Preface

On March 19, 2020, Fastjson released version 1.2.67 under the title “Bug fix security Hardening Add-on”. This is yet another bug-fix security hardening release that extends the autoType blacklist.

What is the autoType security blacklist?

In March 2020, Fastjson disclosed a major remote code execution vulnerability. Once an attacker can run code on the server, every other security control is in question. Two measures were taken to address this vulnerability:

  • autoType is disabled by default
  • If autoType is enabled, a class blacklist blocks deserialization of known dangerous classes.

However, it turned out that even with the blacklist enabled, it could be bypassed by naming a class the list did not yet cover, and remote code execution was again possible. In response, Fastjson has been extending the autoType blacklist release after release.
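As an added defender-side example (not code from this post or from the Fastjson project), the following Java snippet shows the safe configuration the two measures above imply: keep autoType off, allow only an explicit package prefix when a class name genuinely must appear in JSON, and confirm that a document naming any other class is rejected. `OrderDto`, the `com.example.dto.` prefix and the two input documents are constructed for the example.

```java
import com.alibaba.fastjson.JSON;
import com.alibaba.fastjson.JSONException;
import com.alibaba.fastjson.parser.ParserConfig;

public class AutoTypeHardening {

    // Hypothetical DTO: the only shape this endpoint is expected to receive.
    public static class OrderDto {
        public String orderId;
        public int quantity;
    }

    // Always bind to a concrete target class; never parse untrusted input as
    // a bare Object, which is where "@type" would otherwise pick the class.
    static OrderDto parseOrder(String json) {
        return JSON.parseObject(json, OrderDto.class);
    }

    public static void main(String[] args) {
        ParserConfig config = ParserConfig.getGlobalInstance();

        // autoType is already off by default; setting it explicitly documents
        // the intent and protects against a stray setAutoTypeSupport(true).
        config.setAutoTypeSupport(false);

        // If some class really must be named in JSON, accept it by prefix
        // (constructed example prefix) rather than re-enabling autoType.
        config.addAccept("com.example.dto.");

        // Constructed inputs: a normal order, and one that names a class
        // outside the accepted prefix via "@type".
        String benign = "{\"orderId\":\"A-1\",\"quantity\":2}";
        String typed  = "{\"@type\":\"com.example.NotAllowed\",\"orderId\":\"A-1\"}";

        OrderDto ok = parseOrder(benign);
        System.out.println("parsed order " + ok.orderId + " x" + ok.quantity);

        try {
            parseOrder(typed);
            System.out.println("UNEXPECTED: @type was accepted, review ParserConfig");
        } catch (JSONException e) {
            // With autoType off, the parser refuses class names outside the
            // accept list instead of loading them.
            System.out.println("rejected as expected: " + e.getMessage());
        }
    }
}
```

The rejection message is worth logging and alerting on: a `@type` key in traffic to an endpoint that never legitimately sends one is a cheap detection signal.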

The rest of the release history can be found at github.com/alibaba/fas…

So far, the autoType blacklist is still not complete. Recently, some classes have still not been added to the blacklist:

If you find new classes that need to be blacklisted, you can also open an issue with the project maintainers.

So, has your company been caught by it again? Report it to your security engineer!
