It is recommended to upgrade com.alibaba:fastjson to 1.2.83

Problem

  • After upgrading Gradle and changing the file storage location, the project needed to rebuild and download its dependencies, and fastjson 1.2.66 could not be downloaded.
  • It stayed stuck on the download, so I thought about downloading it manually and went to the mvnrepository website.
  • When I looked up fastjson, I found fastjson2 as well.

Note: This artifact was moved to: com.alibaba.fastjson2 » fastjson2

  • The latest fastjson version provided by mvnrepository is 2.0.24, and after looking through the list, the lowest usable version is 1.2.83.
  • The lower versions all carry known vulnerabilities that could be exploited to tamper with the program or its data; the details page of each version lists them.
  • One of them, CVE-2022-25845, is reproduced here. Its description translates as: the package com.alibaba:fastjson before 1.2.83 is vulnerable to deserialization of untrusted data by bypassing the default autoType shutdown restrictions, which is possible under certain conditions. This vulnerability can be used to attack remote servers. Workaround: if you cannot upgrade, you can enable safeMode.

Solution

  • Many projects have been around for a long time, and some of the jar packages they depend on may be at very old versions that carry publicly disclosed vulnerabilities.
  • If the program is deployed on the Internet, or has relatively high security requirements, it is recommended to track the version history of its main jar packages and proactively move to newer stable versions.
  • This time, every use of com.alibaba:fastjson in the project is upgraded to 1.2.83.
  • In addition, on servers with a large memory configuration and a recent JDK release, com.alibaba.fastjson2 » fastjson2 is also a good choice. According to the official documentation its performance is greatly improved; once it is more stable it can be considered for production projects.
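As an added example that is not part of the original post, here is a build.gradle (Groovy DSL) fragment that applies both measures discussed above: it pins com.alibaba:fastjson to 1.2.83 for every configuration, so transitive dependencies that still request 1.2.66 or older are resolved to the fixed release too, enables the safeMode workaround named in the CVE text for the JVMs Gradle forks, and adds a check task that fails the build if an older fastjson ever comes back. The plugin, repository and dependency lines are assumptions standing in for the project's own declarations.

```groovy
// Added example, not code from the original post: build.gradle (Groovy DSL) fragment
// that upgrades fastjson project-wide and enables the safeMode workaround.
// The plugin, repository and dependency lines are assumptions standing in for the
// project's own.
plugins {
    id 'java'
}

repositories {
    mavenCentral()
}

dependencies {
    // The project's own direct dependency, raised to the fixed release.
    implementation 'com.alibaba:fastjson:1.2.83'
}

// Force the resolved version in every configuration, so a transitive dependency
// that still requests 1.2.66 or older is also resolved to 1.2.83.
configurations.all {
    resolutionStrategy {
        force 'com.alibaba:fastjson:1.2.83'
    }
}

// Workaround from the CVE text, applied on top of the upgrade: fastjson reads
// -Dfastjson.parser.safeMode=true and then disables autoType entirely.
// This covers every JVM Gradle forks for this project (tests and `gradle run`);
// the production launch command needs the same -D flag, which Gradle cannot set.
tasks.withType(Test).configureEach {
    systemProperty 'fastjson.parser.safeMode', 'true'
}
tasks.withType(JavaExec).configureEach {
    systemProperty 'fastjson.parser.safeMode', 'true'
}

// Guard: fail `gradle check` if anything on the runtime classpath still resolves
// to a fastjson older than 1.2.83, so a later dependency change cannot reintroduce it.
def minFastjson = [1, 2, 83]

// Compares dotted versions segment by segment; a segment's leading digits are used,
// so "83-SNAPSHOT" counts as 83 and a non-numeric segment counts as 0.
def olderThan = { String version, List<Integer> minimum ->
    def parts = version.tokenize('.').collect { seg ->
        def m = seg =~ /^\d+/
        m ? m[0].toInteger() : 0
    }
    for (int i = 0; i < minimum.size(); i++) {
        int have = i < parts.size() ? parts[i] : 0
        if (have != minimum[i]) {
            return have < minimum[i]
        }
    }
    return false
}

tasks.register('checkFastjsonVersion') {
    description = 'Fails if any resolved com.alibaba:fastjson is older than 1.2.83'
    doLast {
        def bad = configurations.runtimeClasspath.resolvedConfiguration.resolvedArtifacts
            .collect { it.moduleVersion.id }
            .findAll { it.group == 'com.alibaba' && it.name == 'fastjson' && olderThan(it.version, minFastjson) }
        if (bad) {
            throw new GradleException("Vulnerable fastjson on runtime classpath: ${bad*.version}")
        }
    }
}
tasks.named('check') { dependsOn 'checkFastjsonVersion' }
```

To confirm the pin took effect, run `./gradlew dependencies --configuration runtimeClasspath | grep fastjson`: every path that used to request an older version is shown with `-> 1.2.83` next to it. One caveat on the workaround: safeMode turns autoType off completely, so code that relies on the `@type` field for polymorphic deserialization stops working; treat it as the fallback the CVE text describes, not as a substitute for the upgrade.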


Source: blog.csdn.net/u010882234/article/details/129212491