On July 23, 2019, Alibaba Cloud Security emergency response center discovered a zero-day remote code execution (RCE) vulnerability in Fastjson. Attackers can exploit the vulnerability and bypass blacklist policies to execute malicious code.
Fastjson zero-day RCE vulnerability
Attackers can exploit the zero-day vulnerability to craft a request that bypasses the Fastjson blacklist policies and executes malicious code. For example, an attacker can craft a request that remotely executes a specified command on the server. In the example, the injected command launches a calculator program on the server.
Affected versions
- Fastjson 1.2.24 and earlier
- Fastjson 1.2.41 to 1.2.45
Solution
Upgrade Fastjson to the latest version. We recommend that you upgrade Fastjson to 1.2.58.
    <dependency>
        <groupId>com.alibaba</groupId>
        <artifactId>fastjson</artifactId>
        <version>1.2.58</version>
    </dependency>
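As an added check that is not part of the original advisory, the following Python script scans `mvn dependency:tree` output for the fastjson artifact and flags any version that falls in the affected ranges listed above, or that is below the recommended 1.2.58. The tree output it runs on is a constructed sample.

```python
import re

# Affected ranges exactly as listed in the advisory (inclusive bounds).
AFFECTED_RANGES = [((0, 0, 0), (1, 2, 24)), ((1, 2, 41), (1, 2, 45))]
RECOMMENDED = (1, 2, 58)

# Matches a Maven coordinate as printed by `mvn dependency:tree`,
# e.g. "com.alibaba:fastjson:jar:1.2.45:compile". The optional group skips
# the packaging ("jar:"); fastjson2 uses a different artifact id and is ignored.
COORD_RE = re.compile(r"com\.alibaba:fastjson:(?:[\w-]+:)?(\d+(?:\.\d+)*)")

# Constructed sample output, including a vulnerable transitive dependency.
SAMPLE_TREE = r"""
[INFO] com.example:demo-app:jar:1.0-SNAPSHOT
[INFO] +- com.alibaba:fastjson:jar:1.2.45:compile
[INFO] +- org.slf4j:slf4j-api:jar:1.7.30:compile
[INFO] \- com.example:legacy-lib:jar:2.3:compile
[INFO]    \- com.alibaba:fastjson:jar:1.2.24:compile
"""

def parse_version(text):
    """Turn "1.2.45" into (1, 2, 45) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))

def is_affected(version):
    """True if the version lies in one of the advisory's affected ranges."""
    v = parse_version(version)
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)

def scan_dependency_tree(tree_output):
    """Return {version: verdict} for every fastjson artifact found in the tree output.

    Verdicts: AFFECTED (in an advisory range), BELOW_RECOMMENDED (outside the
    ranges but older than 1.2.58), OK (1.2.58 or newer, as far as this advisory goes).
    """
    findings = {}
    for match in COORD_RE.finditer(tree_output):
        version = match.group(1)
        if is_affected(version):
            findings[version] = "AFFECTED"
        elif parse_version(version) < RECOMMENDED:
            findings[version] = "BELOW_RECOMMENDED"
        else:
            findings[version] = "OK"
    return findings

if __name__ == "__main__":
    for version, verdict in scan_dependency_tree(SAMPLE_TREE).items():
        print(f"fastjson {version}: {verdict}")
```

Run it against real output with `mvn dependency:tree | python3 check_fastjson.py` after replacing `SAMPLE_TREE` with `sys.stdin.read()`; transitive copies pulled in by other libraries are reported too, which a pom.xml-only check would miss.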
By default, WAF protects against the zero-day vulnerability in Fastjson. You only need to enable the protection function.