On March 15, 2017, Fastjson released a security bulletin announcing a remote code execution vulnerability in Fastjson 1.2.24 and earlier versions. Attackers can exploit this vulnerability to run code remotely and thereby compromise the server. Fastjson has released a new version that fixes the vulnerability.
See the following for more information about the vulnerability.
Remote code execution vulnerability in Fastjson
A remote code execution vulnerability exists in Fastjson 1.2.24 and earlier versions. Because of a flaw in Fastjson's deserialization process, an attacker who submits specially crafted serialized data to the server can execute arbitrary code remotely.
Condition and method of exploitation
Hackers can exploit this vulnerability to run code remotely.
Affected versions: Fastjson <= 1.2.24
Run the following command to check the current version:
lsof | grep fastjson
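As an added example that is not part of this advisory, the following POSIX shell script extends the lsof check above: it extracts the version from each fastjson jar file name (jars open in running processes as well as jars found on disk, since lsof only lists jars a running process currently holds open) and classifies it against the advisory's thresholds, comparing version components numerically so that 1.2.7 is not mistaken for a release newer than 1.2.24. The paths mentioned in the comments are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the advisory. Classifies Fastjson jars by version:
# <= 1.2.24 is VULNERABLE, 1.2.25-1.2.27 is BELOW_RECOMMENDED, >= 1.2.28 is OK.

# Print the version embedded in a jar name such as
# /opt/app/lib/fastjson-1.2.24.jar (constructed path); print nothing if absent.
fastjson_version_from_path() {
    basename "$1" | sed -n 's/^fastjson-\([0-9][0-9.]*\)\.jar$/\1/p'
}

# Compare two dotted versions component by component. Prints -1, 0 or 1.
version_cmp() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai=${a%%.*}; bi=${b%%.*}
        [ -z "$ai" ] && ai=0          # missing component counts as 0
        [ -z "$bi" ] && bi=0
        if [ "$ai" -lt "$bi" ]; then echo -1; return; fi
        if [ "$ai" -gt "$bi" ]; then echo 1; return; fi
        case "$a" in *.*) a=${a#*.};; *) a="";; esac
        case "$b" in *.*) b=${b#*.};; *) b="";; esac
    done
    echo 0
}

# Classify one jar path using the advisory's thresholds.
fastjson_status() {
    v=$(fastjson_version_from_path "$1")
    [ -z "$v" ] && { echo UNKNOWN; return; }
    if [ "$(version_cmp "$v" 1.2.24)" -le 0 ]; then echo VULNERABLE
    elif [ "$(version_cmp "$v" 1.2.28)" -lt 0 ]; then echo BELOW_RECOMMENDED
    else echo OK; fi
}

# Report every fastjson jar held open by a process (the advisory's lsof check)
# plus any jar found under the given directory (default: /), one per line.
scan_host() {
    { lsof 2>/dev/null | grep -o '/[^ ]*fastjson-[0-9][0-9.]*\.jar'
      find "${1:-/}" -name 'fastjson-*.jar' 2>/dev/null; } | sort -u |
    while read -r jar; do
        printf '%s %s\n' "$(fastjson_status "$jar")" "$jar"
    done
}
```

Run `scan_host /opt` (or any application root) as a user that can read the application's files; jars whose names carry no version are reported as UNKNOWN and should be inspected by hand.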
How to fix or mitigate
Fastjson has released the latest version to fix the vulnerability. We recommend that you use one of the following methods to upgrade Fastjson to version 1.2.28 or later:
Update the Maven dependency configuration to upgrade Fastjson to the latest version.
Download and install the latest version. The download address is http://repo1.maven.org/maven2/com/alibaba/fastjson/1.2.28/.
Enable Alibaba Cloud Security WAF. If you cannot upgrade Fastjson promptly, Alibaba Cloud Security WAF can provide automatic protection in the meantime.