High-Severity RCE Vulnerability Reported in Popular Fastjson Library
2022-06-16 06:39

Cybersecurity researchers have detailed a recently patched high-severity security vulnerability in the popular Fastjson library that could be potentially exploited to achieve remote code execution.

"This vulnerability affects all Java applications that rely on Fastjson versions 1.2.80 or earlier and that pass user-controlled data to either the JSON.parse or JSON.parseObject APIs without specifying a specific class to deserialize," JFrog's Uriya Yavnieli said in a write-up.

Fastjson is a Java library that's used to convert Java Objects into their JSON representation and vice versa.

While the project owners previously introduced a safeMode that disables AutoType and started maintaining a blocklist of classes to defend against deserialization flaws, the newly discovered flaw gets around the latter of these restrictions to result in remote code execution.

Users of Fastjson are recommended to update to version 1.2.83 or enable safeMode, which turns off AutoType regardless of the allowlist and blocklist in use, effectively closing variants of the deserialization attack.
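The following is an added example (not code from the article or from the Fastjson project) showing the call pattern the article flags, parsing untrusted input with no target class, next to the two mitigations it names: passing an explicit class to JSON.parseObject, and enabling safeMode so that AutoType is off no matter what the allowlist or blocklist contains. It assumes Fastjson 1.2.x on the classpath; the UserProfile class and the sample JSON are constructed for illustration.

```java
// Added example, not from the article or the Fastjson project.
// Assumes a Fastjson 1.2.x dependency. UserProfile is a hypothetical
// application type; the JSON document is constructed sample input.
import com.alibaba.fastjson.JSON;
import com.alibaba.fastjson.parser.ParserConfig;

public class FastjsonHardening {

    // Hypothetical application type used only for illustration.
    public static class UserProfile {
        private String name;
        private int age;
        public String getName() { return name; }
        public void setName(String name) { this.name = name; }
        public int getAge() { return age; }
        public void setAge(int age) { this.age = age; }
    }

    // Risky pattern described in the article: no target class is given, so the
    // parser lets the document itself decide which type to instantiate (AutoType).
    static Object parseUntyped(String untrustedJson) {
        return JSON.parse(untrustedJson);
    }

    // Mitigation 1: name the expected class so the input cannot select the type.
    static UserProfile parseTyped(String untrustedJson) {
        return JSON.parseObject(untrustedJson, UserProfile.class);
    }

    // Mitigation 2 (the stronger one): enable safeMode globally, which disables
    // AutoType regardless of any allowlist or blocklist. Call once at startup.
    // The equivalent JVM flag is -Dfastjson.parser.safeMode=true.
    static void enableSafeMode() {
        ParserConfig.getGlobalInstance().setSafeMode(true);
    }

    public static void main(String[] args) {
        enableSafeMode();
        // Constructed sample input: an ordinary document with no type hint.
        String json = "{\"name\":\"alice\",\"age\":30}";
        UserProfile profile = parseTyped(json);
        System.out.println(profile.getName() + " " + profile.getAge());
    }
}
```

Using the typed overload removes the parser's freedom to pick a class from the document; safeMode removes AutoType entirely, which is why the article recommends it as the setting that holds even when the allowlist and blocklist are bypassed. Both can be applied alongside the upgrade to 1.2.83 rather than instead of it.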

"Although a public PoC exploit exists and the potential impact is very high, the conditions for the attack are not trivial and, most importantly, target-specific research is required to find a suitable gadget class to exploit," Yavnieli said.


News URL

https://thehackernews.com/2022/06/high-severity-rce-vulnerability.html