Fastjson was reported to contain a remote code execution (RCE) vulnerability that bypasses the autoType switch to deserialize classes. Attackers can exploit this vulnerability to execute arbitrary code on targeted servers. To fix this vulnerability, update the Java programs and components that use Fastjson dependencies on your Enterprise Distributed Application Service (EDAS) hosts. EDAS hosts are Elastic Compute Service (ECS) instances that are added to EDAS.

Vulnerability description

Fastjson uses blacklists and whitelists to defend against attacks that exploit deserialization vulnerabilities. However, attackers can deserialize other gadget classes to bypass the blacklists and whitelists even while autoType is disabled. This leads to an RCE vulnerability: attackers can launch RCE attacks that bypass the autoType switch. This poses high risks, and Fastjson users must fix this vulnerability at the earliest opportunity.

Affected versions

Fastjson 1.2.80 and earlier

or

Fastjson sec9 and earlier

Unaffected versions

Fastjson versions later than 1.2.80

or

Fastjson sec10 and later

Suggestions

If you update Fastjson from an earlier version to a version later than 1.2.80, compatibility issues may occur. We recommend that you update Fastjson to a sec10 bugfix version or to a version that has autoType disabled.

Impacts on EDAS users

The following programs and components on EDAS hosts use Fastjson:

  • EDAS agent: The EDAS agent is installed on all ECS instances that are added to ECS clusters, and it is a Java program. The EDAS agent is also installed in Kubernetes clusters. However, the edas-agent that runs in edas-agent containers is not a Java program. Therefore, you need to update the EDAS agent only on ECS instances in ECS clusters; the EDAS agent that runs in Kubernetes clusters does not need to be updated.
  • Pandora: If you choose EDAS Container as the application runtime when you create an application, Pandora is installed for the application.
  • Application Real-Time Monitoring Service (ARMS) agent: The ARMS agent is installed for the following applications: applications that use the EDAS Container runtime and have advanced monitoring enabled, applications that use Apache Tomcat and the standard Java runtime, and applications that are deployed in Kubernetes clusters.
  • Fastjson packages that are included in your application package

Fixes

  • For applications that use the EDAS Container runtime, use the following methods to patch the Fastjson package of the Pandora plug-in:

    The versions of Pandora and Ali-Tomcat are displayed in the Application Runtime Environment section of the application details page of the ECS cluster. You can click Upgrade/Downgrade Runtime Environment in the upper-right corner of the application details page to update Pandora to 3.6.3. If you want to update Pandora for applications in batches, you must first create one or more application groups in addition to the default application group. For more information about how to update Pandora for applications in batches, see Upgrade or downgrade the runtime environment. Perform this task during off-peak hours or at another suitable time. Because a failed update can prevent your applications from starting, we recommend that you update Pandora in the test environment before you switch to the production environment.

    For applications that are deployed in Kubernetes clusters, redeploy the applications and select Pandora 3.6.3.

    Notice: Do not update Pandora during peak hours. If the current Pandora version is 3.3.x or earlier, update Pandora in the test environment before you switch to the production environment. Otherwise, a failed update may prevent the applications from starting, and the update cannot be rolled back. If this issue occurs, join DingTalk group 23336518 and provide your application ID to request technical support.

    For an application that uses the EDAS Container runtime, update Pandora in EDAS Container to 3.6.3. The EDAS agent and ARMS agent on the ECS instances in which the application is deployed are then updated automatically; you do not need to update them manually.

  • For applications that are deployed in ECS clusters and use the standard Java runtime or Apache Tomcat runtime:

    You need only to redeploy the applications. Then, the EDAS agent and ARMS agent on the ECS instances are automatically updated.

  • For a Fastjson package that is included in your application package and the Fastjson version is affected:

    Manually update the Fastjson package to a version later than 1.2.80 or to a sec10 version. Then, test, verify, and release your application again. You can also contact the software developer to update the Fastjson package for you.
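The last step above assumes you know which Fastjson versions ship inside your own application packages. The following POSIX shell script is an added example, not part of the EDAS documentation or of Fastjson itself: it classifies a Fastjson version string against the affected ranges stated in this advisory (1.2.80 and earlier, or sec9 and earlier) and scans a deployment directory for `fastjson-*.jar` files that still need the update. It assumes that security-patch releases carry a `secN` tag in the version string (for example `1.2.68.sec10`) and that the JAR file names follow the `fastjson-<version>.jar` convention; the directory and file names in the demo are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the EDAS documentation): classify Fastjson versions
# against the advisory's affected ranges and scan a deployment directory for
# Fastjson JARs that still need the update.
#
# Affected per the advisory: 1.2.80 and earlier, or sec9 and earlier.
# Assumption: sec releases carry a "secN" tag, e.g. 1.2.68.sec10.

# Returns 0 (true) if VERSION is an affected Fastjson release, 1 otherwise.
fastjson_is_affected() {
    ver="$1"
    case "$ver" in
        *sec[0-9]*)
            # Security-patch line: only the secN counter decides.
            n=$(printf '%s\n' "$ver" | sed -n 's/.*sec\([0-9][0-9]*\).*/\1/p')
            [ "$n" -le 9 ] && return 0
            return 1
            ;;
    esac
    # Mainline: compare major.minor.patch numerically against 1.2.80.
    major=$(printf '%s\n' "$ver" | cut -d. -f1)
    minor=$(printf '%s\n' "$ver" | cut -d. -f2)
    patch=$(printf '%s\n' "$ver" | cut -d. -f3 | sed 's/[^0-9].*$//')
    [ -z "$patch" ] && patch=0
    num=$((major * 1000000 + minor * 1000 + patch))
    [ "$num" -le 1002080 ] && return 0
    return 1
}

# Extracts the version from a JAR file name such as fastjson-1.2.68.jar.
fastjson_version_from_jar() {
    base=$(basename "$1")
    base=${base#fastjson-}
    printf '%s\n' "${base%.jar}"
}

# Scans DIR for fastjson-*.jar files, prints one line per JAR, and returns
# 1 if any affected JAR was found, 0 if every JAR is a fixed version.
# Assumption: JAR paths contain no whitespace (plain for-loop word splitting).
scan_fastjson_jars() {
    dir="$1"
    found_affected=0
    for jar in $(find "$dir" -type f -name 'fastjson-*.jar' | sort); do
        ver=$(fastjson_version_from_jar "$jar")
        if fastjson_is_affected "$ver"; then
            printf 'AFFECTED  %s (%s)\n' "$jar" "$ver"
            found_affected=1
        else
            printf 'ok        %s (%s)\n' "$jar" "$ver"
        fi
    done
    return "$found_affected"
}

# Demo on constructed file names: empty placeholder JARs in a temp directory.
demo=$(mktemp -d)
for v in 1.2.68 1.2.68.sec10 1.2.80 1.2.83; do : > "$demo/fastjson-$v.jar"; done
scan_fastjson_jars "$demo" || echo "update required for at least one JAR"
rm -rf "$demo"
```

Run it against the unpacked application directory (or the `lib/` directory of an exploded WAR) before you release; a non-zero exit status means at least one bundled Fastjson JAR still falls in an affected range and must be replaced by a version later than 1.2.80 or a sec10 version, as the fix above describes.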