On March 15, 2017, Fastjson officially released a security bulletin. The bulletin states that fastjson 1.2.24 and earlier versions contain a code execution vulnerability: a malicious attacker can use it to perform remote code execution and thereby further compromise the server. An official fix has been released; the latest version resolves the vulnerability.
The specific vulnerability details are as follows:
Vulnerability number:
None
Vulnerability name:
Fastjson remote code execution vulnerability
Official rating:
high risk
Vulnerability description:
Fastjson 1.2.24 and earlier contain a code execution vulnerability. When a user submits carefully constructed malicious serialized data to the server, a flaw in fastjson's deserialization handling can lead to remote arbitrary code execution.
Vulnerability exploitation conditions and methods:
An attacker can exploit the vulnerability remotely to achieve code execution.
Vulnerability scope:
1.2.24 and earlier
Vulnerability detection confirmation:
Check whether the fastjson version in use is 1.2.24 or earlier:
lsof | grep fastjson
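As an added example (not part of the bulletin), the following shell script extends the lsof check above: it extracts the version from Maven-style fastjson-<version>.jar paths and flags any at 1.2.24 or earlier, comparing version fields numerically so that 1.2.9 is correctly ranked below 1.2.24. The jar naming convention is an assumption; the 1.2.24 and 1.2.28 figures come from the bulletin.

```shell
#!/usr/bin/env bash
# Added example, not from the bulletin: flag fastjson jars at 1.2.24 or earlier.
# Assumes Maven-style jar names (fastjson-<version>.jar); the 1.2.24 and 1.2.28
# figures come from the bulletin.
set -u
LAST_VULNERABLE="1.2.24"   # bulletin: 1.2.24 and earlier are affected
FIXED_VERSION="1.2.28"     # bulletin: upgrade to 1.2.28 or later
# Compare two dotted versions field by field as integers; prints -1, 0 or 1.
# A plain string compare would wrongly rank 1.2.9 above 1.2.24.
version_cmp() {
    local a="$1" b="$2" x y
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        if [ "$a" = "$x" ]; then a=""; else a=${a#*.}; fi
        if [ "$b" = "$y" ]; then b=""; else b=${b#*.}; fi
        x=$(printf '%s' "$x" | tr -cd '0-9'); y=$(printf '%s' "$y" | tr -cd '0-9')
        if [ "${x:-0}" -lt "${y:-0}" ]; then printf '%s\n' -1; return 0; fi
        if [ "${x:-0}" -gt "${y:-0}" ]; then printf '%s\n' 1; return 0; fi
    done
    printf '%s\n' 0
}
# Extract the version from a jar path: /opt/app/lib/fastjson-1.2.24.jar -> 1.2.24
fastjson_version_from_path() {
    local base
    base=$(basename "$1")
    case "$base" in
        fastjson-*.jar) base=${base#fastjson-}; printf '%s\n' "${base%.jar}" ;;
        *) return 1 ;;
    esac
}
# Exit 0 when the version is in the affected range (1.2.24 or earlier).
fastjson_vulnerable() {
    [ "$(version_cmp "$1" "$LAST_VULNERABLE")" -le 0 ]
}
# Report each fastjson jar path given; exit 1 if any is in the affected range.
scan_fastjson_jars() {
    local status=0 jar ver
    for jar in "$@"; do
        ver=$(fastjson_version_from_path "$jar") || continue
        if fastjson_vulnerable "$ver"; then
            printf 'VULNERABLE %s (fastjson %s, upgrade to >= %s)\n' "$jar" "$ver" "$FIXED_VERSION"
            status=1
        else
            printf 'ok         %s (fastjson %s)\n' "$jar" "$ver"
        fi
    done
    return "$status"
}
```

On a live host, feed it the jar paths from the lsof check together with a filesystem search, for example `scan_fastjson_jars $(find / -name 'fastjson-*.jar' 2>/dev/null)`, so that installed but not currently loaded copies are covered too. A fastjson copy shaded into another archive or renamed will not be found by filename alone, so inspect the Maven coordinates under META-INF in such archives as well.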
Vulnerability fix suggestions (or mitigations):
The latest version has been officially released and fixes the vulnerability.
Alibaba Cloud recommends that users upgrade fastjson to version 1.2.28 or later by one of the following two methods:
- 1. Maven dependency configuration update
Update the dependency in your Maven configuration to the latest version, as follows:
<dependency>
    <groupId>com.alibaba</groupId>
    <artifactId>fastjson</artifactId>
    <version>1.2.28</version>
</dependency>
- 2. Download the latest version
Download address: http://repo1.maven.org/maven2/com/alibaba/fastjson/1.2.28/
- 3. Cloud Shield WAF protection
If you cannot upgrade fastjson in time, you can use Alibaba Cloud Shield WAF automatic protection as a mitigation.
Intelligence source: