Service Notices
Fastjson Remote DoS Vulnerability
Sep 06, 2019 GMT+08:00
I. Overview
The HUAWEI CLOUD security team has recently noticed a remote denial of service (DoS) vulnerability in Fastjson versions earlier than 1.2.60. Fastjson fails to parse specific JSON strings, so an attacker can construct a request packet containing such a string and launch a remote DoS attack against servers that use Fastjson. As a result, the CPU/RAM of the affected servers is overloaded, causing performance deterioration or server breakdown.
Reference link:
https://github.com/alibaba/fastjson/pull/2692
II. Severity
Severity: important
(Severity: low, moderate, important, and critical)
III. Affected Products
Affected versions:
Fastjson versions earlier than 1.2.60
or Fastjson sec versions earlier than sec06
Secure versions:
Fastjson 1.2.60 and later
or Fastjson sec06 and later
IV. Workarounds
Upgrade Fastjson to a secure version. Download address: http://repo1.maven.org/maven2/com/alibaba/fastjson/
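To check whether a build still pulls in an affected release, the following triage script (added here as an example; it is not part of the advisory or of Fastjson) scans `mvn dependency:tree` output for Fastjson artifacts and flags every version below 1.2.60. The dependency lines are constructed sample data; versions that are not purely numeric, such as the separately numbered sec line, are reported for manual review rather than ordered, since the advisory does not define their format.

```python
import re

# Fastjson versions below this are affected by the remote DoS described above.
FIXED_VERSION = (1, 2, 60)

# Matches Maven dependency:tree entries such as
#   [INFO] +- com.alibaba:fastjson:jar:1.2.58:compile
ARTIFACT_RE = re.compile(r"com\.alibaba:fastjson:jar:([\w.\-]+):")


def parse_version(version):
    """Turn '1.2.58' into (1, 2, 58); return None if not purely numeric."""
    parts = version.split(".")
    if not all(p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)


def classify(version):
    """Return 'vulnerable', 'fixed' or 'review' (non-numeric version string)."""
    parsed = parse_version(version)
    if parsed is None:
        # The advisory's 'sec' line is versioned separately (format assumed
        # unknown here), so do not guess its ordering; hand it to a human.
        return "review"
    return "vulnerable" if parsed < FIXED_VERSION else "fixed"


def scan_dependency_tree(text):
    """Return a list of (version, status) for every Fastjson artifact found."""
    findings = []
    for line in text.splitlines():
        match = ARTIFACT_RE.search(line)
        if match:
            version = match.group(1)
            findings.append((version, classify(version)))
    return findings


# Constructed sample output of `mvn dependency:tree`; not from a real project.
SAMPLE_TREE = """\
[INFO] com.example:webapp:war:1.0
[INFO] +- com.alibaba:fastjson:jar:1.2.58:compile
[INFO] +- org.slf4j:slf4j-api:jar:1.7.26:compile
[INFO] \\- com.example:shared:jar:1.0:compile
[INFO]    \\- com.alibaba:fastjson:jar:1.2.60:compile
"""

if __name__ == "__main__":
    for version, status in scan_dependency_tree(SAMPLE_TREE):
        print(f"fastjson {version}: {status}")
```

Transitive copies (the second entry above) matter as much as direct ones, since the vulnerable parser is reachable through whichever version Maven resolves.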
HUAWEI CLOUD WAF can detect attacks against this vulnerability by default. Enable basic web protection to defend against them. For configuration details, see
https://support.huaweicloud.com/intl/en-us/usermanual-waf/waf_01_0008.html
Note: Before fixing vulnerabilities, back up your files and conduct a thorough test.