Updated on 2025-10-20 GMT+08:00

Fastjson Remote Code Execution Vulnerability

On July 12, 2019, the Emergency Response Center detected a remote code execution vulnerability in the open-source component Fastjson. It extends the deserialization vulnerability found in Fastjson 1.2.24 in 2017 and can be exploited directly to gain control of the server, causing serious damage.

Affected Versions

Versions earlier than Fastjson 1.2.51

Fixed Version

Fastjson 1.2.51 or later

Official Solution

Upgrade Fastjson to 1.2.51 or later, or to the latest release, 1.2.58.
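As an added example (not part of this page, and not Huawei Cloud or Fastjson project code), the following POSIX shell script checks whether a Fastjson version string is below the fixed version 1.2.51 and scans a dependency listing for affected entries. The listing and its versions are constructed for the example; the line format imitates the `groupId:artifactId:type:version:scope` lines printed by `mvn dependency:list`. The field-wise comparison matters because plain string comparison would rank 1.2.9 above 1.2.51.

```shell
#!/bin/sh
# Added example: flag Fastjson versions earlier than the fixed version 1.2.51.
# Not code from the Huawei Cloud page or the Fastjson project.

FIXED_VERSION="1.2.51"   # first version stated above as not affected

# field VERSION N -> N-th dot-separated field, empty when N is past the end.
# A trailing dot is appended so cut always sees a delimiter.
field() {
    printf '%s.' "$1" | cut -d. -f"$2"
}

# version_lt A B -> exit 0 if A < B, comparing numeric fields left to right.
# Pre-release suffixes after a hyphen (e.g. -SNAPSHOT) are ignored;
# non-numeric fields are treated as 0.
version_lt() {
    a=${1%%-*}; b=${2%%-*}
    i=1
    while :; do
        fa=$(field "$a" "$i")
        fb=$(field "$b" "$i")
        [ -z "$fa" ] && [ -z "$fb" ] && return 1   # all fields equal
        case $fa in ''|*[!0-9]*) fa=0;; esac
        case $fb in ''|*[!0-9]*) fb=0;; esac
        if [ "$fa" -lt "$fb" ]; then return 0; fi
        if [ "$fa" -gt "$fb" ]; then return 1; fi
        i=$((i + 1))
    done
}

# fastjson_vulnerable VERSION -> exit 0 if VERSION is earlier than 1.2.51.
fastjson_vulnerable() {
    version_lt "$1" "$FIXED_VERSION"
}

# scan_dependencies reads dependency lines on stdin and reports each
# com.alibaba:fastjson entry as VULNERABLE or ok.
scan_dependencies() {
    while IFS= read -r line; do
        case $line in
            *com.alibaba:fastjson:*) ;;
            *) continue ;;
        esac
        ver=$(printf '%s' "$line" | cut -d: -f4)
        if fastjson_vulnerable "$ver"; then
            printf 'VULNERABLE fastjson %s (fixed in %s)\n' "$ver" "$FIXED_VERSION"
        else
            printf 'ok fastjson %s\n' "$ver"
        fi
    done
}

# Constructed sample listing (hypothetical project; not real scan output).
SAMPLE_DEPS='[INFO]    com.alibaba:fastjson:jar:1.2.47:compile
[INFO]    com.alibaba:fastjson:jar:1.2.9:compile
[INFO]    com.alibaba:fastjson:jar:1.2.51:compile
[INFO]    com.alibaba:fastjson:jar:1.2.58:compile
[INFO]    com.google.code.gson:gson:jar:2.8.6:compile'

printf '%s\n' "$SAMPLE_DEPS" | scan_dependencies
```

In a real build, replace the constructed listing with `mvn dependency:list` output piped into `scan_dependencies`; only entries below 1.2.51 are reported as VULNERABLE, which is the version boundary this advisory gives.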

Mitigation

The built-in protection rules of Huawei Cloud WAF can defend against this vulnerability. The procedure is as follows:

  1. Buy WAF.
  2. Add the website domain name to WAF and resolve it to WAF. For details, see Connecting Your Website to WAF (Cloud Mode - CNAME Access).
  3. In the Basic Web Protection configuration area, set the protective action to Block. For details, see Configuring Basic Web Protection Rules.

Protection Verification

After the preceding configuration is complete, simulate an exploit of the Fastjson remote code execution vulnerability against the protected website. Then go to the WAF console, choose Events in the navigation pane on the left, and check whether the request was blocked.