
upgrade fastjson to 1.2.70 #6255

Merged

Conversation

qixiaobo (Contributor) commented Jun 1, 2020

https://help.aliyun.com/noticelist/articleid/1060343604.html?spm=a2c4g.789004748.n2.6.3f576141SGmGhG

Vulnerability description

fastjson uses a blacklist/whitelist approach to defend against deserialization vulnerabilities. As a result, as attackers keep discovering new deserialization gadget classes, the blacklist/whitelist defense can still be bypassed even with autoType disabled, leading to a remote command execution vulnerability. Research shows that the bar for exploiting this vulnerability is low, that it can bypass the autoType restriction, and that the risk impact is significant. The Alibaba Cloud Emergency Response Center advises fastjson users to take security measures as soon as possible to block attacks on this vulnerability.

Affected versions

fastjson <=1.2.68

fastjson sec versions <= sec9

Fixed versions

fastjson >=1.2.69

fastjson sec versions >= sec10

@codecov-commenter commented

Codecov Report

Merging #6255 into 2.6.x will decrease coverage by 0.05%.
The diff coverage is n/a.

Impacted file tree graph

```
@@             Coverage Diff              @@
##              2.6.x    #6255      +/-   ##
============================================
- Coverage     47.51%   47.46%   -0.06%     
+ Complexity     4615     4435     -180     
============================================
  Files           577      566      -11     
  Lines         26522    25227    -1295     
  Branches       4695     4467     -228     
============================================
- Hits          12602    11974     -628     
+ Misses        12002    11414     -588     
+ Partials       1918     1839      -79     
```
| Impacted Files | Coverage Δ | Complexity Δ |
|---|---|---|
| ...ba/dubbo/remoting/transport/netty/NettyClient.java | 72.88% <0.00%> (-8.48%) | 12.00% <0.00%> (-1.00%) |
| ...ubbo/rpc/protocol/dubbo/ChannelWrappedInvoker.java | 41.66% <0.00%> (-8.34%) | 3.00% <0.00%> (ø%) |
| ...onfig/spring/extension/SpringExtensionFactory.java | 75.67% <0.00%> (-8.11%) | 9.00% <0.00%> (ø%) |
| ...a/dubbo/remoting/transport/netty/NettyChannel.java | 61.25% <0.00%> (-5.00%) | 20.00% <0.00%> (-2.00%) |
| .../com/alibaba/dubbo/monitor/dubbo/DubboMonitor.java | 87.85% <0.00%> (-2.81%) | 15.00% <0.00%> (-1.00%) |
| ...om/alibaba/dubbo/config/spring/AnnotationBean.java | | |
| .../main/java/com/alibaba/dubbo/common/json/JSON.java | | |
| ...java/com/alibaba/dubbo/common/json/JSONObject.java | | |
| ...main/java/com/alibaba/dubbo/common/json/Yylex.java | | |
| ...java/com/alibaba/dubbo/common/json/J2oVisitor.java | | |
| ... and 6 more | | |

Continue to review full report at Codecov.

Legend: Δ = absolute <relative> (impact), ø = not affected, ? = missing data

Powered by Codecov. Last update 280d54c...2b88707.

@mercyblitz mercyblitz merged commit 59320a9 into apache:2.6.x Jun 1, 2020
Kvicii pushed a commit to Kvicii/dubbo that referenced this pull request Jun 6, 2020
* '2.6.x' of github.com:apache/dubbo:
  upgrade fastjson to 1.2.70 (apache#6255)