Go to Qiita Advent Calendar 2024 Top

0

More than 3 years have passed since last update.

@shimizukawasaki(清水川崎)

[漏洞通告]Fastjson <= 1.2.68存在远程代码执行漏洞

FastJson

Last updated at 2020-06-29Posted at 2020-06-29

漏洞描述

近日,亚信安全网络攻防实验室跟踪到Fastjson <= 1.2.68存在远程代码执行漏洞.可在未开启autotype开关的情况下被利用,以至于可直接获取服务器权限.

漏洞编号

无

漏洞威胁等级

高危

影响范围

Fastjson <= 1.2.68

漏洞验证

修复建议

1.建议升级到官方最新版本
2.建议配置以下参数开启SafeMode来防护攻击：
ParserConfig.getGlobalInstance().setSafeMode(true);

注意:一旦开启`safeMode`会完全禁用`autotype`,无视白名单,可能会影响业务连续性.

时间轴

[0] 2020/05/18 腾讯云发布漏洞通告
[1] 2020/06/29 亚信安全网络攻防实验室分析&复现该漏洞并发布漏洞通告

Reference

0

Register as a new user and use Qiita more conveniently

You get articles that match your needs
You can efficiently read back useful information
You can use dark theme

What you can do with signing up

0