New gadgets have been disclosed that enable deserialization remote code execution in Fastjson 1.2.80 and earlier. Although autoType is disabled by default, an attacker can bypass that restriction under certain conditions and achieve remote code execution on the target server. The risk is high.
If you use Fastjson, check your systems and apply the security hardening below promptly.
Reference: https://github.com/alibaba/fastjson/wiki/security_update_20220523
Severity: important (scale: low, moderate, important, critical)
Affected versions:
Fastjson <= 1.2.80
Secure versions:
Fastjson 1.2.83
Deployments running an affected version are exposed even with autoType left at its default (disabled) setting, because the new gadgets bypass that restriction. The latest release updates the autoType blacklist to block these gadgets. Upgrade to a secure version as soon as possible.
Download address: https://github.com/alibaba/fastjson/releases/tag/1.2.83
If you cannot upgrade promptly, use one of the workarounds from the official announcement to reduce the risk:
1. Fastjson 1.2.68 introduced the safeMode configuration. Upgrade to at least 1.2.68 and enable safeMode to block this class of attack. (With safeMode on, autoType is disabled entirely, regardless of any whitelist or blacklist configuration; evaluate the impact on workloads that rely on autoType before enabling it.) For how to enable it, see https://github.com/alibaba/fastjson/wiki/fastjson_safemode.
2. Migrate to Fastjson v2. Fastjson 2.0 is open source; it provides no autoType whitelist, which makes it more secure by default, and its code has been rewritten with greatly improved performance. Fastjson v2 is not fully compatible with the 1.x versions, so run compatibility tests before migrating.
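The following is an added example (not code from the Fastjson project or from the official announcement) showing how the "check your system" step and workaround 1 can be combined in application code: it reads the Fastjson 1.x version constant `com.alibaba.fastjson.JSON.VERSION`, enables safeMode through `ParserConfig.getGlobalInstance().setSafeMode(true)` when the version is below 1.2.83, and then shows that a JSON document carrying an `@type` key is rejected with a `JSONException` instead of being resolved to a class. The class name `FastjsonSafeModeGuard`, the helper methods, and the sample payload (which names a placeholder class, not a real gadget) are assumptions of this example. It requires fastjson 1.2.68 or later on the classpath, since `setSafeMode` does not exist before that release.

```java
// Added example, not part of the Fastjson project or the advisory.
// Requires fastjson >= 1.2.68 on the classpath (setSafeMode was introduced there).
import com.alibaba.fastjson.JSON;
import com.alibaba.fastjson.JSONException;
import com.alibaba.fastjson.parser.ParserConfig;

public class FastjsonSafeModeGuard {

    // First release that ships the updated autoType blacklist for this advisory.
    static final String FIXED_VERSION = "1.2.83";

    // Parses one dotted-version component, ignoring any non-numeric suffix (e.g. "83-SNAPSHOT").
    private static int part(String[] parts, int i) {
        if (i >= parts.length) return 0;
        String digits = parts[i].replaceAll("\\D.*$", "");
        return digits.isEmpty() ? 0 : Integer.parseInt(digits);
    }

    /** Compares dotted numeric versions; negative if a < b, zero if equal, positive if a > b. */
    static int compareVersions(String a, String b) {
        String[] pa = a.split("\\."), pb = b.split("\\.");
        int n = Math.max(pa.length, pb.length);
        for (int i = 0; i < n; i++) {
            int x = part(pa, i), y = part(pb, i);
            if (x != y) return Integer.compare(x, y);
        }
        return 0;
    }

    /** True when the given fastjson 1.x version is below the fixed release. */
    static boolean isAffected(String version) {
        return compareVersions(version, FIXED_VERSION) < 0;
    }

    /** Startup check: log the version and, if it is still affected, enable safeMode as a compensating control. */
    static boolean enforce() {
        String v = JSON.VERSION; // public constant in fastjson 1.x
        if (!isAffected(v)) {
            System.out.println("fastjson " + v + " is at or above " + FIXED_VERSION + "; no workaround needed");
            return false;
        }
        System.err.println("fastjson " + v + " is below " + FIXED_VERSION + "; enabling safeMode");
        // Disables autoType completely, regardless of whitelist/blacklist configuration.
        ParserConfig.getGlobalInstance().setSafeMode(true);
        return true;
    }

    public static void main(String[] args) {
        enforce();

        // Constructed sample input: an "@type" key is how a JSON document asks fastjson to
        // instantiate a class. "com.example.Anything" is a placeholder, not a real gadget.
        String payload = "{\"@type\":\"com.example.Anything\",\"val\":\"x\"}";
        try {
            Object parsed = JSON.parse(payload);
            System.out.println("parsed as " + parsed.getClass().getName());
        } catch (JSONException e) {
            // With safeMode on, checkAutoType throws before any class lookup takes place.
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Enabling safeMode in code is only one of the options the wiki lists; the same effect can be obtained without a code change by starting the JVM with `-Dfastjson.parser.safeMode=true`, or by placing a `fastjson.properties` file on the classpath containing `fastjson.parser.safeMode=true`. Whichever mechanism is used, the startup version check above is worth keeping so that the compensating control is removed deliberately, not forgotten, once the upgrade to 1.2.83 lands.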