[Alert] Remote Code Execution Vulnerability of Fastjson Versions Earlier than 1.2.51
Jul 11, 2019 GMT+08:00
Recently, HUAWEI CLOUD has noticed that fastjson has a deserialization vulnerability that allows remote code execution and may give an attacker direct access to the server. This vulnerability is a serious threat: it extends the exploitation of the deserialization vulnerability found in fastjson 1.2.24 in 2017, and it affects fastjson versions earlier than 1.2.51. If your fastjson version falls within the affected range, upgrade it to a secure version.
Official notice: https://github.com/alibaba/fastjson/wiki/update_faq_20190722
III. Affected Products
Fastjson versions earlier than 1.2.51 are affected.
Fastjson 1.2.51 and later versions are secure.
Solution 1: Upgrade fastjson to the latest version, 1.2.58, which is available at the following download address: https://github.com/alibaba/fastjson/releases/tag/1.2.58
Solution 2: Uninstall fastjson. If you still need a JSON parsing library, use the latest version of gson or jackson-databind instead.
Note: Before fixing vulnerabilities, back up your files and conduct a thorough test.
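As an added check that is not part of the HUAWEI CLOUD notice, the following POSIX shell script locates fastjson jars under a directory and flags any whose version is earlier than 1.2.51, the first secure release named above. It assumes the jars follow the Maven naming convention fastjson-<version>.jar and that paths contain no spaces.

```shell
#!/bin/sh
# Added example (not from the notice): find fastjson jars and flag affected versions.

FIXED_VERSION="1.2.51"   # first secure version named in the notice

# Compare two dotted versions numerically; prints "lt" if $1 < $2, else "ge".
version_cmp() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0   # missing components count as 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi < yi) { print "lt"; exit }
            if (xi > yi) { print "ge"; exit }
        }
        print "ge"
    }'
}

# Succeeds (exit 0) when the given fastjson version is in the affected range.
fastjson_vulnerable() {
    [ "$(version_cmp "$1" "$FIXED_VERSION")" = "lt" ]
}

# Extract the version from a jar name such as fastjson-1.2.47.jar.
# Assumption: Maven naming, fastjson-<version>.jar; a suffix like .sec06 is ignored.
jar_version() {
    basename "$1" .jar | sed -n 's/^fastjson-\([0-9.]*[0-9]\).*$/\1/p'
}

# Walk a directory tree, print one line per fastjson jar (VULNERABLE or OK),
# and return 1 if any affected jar was found so the check can fail a CI job.
scan_fastjson_jars() {
    found_vuln=0
    for jar in $(find "$1" -type f -name 'fastjson-*.jar' 2>/dev/null); do
        v=$(jar_version "$jar")
        [ -n "$v" ] || continue
        if fastjson_vulnerable "$v"; then
            echo "VULNERABLE $v $jar"; found_vuln=1
        else
            echo "OK $v $jar"
        fi
    done
    return $found_vuln
}
```

Run it as `scan_fastjson_jars /opt/app` (or any directory the application loads jars from); a non-zero exit means an affected version is still present.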