgrade, you can ask for help at https://github.com/alibaba/fastjson2/issues.

Thanks!
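For the upgrade and safeMode sections of the post above, here is an added Java example. It is not from the post or from the fastjson project; it prints the running fastjson version and shows what safeMode changes relative to the accept-list (whitelist) mechanism. The class OrderDto and the JSON payload are constructed for illustration, and the program needs fastjson 1.2.68 or later on the classpath, since safeMode does not exist in older releases.

```java
import com.alibaba.fastjson.JSON;
import com.alibaba.fastjson.JSONException;
import com.alibaba.fastjson.parser.ParserConfig;

// Hypothetical application class used as the "@type" target below.
class OrderDto {
    public String id;
    public int qty;
}

public class SafeModeCheck {

    // Constructed payload: a document that asks fastjson to instantiate a
    // class chosen by whoever wrote the JSON, via the "@type" key.
    static final String TYPED_PAYLOAD =
            "{\"@type\":\"OrderDto\",\"id\":\"A-1\",\"qty\":2}";

    /**
     * Parses the payload with JSON.parse, the entry point that honors "@type",
     * and reports whether fastjson actually instantiated the named class.
     * A refusal, whether "autoType is not support" (no whitelist match) or
     * "safeMode not support autoType", surfaces as a JSONException.
     */
    static boolean autoTypeHonored(String json) {
        try {
            return JSON.parse(json) instanceof OrderDto;
        } catch (JSONException e) {
            System.out.println("  rejected: " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) {
        ParserConfig config = ParserConfig.getGlobalInstance();
        System.out.println("fastjson " + JSON.VERSION);

        // 1) Default settings: autoType is off and OrderDto is not whitelisted,
        //    so the "@type" request is refused.
        System.out.println("default:     honored=" + autoTypeHonored(TYPED_PAYLOAD));

        // 2) Whitelist the application class by name prefix. This is the
        //    pre-safeMode way of allowing "@type" for known-good classes.
        config.addAccept("OrderDto");
        System.out.println("whitelisted: honored=" + autoTypeHonored(TYPED_PAYLOAD));

        // 3) safeMode on: "@type" is refused even though the class is on the
        //    accept list. The same switch can be set outside code with the JVM
        //    option -Dfastjson.parser.safeMode=true or a fastjson.properties
        //    file on the classpath containing fastjson.parser.safeMode=true.
        config.setSafeMode(true);
        System.out.println("safeMode:    honored=" + autoTypeHonored(TYPED_PAYLOAD));
    }
}
```

Compile and run with the fastjson jar on the classpath (for example `javac -cp fastjson-1.2.83.jar SafeModeCheck.java && java -cp fastjson-1.2.83.jar:. SafeModeCheck`). The second call succeeds only because the class was explicitly whitelisted; the third is refused regardless of the accept list, which is the behaviour the post describes, and the printed `JSON.VERSION` is a quick way to confirm which release a deployment is actually running.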


olive.zhao
Admin Created Jul 5, 2022 08:11:02

Thanks for sharing!

Saqibaz
Created Jul 5, 2022 08:31:18

Thanks for sharing