Remote Code Execution Vulnerability of Fastjson
On July 12, 2019, the Emergency Response Center detected that the open-source component Fastjson has a remote code execution vulnerability. This vulnerability is an extension of the Fastjson 1.2.24 deserialization vulnerability detected in 2017; an attacker can exploit it directly to gain control of the server, causing serious damage.
Affected Versions
Versions earlier than Fastjson 1.2.51
Mitigation Version
Fastjson 1.2.51 or later
Official Solution
Upgrade Fastjson to 1.2.51 or the latest 1.2.58 version.
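To check whether a build declares an affected Fastjson release, the following added example (not part of this page or of the Fastjson project) scans Maven dependency declarations and flags any version earlier than 1.2.51. The pom.xml fragment is constructed for the example, and version strings are assumed to start with dotted numeric components (any trailing suffix is ignored).

```python
import re
from typing import List, Tuple

# Threshold stated in the advisory: versions earlier than 1.2.51 are affected.
FIXED_VERSION = "1.2.51"

# Constructed sample pom.xml fragment (not from the advisory) with two declarations.
SAMPLE_POM = """
<dependencies>
  <dependency>
    <groupId>com.alibaba</groupId>
    <artifactId>fastjson</artifactId>
    <version>1.2.24</version>
  </dependency>
  <dependency>
    <groupId>com.alibaba</groupId>
    <artifactId>fastjson</artifactId>
    <version>1.2.58</version>
  </dependency>
</dependencies>
"""

def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '1.2.51' into (1, 2, 51). Components are compared numerically so that
    1.2.9 sorts before 1.2.51 (a plain string comparison would get this wrong).
    Assumption: a non-numeric suffix such as '.sec01' ends the numeric prefix."""
    parts = []
    for piece in version.strip().split("."):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    if not parts:
        raise ValueError(f"unparseable version: {version!r}")
    return tuple(parts)

def is_affected(version: str) -> bool:
    """True when the declared version is earlier than the fixed release 1.2.51."""
    return parse_version(version) < parse_version(FIXED_VERSION)

# Matches a Maven <dependency> block for com.alibaba:fastjson and captures its version.
FASTJSON_DEP = re.compile(
    r"<dependency>\s*<groupId>com\.alibaba</groupId>\s*"
    r"<artifactId>fastjson</artifactId>\s*<version>([^<]+)</version>"
)

def find_affected_versions(pom_text: str) -> List[str]:
    """Return every Fastjson version declared in the POM text that is affected."""
    return [v.strip() for v in FASTJSON_DEP.findall(pom_text) if is_affected(v)]

if __name__ == "__main__":
    for v in find_affected_versions(SAMPLE_POM):
        print(f"affected Fastjson version declared: {v} (upgrade to {FIXED_VERSION} or later)")
```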
Mitigation
The built-in protection rules of WAF can defend against this vulnerability. The procedure is as follows:
- Apply for a dedicated WAF instance.
- Add the website domain name to WAF and route website traffic to WAF.
  - Cloud mode: see Creating a Domain Name.
  - Dedicated mode: see Step 1: Add a Website to WAF (Dedicated Mode).
- Set the mode of Basic Web Protection to Block. For details, see Configuring Basic Protection Rules to Defend Against Common Web Attacks.