All Products
Search

This Product

    Enterprise Distributed Application Service:Security updates: Fastjson vulnerability on EDAS hosts

    Document Center

    Enterprise Distributed Application Service:Security updates: Fastjson vulnerability on EDAS hosts

    Last Updated:May 25, 2023

    Fastjson was reported to contain a remote code execution (RCE) vulnerability that bypasses the autoType switch to implement deserialization of classes. Attackers can exploit this vulnerability to execute arbitrary code on targeted servers. To fix this vulnerability, update the Java programs or components that use Fastjson dependencies on your Enterprise Distributed Application Service (EDAS) hosts. EDAS hosts refer to Elastic Compute Service (ECS) instances that are added to EDAS.

    Vulnerability description

    Fastjson uses blacklists and whitelists to defend against attacks that exploit deserialization vulnerabilities. However, attackers can use deserialization of other gadget classes to bypass the blacklists and whitelists while autoType is disabled. This leads to an RCE vulnerability. Attackers can exploit this vulnerability to launch RCE attacks that bypass the autoType switch. This poses high risks. Fastjson users must fix this vulnerability at the earliest opportunity.

    Affected versions

    Fastjson 1.2.80 and earlier, or Fastjson sec9 and earlier

    Unaffected versions

    Versions later than Fastjson 1.2.80, or Fastjson sec10 and later

    Suggestions

    If you update Fastjson to a version later than 1.2.80 from an earlier version, compatibility issues may occur. We recommend that you update Fastjson to a sec10 bugfix version or a version that has autoType disabled.

    Impacts on EDAS users

    The following programs or components on EDAS hosts use Fastjson:

    • EDAS agent: The EDAS agent is installed on all ECS instances that are added to ECS clusters. The EDAS agent is a Java program. The EDAS agent is also installed in Kubernetes clusters. However, edas-agent that runs in edas-agent containers is not a Java program. Therefore, you need to update the EDAS agent only on ECS instances in ECS clusters. You can leave the EDAS agent that runs in Kubernetes clusters.
    • Pandora: If you choose EDAS Container as the application runtime when you create an application, Pandora is installed for the application.
    • Application Real-Time Monitoring Service (ARMS) agent: The ARMS agent is installed for the following applications: applications that use the EDAS Container runtime and have advanced monitoring enabled, applications that use Apache Tomcat and the standard Java runtime, and applications that are deployed in Kubernetes clusters.
    • Fastjson packages that are included in your application package.

    Fixes

    For applications that use the EDAS Container runtime, use the following methods to patch the Fastjson package of the Pandora plug-in

    • The versions of Pandora and Ali-Tomcat are displayed in the Application Runtime Environment section of the application details page of the ECS cluster. You can click Upgrade/Downgrade Runtime Environment in the upper-right corner of the application details page to update Pandora to 3.6.3. If you want to update Pandora for applications in batches, you must first create one or more application groups in addition to the default application group.

      For more information about how to update Pandora for applications in batches, see Upgrade or downgrade the runtime environment. You can perform this task during off-peak hours or choose a proper time. We recommend that you update Pandora in the test environment before you switch to the production environment because you may fail to start the application due to update failures.

    • For applications that are deployed in Kubernetes clusters, redeploy the applications and select Pandora 3.6.3.
      Important Do not update Pandora during peak hours. If the current Pandora version is 3.3.x or earlier, update Pandora in the test environment before you switch to the production environment. Otherwise, if the update fails, you may fail to start the application and cannot roll back the update. If this issue occurs, join DingTalk group 23336518 and provide your application ID for technical support.
    • For an application that uses the EDAS Container runtime, update Pandora in EDAS Container to 3.6.3. Then, the EDAS agent and ARMS agent on ECS instances in which the application is deployed are automatically updated. You do not need to manually perform the following tasks.

    For applications that are deployed in ECS clusters and use the standard Java runtime or Apache Tomcat runtime

    You need only to redeploy the applications. Then, the EDAS agent and ARMS agent on the ECS instances are automatically updated.

    For a Fastjson package that is included in your application package and the Fastjson version is affected

    Manually update the Fastjson package to a version later than 1.2.80 or a sec10 version. Then, test, verify, and release your application again. You can also contact the software developer to update the Fastjson package for you.