Fastjson was reported to contain a remote code execution vulnerability: deserialization of attacker-chosen classes can be triggered even though the autoType switch is disabled. Attackers can exploit this vulnerability to execute arbitrary code on targeted servers. To fix this vulnerability, upgrade the Java programs or components that use Fastjson dependencies on your Enterprise Distributed Application Service (EDAS) hosts. EDAS hosts refer to Elastic Compute Service (ECS) instances that are added to EDAS.

Vulnerability description

Fastjson uses blacklists and whitelists to defend against attacks that exploit deserialization vulnerabilities. However, attackers can use the deserialization of other gadget classes to bypass the blacklists and whitelists while autoType is disabled, and thereby trigger remote code execution that bypasses the autoType switch. This poses high risks. Fastjson users must fix this vulnerability at the earliest opportunity.

Affected versions

fastjson <=1.2.68

or

Fastjson sec9 and earlier

Unaffected versions

fastjson >=1.2.69

or

Fastjson sec10 and later

Suggestions

If you upgrade Fastjson to 1.2.69 from an earlier version, compatibility issues may occur. We recommend that you upgrade to a sec10 bugfix version or a version that has autoType disabled.

Impacts on EDAS users

Programs and components that use Fastjson on EDAS hosts:

  • EDAS agent. The EDAS agent is installed on all ECS instances that are added to ECS clusters. The EDAS agent is a Java program. The EDAS agent is also installed in Kubernetes clusters. However, the edas-agent that runs in edas-agent containers is not a Java program. Therefore, you need to upgrade only the EDAS agent on ECS instances in ECS clusters. You can leave the EDAS agent that runs in Kubernetes clusters as it is.
  • Pandora. If you choose EDAS Container as the application runtime when you create an application, Pandora is installed for the application.
  • ARMS agent. The ARMS agent is installed for the following applications: applications that use the EDAS Container runtime and have advanced monitoring enabled, applications that use Apache Tomcat and the standard Java runtime, and applications that are deployed in Kubernetes clusters.
  • Fastjson packages that are included in your application package.

Fixes

  • For applications that use the EDAS-Container runtime, use the following methods to patch the Fastjson package of the Pandora plug-in:

    The versions of Pandora and Ali-Tomcat are displayed in the Application Runtime Environment section of the application details page of the ECS cluster. You can click Upgrade/Downgrade Runtime Environment in the upper-right corner of the application details page to upgrade Pandora to 3.6.0. If you want to upgrade Pandora for applications in batches, you must first create one or more application groups in addition to the default application group. For more information about how to upgrade Pandora for applications in batches, see Upgrade or downgrade the application runtime environment. You can perform this task during off-peak hours or choose a proper time. If your applications cannot be launched due to upgrade failures, we recommend that you upgrade Pandora in the staging environment before you switch to the production environment.

    For applications that are deployed in Kubernetes clusters, redeploy the applications and select Pandora 3.6.0.

    Notice: Do not upgrade Pandora during peak hours. If the current Pandora version is 3.3.x or earlier, upgrade Pandora in the staging environment before you switch to the production environment. Otherwise, if the upgrade fails, this may result in failures to launch the applications. In addition, you cannot roll back the upgrade. If this issue occurs, join DingTalk group 23336518 or scan the following QR code, and provide your application ID to request technical support.

    [QR code image]

    For an application that uses the EDAS-Container runtime, upgrade Pandora in EDAS-Container to 3.6.0. Then, the EDAS agent and ARMS agent on the ECS instances where the application is deployed are automatically upgraded. You do not need to manually perform the tasks described below.

  • For applications that are deployed in ECS clusters and use the standard Java runtime or Apache Tomcat runtime:

    You only need to redeploy the applications. Then, the EDAS agent and ARMS agent on the ECS instances are automatically upgraded.

  • For a Fastjson package that is included in your application package and the Fastjson version is affected:

    Manually upgrade the Fastjson package to 1.2.69 or a sec10 version. Then, test, verify, and release your application again. You can also contact the software developer to upgrade the Fastjson package for you.
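Before you can upgrade a Fastjson package that is bundled in your application, you have to find it and decide whether its version falls in the affected range stated under "Affected versions" and "Unaffected versions". The following script is an added example for that inventory step; it is not part of this advisory and not EDAS tooling. It encodes the thresholds from this page (fastjson <=1.2.68 affected, >=1.2.69 not affected; sec9 and earlier affected, sec10 and later not affected) and scans a constructed list of library paths for `fastjson-<version>.jar` file names. The `.secNN` suffix layout for sec builds is an assumption made for parsing; adjust the regular expression if your artifacts are named differently.

```python
import re
from pathlib import PurePath

# Thresholds taken from the advisory text.
LAST_AFFECTED_RELEASE = (1, 2, 68)   # fastjson <= 1.2.68 is affected
LAST_AFFECTED_SEC = 9                # sec9 and earlier is affected

# Assumed version layouts: "1.2.68" or "1.2.62.sec10" (leading zeros in the
# sec number, e.g. "sec09", are tolerated).
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:[._-]sec0*(\d+))?", re.IGNORECASE)

# Assumed jar naming convention used by the scanner: fastjson-<version>.jar
_JAR_RE = re.compile(r"^fastjson-(.+)\.jar$", re.IGNORECASE)


def parse_version(text):
    """Split a Fastjson version string into (release tuple, sec number or None)."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Fastjson version: {text!r}")
    release = tuple(int(x) for x in m.group(1, 2, 3))
    sec = int(m.group(4)) if m.group(4) else None
    return release, sec


def is_affected(version):
    """True if the version is in the affected range from the advisory."""
    release, sec = parse_version(version)
    if sec is not None:
        # sec builds are judged by their sec number, as the advisory does.
        return sec <= LAST_AFFECTED_SEC
    return release <= LAST_AFFECTED_RELEASE


def version_from_jar(path):
    """Return the version embedded in a fastjson jar file name, or None."""
    m = _JAR_RE.match(PurePath(path).name)
    return m.group(1) if m else None


def scan(paths):
    """Return (path, version, affected) for every fastjson jar in `paths`.

    `affected` is None when the version string could not be parsed, so that
    such entries are surfaced for manual review instead of silently skipped.
    """
    findings = []
    for p in paths:
        version = version_from_jar(p)
        if version is None:
            continue
        try:
            affected = is_affected(version)
        except ValueError:
            affected = None
        findings.append((p, version, affected))
    return findings


# Constructed sample of library paths, as they might appear inside an
# application package; these are not real deployments.
SAMPLE_PATHS = [
    "app/WEB-INF/lib/fastjson-1.2.68.jar",
    "app/WEB-INF/lib/fastjson-1.2.69.jar",
    "app/WEB-INF/lib/fastjson-1.2.62.sec09.jar",
    "app/WEB-INF/lib/fastjson-1.2.62.sec10.jar",
    "app/WEB-INF/lib/gson-2.8.6.jar",
    "app/WEB-INF/lib/fastjson-custom.jar",
]


def report(paths=SAMPLE_PATHS):
    """Return the list of paths whose Fastjson version needs an upgrade."""
    needs_upgrade = []
    for path, version, affected in scan(paths):
        state = {True: "AFFECTED - upgrade", False: "ok", None: "unknown - review"}[affected]
        print(f"{path}: fastjson {version}: {state}")
        if affected:
            needs_upgrade.append(path)
    return needs_upgrade


if __name__ == "__main__":
    report()
```

Run the script against a listing of the jars in your application package (for example the output of `find` over the unpacked archive) and upgrade every entry reported as affected to 1.2.69 or a sec10 version, then test and release the application again as described above.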