On June 22, 2019, Alibaba Cloud Security emergency response center discovered a zero-day remote code execution (RCE) vulnerability in Fastjson. Attackers can exploit the vulnerability and bypass blacklist policies to execute malicious code.
Vulnerability: Fastjson zero-day RCE vulnerability
Affected versions: Fastjson versions earlier than 1.2.48
Solution: Upgrade Fastjson to the latest version. We recommend that you upgrade Fastjson to 1.2.58.
    <dependency>
        <groupId>com.alibaba</groupId>
        <artifactId>fastjson</artifactId>
        <version>1.2.58</version>
    </dependency>
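To confirm that a build really pins a fixed version, the following added script (not part of this advisory, of Alibaba Cloud WAF or of Fastjson) scans a Maven pom.xml and reports every com.alibaba:fastjson dependency as affected when it is earlier than 1.2.48, or as below the recommended version when it is earlier than 1.2.58; it also resolves versions declared through a Maven property. The sample pom.xml and the property name fastjson.version are constructed for the example.

```python
import re
import xml.etree.ElementTree as ET

FIXED = (1, 2, 48)        # versions earlier than this are affected
RECOMMENDED = (1, 2, 58)  # version the advisory recommends upgrading to

def parse_version(text):
    """'1.2.47' -> (1, 2, 47); only leading numeric dotted parts are compared."""
    parts = []
    for piece in text.strip().split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)

def check_pom(pom_xml):
    """Return (version, status) per com.alibaba:fastjson dependency; status is
    'vulnerable' (< 1.2.48), 'below-recommended' (< 1.2.58), 'ok' or 'unknown'."""
    # Drop the default POM namespace so element tags can be matched by name.
    root = ET.fromstring(re.sub(r'\sxmlns="[^"]*"', "", pom_xml))
    props = {p.tag: (p.text or "").strip() for n in root.iter("properties") for p in n}
    findings = []
    for dep in root.iter("dependency"):
        f = {c.tag: (c.text or "").strip() for c in dep}
        if (f.get("groupId"), f.get("artifactId")) != ("com.alibaba", "fastjson"):
            continue
        # Resolve ${property} references declared in <properties>; unresolved ones stay as-is.
        version = re.sub(r"\$\{([^}]+)\}", lambda m: props.get(m.group(1), m.group(0)), f.get("version", ""))
        v = parse_version(version)
        if not v:
            status = "unknown"
        elif v < FIXED:
            status = "vulnerable"
        elif v < RECOMMENDED:
            status = "below-recommended"
        else:
            status = "ok"
        findings.append((version, status))
    return findings

# Constructed sample pom.xml: pins Fastjson through a property, as many projects do.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties><fastjson.version>1.2.47</fastjson.version></properties>
  <dependencies><dependency><groupId>com.alibaba</groupId>
    <artifactId>fastjson</artifactId><version>${fastjson.version}</version>
  </dependency></dependencies></project>"""
```

Running check_pom on the sample reports version 1.2.47 as vulnerable; the same check against a dependency tree export catches transitive copies of Fastjson that a pom.xml alone does not show.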
By default, WAF protects against the zero-day vulnerability in Fastjson. You only need to enable the protection function.