Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

upgrade fastjson to 1.2.70 #6255

Merged
merged 1 commit into from Jun 1, 2020
Merged

upgrade fastjson to 1.2.70 #6255

merged 1 commit into from Jun 1, 2020

Commits on Jun 1, 2020

  1. upgrade fastjson to 1.2.70 

    https://help.aliyun.com/noticelist/articleid/1060343604.html?spm=a2c4g.789004748.n2.6.3f576141SGmGhG

漏洞描述

fastjson采用黑白名单的方法来防御反序列化漏洞,导致当黑客不断发掘新的反序列化Gadgets类时,在autoType关闭的情况下仍然可能可以绕过黑白名单防御机制,造成远程命令执行漏洞。经研究,该漏洞利用门槛较低,可绕过autoType限制,风险影响较大。阿里云应急响应中心提醒fastjson用户尽快采取安全措施阻止漏洞攻击。

影响版本

fastjson <=1.2.68

fastjson sec版本 <= sec9

安全版本

fastjson >=1.2.69

fastjson sec版本 >= sec10
    @qixiaobo
    qixiaobo committed Jun 1, 2020
    Copy the full SHA
    2b88707 View commit details
    Browse the repository at this point in the history