Struts2 is known in the industry as the king of vulnerabilities, and lately fastjson has been doing its best to keep up: one vulnerability after another has been disclosed, enough to scare old programmers like me away from using it. Pull yourself together, fastjson!
0x00 Vulnerability background
On September 5, 2019, fastjson commit 995845170527221ca0293cf290e33a7d6cb52bf7 was submitted to fix an OOM (out-of-memory) that can be triggered when a JSON string contains a `\x` escape.
360CERT rates the vulnerability as high risk with a wide impact: an attacker can crash the thread handling the request by sending a crafted payload, and enough such requests can take the service down outright.
Users are advised to check the components of their own services and products and confirm that fastjson has been upgraded to at least version 1.2.60.
0x01 Vulnerability details
The root cause is in com.alibaba.fastjson.parser.JSONLexerBase#scanString. When parsing a JSON string, fastjson reads it one character at a time; when it encounters a `\x` escape, it unconditionally reads the next two characters and combines them with `\x` into a complete two-digit hexadecimal escape:
When the JSON string ends right after `\x`, fastjson does no bounds check and still tries to read those two characters, so what it gets is `\u001A`, the lexer's end-of-input sentinel (EOI, called EOF below):
As fastjson keeps scanning, it reads EOF again and again and appends it to the string buffer each time, because the position index has already run past the end of the input and the lexer no longer recognises it as the end. It continues until an OOM error is triggered:
The final effect is ：
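To make the failure mode concrete, the following is a simplified model of the scanString loop described above, added here as an illustration and not taken from fastjson's own source. The position index `bp`, the `next()` read that returns the `\u001A` EOI sentinel once past the end of the input, and the end-of-input test are modelled on the lexer's conventions, but the exact control flow and the digit-table behaviour for non-hex characters are simplifying assumptions. A buffer cap stands in for heap exhaustion so the vulnerable path terminates:

```python
# Simplified model of fastjson's JSONLexerBase#scanString (illustration only,
# not fastjson's code). The `fixed` flag applies the kind of check the 1.2.60
# fix needs: reject a \x escape whose two operand characters run past the end.
EOI = "\u001a"        # fastjson's end-of-input sentinel character
BUF_CAP = 1 << 16     # stand-in for "until the heap is exhausted"

# Assumption: the lexer's hex digit table yields 0 for non-hex characters,
# so EOI operands silently decode instead of failing.
HEX_DIGITS = {c: int(c, 16) for c in "0123456789abcdefABCDEF"}


class OutOfMemoryModel(Exception):
    """Output buffer grew past BUF_CAP: models the real OOM."""


class UnclosedString(Exception):
    """String literal had no closing quote."""


class Lexer:
    def __init__(self, text, fixed):
        self.text = text
        self.fixed = fixed
        self.bp = 0            # index of the current character, like JSONLexerBase.bp
        self.out = []

    def next(self):
        # Like the lexer: advance, return the char, or EOI once past the end.
        self.bp += 1
        if self.bp >= len(self.text):
            return EOI
        return self.text[self.bp]

    def is_eof(self):
        # Only bp == len counts as end of input. Once \x has consumed two
        # phantom characters, bp has overshot len and this is never true again.
        return self.bp == len(self.text)

    def put(self, ch):
        self.out.append(ch)
        if len(self.out) > BUF_CAP:
            raise OutOfMemoryModel("buffer exhausted while appending EOI")

    def scan_string(self):
        # Precondition: text[0] is the opening quote.
        while True:
            ch = self.next()
            if ch == '"':
                return "".join(self.out)
            if ch == EOI:
                if not self.is_eof():
                    self.put(EOI)   # EOI treated as data: the runaway loop
                    continue
                raise UnclosedString("unclosed string")
            if ch == "\\":
                esc = self.next()
                if esc == "x":
                    x1 = self.next()
                    x2 = self.next()
                    if self.fixed and (x1 == EOI or x2 == EOI):
                        raise UnclosedString("\\x escape runs past end of input")
                    self.put(chr(HEX_DIGITS.get(x1, 0) * 16 + HEX_DIGITS.get(x2, 0)))
                elif esc in '"\\/':
                    self.put(esc)
                else:
                    raise ValueError("escape not modelled: \\" + esc)
                continue
            self.put(ch)


def outcome(text, fixed):
    """Run the model on one string literal and report what happened."""
    try:
        return "ok:" + Lexer(text, fixed).scan_string()
    except OutOfMemoryModel:
        return "oom"
    except UnclosedString:
        return "unclosed"


if __name__ == "__main__":
    for literal in ['"ab\\x41c"', '"ab', '"\\x']:   # constructed inputs
        print(repr(literal), "vulnerable:", outcome(literal, False),
              "fixed:", outcome(literal, True))
```

The three constructed inputs show the point: a well-formed `\x41` decodes to `A` on both variants, an ordinary unclosed string is rejected by both because `bp` stops exactly at `len`, and only the string that ends in `\x` sends the unfixed lexer into the EOI-appending loop.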
0x02 Impact version
fastjson < 1.2.60
0x03 Repair suggestions
1.1.15~1.1.31: upgrade to 1.1.31.sec07
1.1.32~1.1.33: upgrade to 1.1.33.sec06
1.1.34: upgrade to 1.1.34.sec06
1.1.35~1.1.46: upgrade to 1.1.46.sec06
1.2.3~1.2.7: upgrade to 1.2.7.sec06 or 1.2.8.sec04
1.2.8: upgrade to 1.2.8.sec06
1.2.9~1.2.29: upgrade to 1.2.29.sec06
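For the self-inspection recommended above, here is an added helper (not part of the advisory) that locates fastjson jars under a directory by filename and classifies each version against the thresholds on this page: mainline releases are patched from 1.2.60, and `.secNN` hotfix releases are compared against the targets in the table above. The sec targets are taken from the table as written, with the lower of the two listed 1.2.8 targets used; treating sec numbers as ordered within a base version, and matching jars by the `fastjson-<version>.jar` naming pattern, are assumptions:

```python
import re
from pathlib import Path

# Mainline fix threshold from the advisory.
FIXED_MAINLINE = (1, 2, 60)

# Hotfix branches from the repair table: base version -> minimum sec number.
# 1.2.8 is listed both as .sec04 and .sec06; the lower number is used here
# (assumption about how the sec branches are ordered).
SEC_TARGETS = {
    (1, 1, 31): 7,
    (1, 1, 33): 6,
    (1, 1, 34): 6,
    (1, 1, 46): 6,
    (1, 2, 7): 6,
    (1, 2, 8): 4,
    (1, 2, 29): 6,
}

VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:\.sec(\d+))?$")
JAR_RE = re.compile(r"^fastjson-(.+)\.jar$")   # assumed jar naming pattern


def parse_version(version):
    """Split '1.2.8.sec04' into ((1, 2, 8), 4) and '1.2.60' into ((1, 2, 60), None)."""
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError("unrecognised fastjson version: %r" % version)
    major, minor, patch, sec = m.groups()
    return (int(major), int(minor), int(patch)), (int(sec) if sec else None)


def classify(version):
    """Return 'patched', 'vulnerable' or 'unknown-sec-branch' for one version string."""
    base, sec = parse_version(version)
    if sec is None:
        return "patched" if base >= FIXED_MAINLINE else "vulnerable"
    needed = SEC_TARGETS.get(base)
    if needed is None:
        # A sec branch the advisory does not list: needs a manual check.
        return "unknown-sec-branch"
    return "patched" if sec >= needed else "vulnerable"


def scan_jars(root):
    """Walk `root` for fastjson-*.jar files and classify each by its filename version."""
    results = {}
    for path in Path(root).rglob("fastjson-*.jar"):
        m = JAR_RE.match(path.name)
        if not m:
            continue
        try:
            results[str(path)] = classify(m.group(1))
        except ValueError:
            results[str(path)] = "unparsed"
    return results


if __name__ == "__main__":
    import sys
    for jar, verdict in sorted(scan_jars(sys.argv[1] if len(sys.argv) > 1 else ".").items()):
        print(verdict.ljust(20), jar)
```

Run it against a deployment directory (WEB-INF/lib, a Maven or Gradle cache) and treat every `vulnerable`, `unknown-sec-branch` or `unparsed` line as something to check by hand; shaded or renamed jars will not be found by filename and need a manifest or pom inspection instead.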
2019-09-03 fastjson submits the patch commit
2019-09-05 360CERT issues an early warning
2019-09-07 Weekend overtime to upgrade!
PS: jackson has also put out several releases recently to fix vulnerabilities.