Fastjson DoS Vulnerability
On September 3, 2019, the Huawei Cloud security team detected a DoS vulnerability in multiple versions of the widely used open-source component Fastjson. An attacker can exploit this vulnerability by constructing malicious requests and sending them to a server that uses Fastjson. As a result, the server's memory and CPU are exhausted and the server crashes, causing a service outage. Huawei Cloud WAF provides protection against this vulnerability.
Affected Versions
Fastjson earlier than 1.2.60
Mitigation Version
Fastjson 1.2.60
Official Solution
Upgrade the open-source component Fastjson to 1.2.60.
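To check whether a project still pulls in an affected Fastjson build before relying on WAF alone, the following added script (not part of this page or of Huawei Cloud's tooling) scans a Maven pom.xml for the com.alibaba:fastjson dependency, resolves `${property}` version references, and flags any version earlier than 1.2.60; the sample pom is constructed for the demonstration.

```python
import re
import xml.etree.ElementTree as ET

# Fixed version stated on this page: Fastjson earlier than 1.2.60 is affected.
FIXED_VERSION = (1, 2, 60)


def parse_version(text):
    """Turn '1.2.58' into a comparable tuple of ints, padded to three parts.
    Qualifier suffixes such as '-SNAPSHOT' are ignored (numeric part only)."""
    m = re.match(r"^\s*(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    nums = tuple(int(p) for p in m.group(1).split("."))
    return nums + (0,) * (3 - len(nums))


def is_affected(version):
    """True when the version is below the 1.2.60 mitigation release."""
    return parse_version(version) < FIXED_VERSION


def find_fastjson_versions(pom_xml):
    """Return [(resolved_version, affected_flag)] for every fastjson dependency."""
    root = ET.fromstring(pom_xml)
    # Maven poms usually carry the POM namespace; handle bare tags as well.
    ns = root.tag[: root.tag.index("}") + 1] if root.tag.startswith("{") else ""
    props = {p.tag[len(ns):]: (p.text or "").strip()
             for p in root.findall(f"{ns}properties/*")}
    found = []
    for dep in root.iter(f"{ns}dependency"):
        gid = dep.findtext(f"{ns}groupId", "").strip()
        aid = dep.findtext(f"{ns}artifactId", "").strip()
        if (gid, aid) != ("com.alibaba", "fastjson"):
            continue
        ver = dep.findtext(f"{ns}version", "").strip()
        # Resolve ${name} references against the <properties> block.
        ver = re.sub(r"\$\{([^}]+)\}", lambda m: props.get(m.group(1), m.group(0)), ver)
        found.append((ver, is_affected(ver)))
    return found


# Constructed sample pom: an application pinning fastjson through a property.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties><fastjson.version>1.2.58</fastjson.version></properties>
  <dependencies>
    <dependency><groupId>com.alibaba</groupId><artifactId>fastjson</artifactId>
      <version>${fastjson.version}</version></dependency>
  </dependencies></project>"""

if __name__ == "__main__":
    for ver, bad in find_fastjson_versions(SAMPLE_POM):
        print(f"fastjson {ver}: {'AFFECTED, upgrade to 1.2.60' if bad else 'ok'}")
```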
Mitigation
WAF can detect and defend against this vulnerability. The procedure is as follows:
- Buy WAF.
- Add the website domain name to WAF and resolve it to WAF. For details, see Connecting Your Website to WAF (Cloud Mode - CNAME Access).
- In the Basic Web Protection configuration area, set the protective action to Block. For details, see Configuring Basic Web Protection Rules.
Protection Verification
After the preceding configurations are complete, simulate a Fastjson DoS vulnerability exploit. Then, go to the WAF console, choose Events in the navigation pane on the left, and check whether the request has been blocked.