Service Notices


[Alert] Remote Code Execution Vulnerability of Fastjson Versions Earlier than 1.2.51

Jul 11, 2019 GMT+08:00

I. Overview

Recently, HUAWEI CLOUD has become aware of a deserialization vulnerability in fastjson that allows remote code execution and may give an attacker direct access to the server. This vulnerability, a serious threat, is an extended exploitation of the deserialization vulnerability found in fastjson 1.2.24 in 2017. It affects fastjson versions earlier than 1.2.51. If your fastjson version falls within the affected range, upgrade it to a secure version.

Official notice: https://github.com/alibaba/fastjson/wiki/update_faq_20190722

II. Severity

Severity: important

(Severity levels: low, moderate, important, and critical)

III. Affected Products

Fastjson versions earlier than 1.2.51 are affected.

Fastjson 1.2.51 and later versions are secure.

IV. Workarounds

Solution 1: Upgrade fastjson to the latest version, 1.2.58, which is available at the following download address: https://github.com/alibaba/fastjson/releases/tag/1.2.58

Solution 2: Uninstall fastjson. If you still need a JSON parsing library, use the latest version of gson or jackson-databind instead.

Note: Before fixing the vulnerability, back up your files and test the fix thoroughly.
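To check whether a project still pulls in an affected release before applying either solution, the following script scans a Maven pom.xml for com.alibaba:fastjson dependencies and flags any version earlier than 1.2.51. It is an added example, not part of this notice or of the fastjson project; the pom.xml content is constructed for illustration, and unresolved version placeholders are flagged for manual review rather than assumed safe.

```python
"""Flag fastjson dependency versions earlier than 1.2.51 in a Maven pom.xml."""
import re
import xml.etree.ElementTree as ET

# Threshold from the advisory: versions earlier than 1.2.51 are affected.
FIXED_VERSION = (1, 2, 51)
MAVEN_NS = "{http://maven.apache.org/POM/4.0.0}"

# Constructed sample pom.xml for demonstration, not taken from any real project.
SAMPLE_POM = """<?xml version="1.0"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencies>
    <dependency>
      <groupId>com.alibaba</groupId>
      <artifactId>fastjson</artifactId>
      <version>1.2.47</version>
    </dependency>
    <dependency>
      <groupId>com.google.code.gson</groupId>
      <artifactId>gson</artifactId>
      <version>2.8.5</version>
    </dependency>
  </dependencies>
</project>
"""

def parse_version(text):
    """Turn '1.2.47' into (1, 2, 47); non-numeric trailing parts are dropped and
    missing parts count as 0. Returns None when no numeric part is found
    (e.g. an unresolved ${property} placeholder)."""
    parts = []
    for piece in text.strip().split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    if not parts:
        return None
    return tuple((parts + [0, 0, 0])[:3])

def is_affected(version):
    """True for versions earlier than 1.2.51, and for versions that cannot be
    resolved, so a human checks them instead of silently passing."""
    parsed = parse_version(version)
    return parsed is None or parsed < FIXED_VERSION

def find_vulnerable_fastjson(pom_xml):
    """Return the versions of com.alibaba:fastjson declared in pom_xml that are affected."""
    root = ET.fromstring(pom_xml)
    hits = []
    for dep in root.iter(MAVEN_NS + "dependency"):
        group = dep.findtext(MAVEN_NS + "groupId", "")
        artifact = dep.findtext(MAVEN_NS + "artifactId", "")
        version = dep.findtext(MAVEN_NS + "version", "")
        if group == "com.alibaba" and artifact == "fastjson" and is_affected(version):
            hits.append(version)
    return hits
```

Running find_vulnerable_fastjson on the sample returns ["1.2.47"]; an empty list means no affected fastjson dependency was declared directly (transitive dependencies still need to be checked with the build tool's dependency tree).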