
[Vulnerability notice] Remote code execution vulnerability in Fastjson

Last Updated: Apr 08, 2018

On March 15, 2017, Fastjson released a security publication announcing a remote code execution vulnerability in Fastjson 1.2.24 and earlier versions. Attackers can exploit this vulnerability to run code remotely and consequently compromise the server. Fastjson has released a new version that fixes the vulnerability.

See the following for more information about the vulnerability.


CVE identifier

None

Vulnerability name

Remote code execution vulnerability in Fastjson

Vulnerability rating

High

Vulnerability description

A remote code execution vulnerability exists in Fastjson 1.2.24 and earlier versions. Because of a flaw in Fastjson's deserialization process, submitting specially crafted serialized data to the server allows arbitrary code to be executed remotely.

Condition and method of exploitation

Hackers can exploit this vulnerability to run code remotely.

Affected scope

Fastjson <= 1.2.24

Vulnerability detection

Run the following command to check the current version:

    lsof | grep fastjson
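The command above only lists open fastjson jars; deciding whether each one falls inside the affected scope (1.2.24 and earlier) still has to be done by hand. The following shell functions are an added example, not part of the Alibaba Cloud notice: they take jar paths on standard input, extract the version from file names of the form fastjson-<version>.jar (an assumption about how the jar is named on disk), and flag every version less than or equal to 1.2.24. The sample paths at the end are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the notice): classify fastjson jars by version
# against the affected scope "Fastjson <= 1.2.24".

# Return 0 (true) if version $1 is <= 1.2.24, i.e. inside the affected scope.
# Components are compared numerically, so 1.2.3 sorts below 1.2.24.
fastjson_is_affected() {
    echo "$1" | awk -F. '{
        major = $1 + 0; minor = $2 + 0; patch = $3 + 0;
        if (major < 1) exit 0;
        if (major > 1) exit 1;
        if (minor < 2) exit 0;
        if (minor > 2) exit 1;
        if (patch <= 24) exit 0;
        exit 1;
    }'
}

# Extract the version from a path such as /opt/app/lib/fastjson-1.2.24.jar
# (assumed naming convention). Prints nothing if the path is not a fastjson jar.
fastjson_version_from_path() {
    echo "$1" | sed -n 's/.*fastjson-\([0-9][0-9.]*\)\.jar.*/\1/p'
}

# Read one path per line on stdin and print "AFFECTED <version> <path>" or
# "OK <version> <path>" for every fastjson jar; other paths are skipped.
fastjson_report() {
    while IFS= read -r path; do
        ver=$(fastjson_version_from_path "$path")
        [ -z "$ver" ] && continue
        if fastjson_is_affected "$ver"; then
            echo "AFFECTED $ver $path"
        else
            echo "OK $ver $path"
        fi
    done
}

# Constructed sample input: two fastjson jars and one unrelated jar.
printf '%s\n' \
    /opt/app/lib/fastjson-1.2.24.jar \
    /opt/app/lib/commons-io-2.4.jar \
    /opt/other/lib/fastjson-1.2.28.jar | fastjson_report
```

On a live host, feed it the output of the notice's own check, for example `lsof | grep fastjson | awk '{print $NF}' | fastjson_report`, or scan the file system with `find / -name 'fastjson-*.jar' 2>/dev/null | fastjson_report`. Any line marked AFFECTED is a jar that the upgrade steps below apply to.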

How to fix or mitigate

  1. Fastjson has released a new version that fixes the vulnerability. We recommend that you use one of the following methods to upgrade Fastjson to version 1.2.28 or later:

    • Update the Maven dependency configuration to the fixed version:

          <dependency>
              <groupId>com.alibaba</groupId>
              <artifactId>fastjson</artifactId>
              <version>1.2.28</version>
          </dependency>

    • Download and install the latest version. The download address is http://repo1.maven.org/maven2/com/alibaba/fastjson/1.2.28/.

  2. Enable Alibaba Cloud Security WAF. If you cannot upgrade Fastjson in a timely manner, you can use Alibaba Cloud Security WAF for automatic protection.

Reference

[1] https://github.com/alibaba/fastjson/wiki/security_update_20170315
