A remote code execution (RCE) vulnerability has been identified in Fastjson that bypasses the autoType switch to deserialize arbitrary classes, allowing attackers to execute arbitrary code on affected servers. If you run Java applications on Enterprise Distributed Application Service (EDAS) hosts, you must update the affected programs and components described in this advisory.
This is a high-risk vulnerability. All EDAS users who run affected Fastjson versions should apply the fixes described below at the earliest opportunity.
EDAS hosts are Elastic Compute Service (ECS) instances that have been added to EDAS.
Vulnerability details
Fastjson defends against deserialization attacks by checking class names against a blacklist and a whitelist. However, certain gadget classes are still deserialized even when autoType is disabled, so an attacker who controls the JSON input can use them to bypass the blacklist and whitelist checks and achieve remote code execution.
Affected versions: Fastjson 1.2.80 and earlier, or Fastjson sec9 and earlier
Unaffected versions: Versions later than Fastjson 1.2.80, or Fastjson sec10 and later
Upgrade path: Upgrading Fastjson from a version earlier than 1.2.80 directly to a later version may cause compatibility issues. To minimize risk, use one of the following approaches:
Update to a sec10 bugfix version.
Update to a version that has autoType disabled.
Affected components
The following table shows which EDAS components use Fastjson and whether they require action by deployment type.
| Component | ECS Cluster | Kubernetes Cluster | Action Required |
|---|---|---|---|
| EDAS Agent | Affected (Java program) | Not affected (not a Java program in containers) | Update on ECS clusters only |
| Pandora | Affected (when EDAS Container runtime is used) | Affected (when EDAS Container runtime is used) | Update to Pandora 3.6.3 |
| ARMS Agent | Affected | Affected | Auto-updated on ECS instances when Pandora or runtime is updated |
| Your application's Fastjson | Affected | Affected | Manual update required |
EDAS Agent -- The EDAS Agent is installed on all ECS instances that are added to ECS clusters. It is a Java program and uses Fastjson. The EDAS Agent is also installed in Kubernetes clusters. However, the edas-agent process that runs in edas-agent containers is not a Java program. Therefore, you only need to update the EDAS Agent on ECS instances in ECS clusters. You can leave the EDAS Agent in Kubernetes clusters as-is.
Pandora -- If you selected EDAS Container as the application runtime when creating your application, Pandora is installed for the application. Pandora includes a Fastjson dependency that must be updated.
Application Real-Time Monitoring Service (ARMS) Agent -- The ARMS Agent is installed for the following types of applications:
Applications that use the EDAS Container runtime and have advanced monitoring enabled
Applications that use Apache Tomcat and the standard Java runtime
Applications that are deployed in Kubernetes clusters
Fastjson in your application package -- Your application package may include its own Fastjson dependency, which must be updated separately from EDAS platform components.
How to fix
Choose the fix that matches your deployment scenario. If multiple scenarios apply to your environment, complete each applicable fix.
Fix 1: Update Pandora (EDAS Container runtime)
If your application uses the EDAS Container runtime, update Pandora to version 3.6.3. This also automatically updates the EDAS Agent and ARMS Agent on the ECS instances where the application is deployed. No separate manual update is needed for those agents.
Do not update Pandora during peak hours. Perform updates during off-peak hours.
If your current Pandora version is 3.3.x or earlier, you must update Pandora in a test environment before switching to the production environment. If the update fails, you may be unable to start the application and cannot roll back the update.
If you encounter issues after updating, join DingTalk group 23336518 and provide your application ID for technical support.
ECS clusters:
Open the application details page of the ECS cluster.
In the Application Runtime Environment section, check the current versions of Pandora and Ali-Tomcat.
Click Upgrade/Downgrade Runtime Environment in the upper-right corner of the application details page.
Update Pandora to 3.6.3.
To update Pandora for multiple applications at once, first create one or more application groups in addition to the default application group. For detailed instructions, see Upgrade or downgrade the runtime environment.
Kubernetes clusters:
Redeploy your applications and select Pandora 3.6.3 during redeployment.
Fix 2: Redeploy (standard Java or Apache Tomcat runtime on ECS clusters)
If your application is deployed in an ECS cluster and uses the standard Java runtime or Apache Tomcat runtime, redeploy the application. When you redeploy, the EDAS Agent and ARMS Agent on the ECS instances are automatically updated. No additional manual steps are required.
Fix 3: Update Fastjson in your application package
If your application package includes a Fastjson dependency and the version is within the affected range (1.2.80 or earlier, or sec9 or earlier):
Update the Fastjson package to a version later than 1.2.80, or to a sec10 or later version.
Test and verify your application thoroughly.
Release the updated application.
Alternatively, contact your software developer to update the Fastjson package on your behalf.
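Before applying Fix 3, it helps to know which Fastjson jars an application package actually ships and whether each one falls inside the affected range. The shell script below is an added example, not EDAS tooling and not part of the original advisory. It assumes that jars are named `fastjson-<version>.jar` and that sec builds carry a `secN` token somewhere in the version string (for example `1.2.62.sec10`); both are naming assumptions, not something the advisory states. The `WEB-INF/lib` layout and the file names in the demo directory are constructed sample input.

```shell
#!/bin/sh
# Added example (not EDAS tooling): classify Fastjson jar versions against the
# advisory's affected range (1.2.80 and earlier, or sec9 and earlier) and scan
# an unpacked application for them.
# Assumptions: jars are named fastjson-<version>.jar, and "sec" builds carry a
# "secN" token in the version (e.g. 1.2.62.sec10). Both are naming assumptions.

# fastjson_status NAME_OR_VERSION -> prints "affected" or "unaffected"
# Accepts a bare version, a jar file name, or a full path to the jar.
fastjson_status() {
  v=${1##*/}; v=${v#fastjson-}; v=${v%.jar}
  case "$v" in
    *sec*)
      n=${v##*sec}; n=${n%%[!0-9]*}         # digits immediately after "sec"
      if [ -n "$n" ] && [ "$n" -ge 10 ]; then echo unaffected; else echo affected; fi
      ;;
    *)
      major=${v%%.*}; rest=${v#"$major"}; rest=${rest#.}
      minor=${rest%%.*}; rest=${rest#"$minor"}; rest=${rest#.}
      patch=${rest%%.*}
      major=${major%%[!0-9]*}; minor=${minor%%[!0-9]*}
      patch=${patch%%[!0-9]*}                # drop suffixes such as _noneautotype
      # Single sortable key: 1.2.80 -> 1002080; anything at or below it is affected.
      key=$(( ${major:-0} * 1000000 + ${minor:-0} * 1000 + ${patch:-0} ))
      if [ "$key" -gt 1002080 ]; then echo unaffected; else echo affected; fi
      ;;
  esac
}

# scan_fastjson DIR -> one "path status" line per fastjson-*.jar found below DIR
scan_fastjson() {
  find "$1" -type f -name 'fastjson-*.jar' | while IFS= read -r jar; do
    printf '%s %s\n' "$jar" "$(fastjson_status "$jar")"
  done
}

# count_affected DIR -> number of jars below DIR that are in the affected range
count_affected() {
  scan_fastjson "$1" | awk '/ affected$/ { n++ } END { print n + 0 }'
}

# make_demo_dir -> creates a constructed unpacked-application layout and prints its path
make_demo_dir() {
  d=$(mktemp -d)
  mkdir -p "$d/WEB-INF/lib" "$d/lib"
  : > "$d/WEB-INF/lib/fastjson-1.2.76.jar"       # affected
  : > "$d/lib/fastjson-1.2.80.jar"               # affected (upper bound of the range)
  : > "$d/lib/fastjson-1.2.83.jar"               # unaffected
  : > "$d/lib/fastjson-1.2.62.sec10.jar"         # unaffected under the sec naming assumption
  printf '%s\n' "$d"
}

# Demo run over the constructed layout.
demo=$(make_demo_dir)
scan_fastjson "$demo"
printf 'affected jars: %s\n' "$(count_affected "$demo")"
rm -rf "$demo"
```

Point `scan_fastjson` at the unpacked application directory on the ECS instance (or at the lib directory of an unpacked WAR); for a packed archive, list its contents first with `unzip -l app.war | grep fastjson` and pass the jar names to `fastjson_status` one at a time. A result of `affected` on any jar, including one nested in a bundled library, means Fix 3 applies to that package.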