Fastjson Deserialization Remote Code Execution Vulnerability

#1
1、Description:

Fastjson is an open-source, high-performance JSON parsing and processing library that is widely used in China. On May 23, Fastjson officially issued a security notice stating that a new deserialization vulnerability had been fixed:

Fastjson defends against deserialization vulnerabilities based on blacklists and whitelists; these defense mechanisms can be bypassed in Fastjson versions 1.2.80 and earlier. Therefore, under the default configuration, when an application or system uses Fastjson to parse JSON strings controllable by users, it may lead to remote code execution.


2、Scope of Impact:

Fastjson versions ≤ 1.2.80.


3、Solutions or Suggestions:

3.1 Upgrade to the latest version, 1.2.83: https://github.com/alibaba/fastjson/releases/tag/1.2.83
This version involves changes in autoType behavior; in some scenarios there will be incompatibilities. In case of problems, you can seek help at https://github.com/alibaba/fastjson/issues.

3.2 safeMode reinforcement
fastjson introduced safeMode in versions 1.2.68 and later. Once safeMode is configured, autoType is not supported regardless of whitelist or blacklist, which can prevent deserialization gadget variant attacks (this closes autoType; be sure to evaluate the impact on the business).

3.2.1 How to enable it
Reference https://github.com/alibaba/fastjson/wiki...n_safemode

3.2.2 Is safeMode still needed after 1.2.83?
1.2.83 has fixed the vulnerability found this time. Enabling safeMode completely closes the autoType function to avoid similar problems from happening again. This may cause compatibility problems; please fully evaluate the impact on the business before enabling it.

3.3 Upgrade to fastjson v2
fastjson v2 address: https://github.com/alibaba/fastjson2/releases

fastjson has open-sourced version 2.0. In version 2.0, whitelists are no longer provided for compatibility, thus improving security. The fastjson v2 code has been rewritten and its performance has been greatly improved. It is not fully compatible with 1.x, so the upgrade requires serious compatibility testing. Problems encountered while upgrading can be reported at https://github.com/alibaba/fastjson2/issues
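An added example (not from the post above or the fastjson project) showing the safeMode hardening from 3.2 as a Java check: it enables safeMode globally, confirms that ordinary typed parsing still works, and confirms that any document carrying an @type key is rejected even when the named class is harmless, which is the guarantee safeMode gives independent of allow/deny lists. The User class is hypothetical and the JSON inputs are constructed.

```java
import com.alibaba.fastjson.JSON;
import com.alibaba.fastjson.JSONException;
import com.alibaba.fastjson.parser.ParserConfig;

public class SafeModeCheck {
    // Hypothetical POJO, used only to show that normal parsing is unaffected.
    public static class User {
        private String name;
        public String getName() { return name; }
        public void setName(String name) { this.name = name; }
    }

    // Enables safeMode for the global parser config (fastjson >= 1.2.68).
    // Equivalent to starting the JVM with -Dfastjson.parser.safeMode=true
    // or putting fastjson.parser.safeMode=true in fastjson.properties.
    public static void enableSafeMode() {
        ParserConfig.getGlobalInstance().setSafeMode(true);
    }

    // Returns true when a document with an @type key is refused by the parser.
    // Constructed input: @type names our own harmless User class, so the check
    // exercises the autoType gate itself and does not depend on any gadget class.
    public static boolean autoTypeIsRejected() {
        String withType = "{\"@type\":\"" + User.class.getName() + "\",\"name\":\"alice\"}";
        try {
            JSON.parseObject(withType);
            return false; // parsed: autoType is still reachable, safeMode is not in effect
        } catch (JSONException e) {
            // fastjson reports "safeMode not support autoType : <class>"
            return e.getMessage() != null && e.getMessage().contains("safeMode");
        }
    }

    // Plain parsing into an explicit target type does not use autoType and keeps working.
    public static boolean plainParseStillWorks() {
        User u = JSON.parseObject("{\"name\":\"alice\"}", User.class);
        return u != null && "alice".equals(u.getName());
    }

    public static void main(String[] args) {
        enableSafeMode();
        System.out.println("plain parse ok: " + plainParseStillWorks());
        System.out.println("@type rejected: " + autoTypeIsRejected());
    }
}
```

Run this once at application startup (or as a unit test) so a deployment that silently loses the safeMode setting is caught before it parses user-controlled input.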


#3
Do you have TG?

#4
(08-11-2022, 11:04 AM)Lyon Wrote: Fastjson poc

https://github.com/YoungBear/FastjsonPoc

My TG: @up55688_fm04


