On June 22, 2019, Alibaba Cloud Security emergency response center discovered a zero-day remote code execution (RCE) vulnerability in Fastjson. Attackers can exploit the vulnerability and bypass blacklist policies to execute malicious code.

Vulnerability name

Fastjson zero-day RCE vulnerability

Vulnerability description

Attackers can exploit the zero-day vulnerability to craft a request that bypasses Fastjson blacklist policies and executes malicious code. For example, an attacker can craft a request that remotely executes a specified command on the server. In the example shown, the command launches a calculator program on the server.

Affected versions

Fastjson versions earlier than 1.2.48

Solution

Upgrade Fastjson to the latest version. We recommend that you upgrade Fastjson to 1.2.58.
Note: We recommend that you also upgrade Fastjson installations whose versions fall outside the affected range.

Upgrade method

You can update Maven dependency configurations to upgrade Fastjson to 1.2.58.
<dependency>
 <groupId>com.alibaba</groupId>
 <artifactId>fastjson</artifactId>
 <version>1.2.58</version>
</dependency>
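As an added check that is not part of this advisory, the following script scans the output of `mvn dependency:tree` for Fastjson artifacts older than 1.2.48, comparing versions numerically so that, for example, 1.2.5 is correctly reported as older than 1.2.48. The sample output is constructed, and the default `group:artifact:type:version:scope` line format is assumed.

```python
import re

# From the advisory: versions earlier than 1.2.48 are affected; 1.2.58 is the recommended upgrade.
FIXED_VERSION = (1, 2, 48)
RECOMMENDED = "1.2.58"

# Matches `mvn dependency:tree` lines such as
#   [INFO] +- com.alibaba:fastjson:jar:1.2.47:compile
# (assumes the default group:artifact:type:version:scope layout, no classifier)
DEP_RE = re.compile(r"com\.alibaba:fastjson:(?:[\w-]+):([\w.\-]+):(\w+)")


def parse_version(text):
    """Turn '1.2.47' (or '1.2.47.sec06') into a tuple of ints for numeric comparison."""
    nums = []
    for part in text.split("."):
        m = re.match(r"\d+", part)
        if not m:
            break  # stop at the first non-numeric qualifier
        nums.append(int(m.group()))
    return tuple(nums)


def is_affected(version):
    """True when the version is numerically earlier than 1.2.48."""
    return parse_version(version) < FIXED_VERSION


def scan_dependency_tree(output):
    """Return (version, scope) pairs for every affected fastjson artifact in the tree output."""
    findings = []
    for line in output.splitlines():
        m = DEP_RE.search(line)
        if m and is_affected(m.group(1)):
            findings.append((m.group(1), m.group(2)))
    return findings


# Constructed sample output; not taken from a real build.
SAMPLE_TREE = """\
[INFO] --- maven-dependency-plugin:3.1.1:tree (default-cli) @ demo ---
[INFO] com.example:demo:jar:1.0
[INFO] +- com.alibaba:fastjson:jar:1.2.47:compile
[INFO] +- org.springframework:spring-web:jar:5.1.8.RELEASE:compile
[INFO] \\- com.alibaba:fastjson:jar:1.2.58:test
"""

if __name__ == "__main__":
    for version, scope in scan_dependency_tree(SAMPLE_TREE):
        print(f"affected fastjson {version} ({scope}); upgrade to {RECOMMENDED}")
```

Run it against real output with `mvn dependency:tree | python scan.py` after replacing `SAMPLE_TREE` with `sys.stdin.read()`.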

Protection recommendations

By default, WAF protects against the zero-day vulnerability in Fastjson. You only need to enable the protection function.

Note: If you use custom protection rules, you must add the following rule to a custom rule group. For more information, see Customize protection rule groups.