fastjson <= 1.2.80 Deserialization Arbitrary Code Execution Vulnerability

0x01 Vulnerability Introduction

On May 24, 2022, Alibaba Cloud officially issued the following notice:

fastjson uses blacklists and whitelists to defend against deserialization vulnerabilities. Research has shown that, under certain conditions, this vulnerability bypasses the default restriction that autoType is turned off and can be used against a remote server, so its impact is greater than earlier variants. fastjson users are advised to take security measures as soon as possible to ensure system security.
Affects versions ≤ 1.2.80 when specific dependencies are present.

0x02 Scope of Impact

All versions ≤ 1.2.80 are affected when specific dependencies are present.

0x03 Mitigation Measures

1. Upgrade to the latest version, 1.2.83 (https://github.com/alibaba/fastjson/releases/tag/1.2.83). This version changes autoType behavior, so incompatibilities may appear in some scenarios; if you run into problems, ask for help at https://github.com/alibaba/fastjson/issues.
2. fastjson introduced safeMode in version 1.2.68. With safeMode configured, autoType is not supported at all, regardless of whitelist or blacklist, which blocks deserialization gadget variant attacks (this turns autoType off; assess the impact on your business). For how to enable it, see https://github.com/alibaba/fastjson/wiki/fastjson_safemode. 1.2.83 fixes the vulnerability found this time; enabling safeMode completely disables the autoType function and prevents similar problems from recurring, but it may cause compatibility issues, so fully evaluate the impact on your business before enabling it.
3. Alternatively, upgrade to fastjson v2; see https://github.com/alibaba/fastjson2/releases.
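The following is an added Java example, not code from the original post or from the fastjson project, showing what enabling safeMode (measure 2 above) does at runtime: any input carrying an "@type" key is rejected before any class lookup, while ordinary JSON still parses. It assumes fastjson 1.2.68 or later (ideally the fixed 1.2.83) on the classpath; the class name SafeModeDemo, the helper tryParse and the two sample JSON inputs are constructed for this illustration.

```java
import com.alibaba.fastjson.JSON;
import com.alibaba.fastjson.JSONException;
import com.alibaba.fastjson.parser.ParserConfig;

/**
 * Illustrates fastjson safeMode (available since 1.2.68). Once enabled, the
 * parser throws on every "@type" key regardless of whitelist or blacklist,
 * so the autoType code path is never reached; inputs without "@type" are
 * unaffected.
 */
public class SafeModeDemo {

    /** Returns true if fastjson parsed the input, false if it rejected it. */
    static boolean tryParse(String json) {
        try {
            Object value = JSON.parse(json);
            System.out.println("accepted: " + value);
            return true;
        } catch (JSONException e) {
            System.out.println("rejected: " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) {
        // Enable safeMode programmatically. The fastjson wiki documents two
        // equivalent, code-free alternatives: the JVM flag
        //   -Dfastjson.parser.safeMode=true
        // or the line
        //   fastjson.parser.safeMode=true
        // in a fastjson.properties file on the classpath.
        ParserConfig.getGlobalInstance().setSafeMode(true);

        // Constructed sample inputs for this example.
        String plain = "{\"name\":\"order-1\",\"qty\":2}";
        // A harmless JDK type is used here only to show that safeMode rejects
        // the "@type" key itself, not any particular class.
        String typed = "{\"@type\":\"java.util.HashMap\",\"name\":\"order-1\"}";

        tryParse(plain);
        tryParse(typed);
    }
}
```

Running it once with the setSafeMode line removed and once with it present shows the compatibility cost the advisory warns about: any code that legitimately relies on "@type" (for example, polymorphic fields written with SerializerFeature.WriteClassName) stops parsing under safeMode, so the business-impact evaluation it recommends amounts to locating those call sites first.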

Reference links: Alibaba Cloud Vulnerability Library

security_update_20220523 · alibaba/fastjson Wiki · GitHub

Source: blog.csdn.net/qq_18209847/article/details/124952791