Struts2 is known in the industry as the king of vulnerabilities, and fastjson has recently refused to be outdone: one vulnerability after another has been disclosed. It scares old programmers like me out of daring to use it! When it comes to attracting attention, fastjson yields to nobody.

0x00 Vulnerability background

On 5 September 2019, fastjson submitted commit 995845170527221ca0293cf290e33a7d6cb52bf7, which fixes an OOM (out-of-memory error) that can be triggered when a string contains a \x escape character.

360CERT assesses the vulnerability as dangerous, with a wide area of impact. An attacker can crash the current parsing thread with a single crafted request, and enough malicious requests can take the service down outright. Note that an OutOfMemoryError exhausts the heap of the whole JVM, not just the thread that was parsing, so even one request can destabilise every other request the process is serving.

Users are advised to inspect their own business systems and product components and confirm that fastjson has been upgraded to at least version 1.2.60.

0x01 Vulnerability details

The crux of the vulnerability is com.alibaba.fastjson.parser.JSONLexerBase#scanString. When parsing a JSON string, fastjson reads the string one character at a time; when it recognises an escape beginning with \x, it unconditionally reads the following two characters and combines them with the \x into a complete hexadecimal escape, i.e. the two hex digits are decoded into one character.

When the JSON string ends with \x, fastjson does not check that two characters remain, so it still tries to read the next two characters. Past the end of the input, next() returns \u001A, the EOI (end-of-input) sentinel that fastjson uses as its EOF marker.

When fastjson then continues parsing, it keeps receiving EOI, writes it into the string buffer each time, and never terminates, until an OOM error is triggered.

The final effect is an OutOfMemoryError thrown while the lexer is still inside scanString.
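To make the three steps above concrete, here is an added example written for this page; it is a model, not fastjson's source. It is a cut-down scanString loop that reproduces the behaviour described, with the unchecked \x handling next to a hardened variant that validates both hex digits before using them (the check the fix needs; the exact form of the upstream patch is not shown on this page). The EOI value 0x1A is fastjson's; the class name, the isEOF rule as modelled, the MAX_BUFFER cap and the sample inputs are assumptions made for the illustration.

```java
/**
 * Added example, not fastjson's source: a cut-down model of the scanString
 * loop described above. EOI (0x1A) is fastjson's end-of-input value; the
 * class name, the isEOF rule and MAX_BUFFER are assumptions for this model.
 */
public final class ScanStringModel {

    /** End-of-input sentinel returned by next() once the index runs past the text. */
    static final char EOI = 0x1A;

    /** Cap on the decoded buffer so the unchecked path fails fast instead of exhausting the heap. */
    static final int MAX_BUFFER = 1 << 16;

    private final char[] text;
    private final boolean hardened;
    private int bp = 0;   // index of the opening quote, where scanString starts
    private char ch;

    private ScanStringModel(String json, boolean hardened) {
        this.text = json.toCharArray();
        this.hardened = hardened;
    }

    /** Advance one character; past the end every call returns EOI and bp keeps growing. */
    private char next() {
        int index = ++bp;
        return ch = (index >= text.length ? EOI : text[index]);
    }

    /**
     * End-of-input test as the advisory describes it: only bp sitting exactly
     * at the end counts, so a bp that has already run past the end (after a
     * trailing \x consumed two EOIs) is not reported as EOF.
     */
    private boolean isEOF() {
        return bp == text.length || (ch == EOI && bp + 1 == text.length);
    }

    private static boolean isHex(char c) {
        return (c >= '0' && c <= '9') || (c >= 'a' && c <= 'f') || (c >= 'A' && c <= 'F');
    }

    /** Decode one string literal starting at the opening quote. */
    String scanString() {
        StringBuilder sb = new StringBuilder();
        for (;;) {
            char c = next();
            if (c == '"') {
                return sb.toString();
            }
            if (c == EOI) {
                if (!isEOF()) {
                    // Unchecked path: EOI is stored as data and the loop never ends.
                    sb.append(EOI);
                    if (sb.length() > MAX_BUFFER) {
                        throw new IllegalStateException("buffer passed " + MAX_BUFFER
                            + " chars; the real lexer keeps growing until OutOfMemoryError");
                    }
                    continue;
                }
                throw new IllegalStateException("unclosed string");
            }
            if (c == '\\') {
                char esc = next();
                if (esc == 'x') {
                    char x1 = next();   // read unconditionally, even past the end
                    char x2 = next();
                    if (hardened && !(isHex(x1) && isHex(x2))) {
                        // Hardened path: reject before the bad digits are used.
                        throw new IllegalArgumentException("invalid escape character \\x");
                    }
                    sb.append((char) (Character.digit(x1, 16) * 16 + Character.digit(x2, 16)));
                    continue;
                }
                sb.append(esc);   // other escapes kept literally; enough for this model
                continue;
            }
            sb.append(c);
        }
    }

    static String scan(String json, boolean hardened) {
        return new ScanStringModel(json, hardened).scanString();
    }

    public static void main(String[] args) {
        // Constructed inputs: a valid \x escape, a plain unclosed string, and the
        // advisory's trigger, a string that ends right after \x.
        String[] inputs = { "\"\\x41\"", "\"abc", "\"\\x" };
        for (boolean hardened : new boolean[] { false, true }) {
            for (String in : inputs) {
                String outcome;
                try {
                    outcome = "ok -> " + scan(in, hardened);
                } catch (RuntimeException e) {
                    outcome = e.getClass().getSimpleName() + ": " + e.getMessage();
                }
                System.out.println((hardened ? "hardened  " : "unchecked ") + in + "  " + outcome);
            }
        }
    }
}
```

Compile and run with `javac ScanStringModel.java && java ScanStringModel`. The valid escape decodes to "A" and the plain unclosed string is rejected with "unclosed string" in both modes. For the trailing \x, the unchecked run ends in the buffer-cap exception that stands in for the real OOM, because isEOF never becomes true once bp has overshot the input, while the hardened run rejects the input immediately with the invalid-escape error before the loop can resume.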

0x02 Impact version

fastjson versions earlier than 1.2.60

0x03 Repair suggestions

* 1.1.15 ~ 1.1.31: upgrade to 1.1.31.sec07
* 1.1.32 ~ 1.1.33: upgrade to 1.1.33.sec06
* 1.1.34: upgrade to 1.1.34.sec06
* 1.1.35 ~ 1.1.46: upgrade to 1.1.46.sec06
* 1.2.3 ~ 1.2.7: upgrade to 1.2.7.sec06 or 1.2.8.sec04
* 1.2.8: upgrade to 1.2.8.sec06
* 1.2.9 ~ 1.2.29: upgrade to 1.2.29.sec06
* 1.2.30 ~ 1.2.59: upgrade to 1.2.60, the fixed mainline release

0x04 Timeline

2019-09-03 fastjson submits the fix commit

2019-09-05 360CERT issues an advisory

2019-09-07 Weekend overtime to upgrade!

PS: jackson has also released several versions recently to fix vulnerabilities.
