fastjson < 1.2.51 remote code execution vulnerability, please update otter #801

Closed
elefaint opened this issue Aug 7, 2019 · 0 comments

Comments

elefaint (Contributor) commented Aug 7, 2019

Emergency vulnerability notice (10 months ago): fastjson < 1.2.51 remote code execution vulnerability (closed)
Recently, the Alibaba Cloud Security Emergency Response Center observed that a remote code execution vulnerability was disclosed in fastjson; it can lead directly to obtaining control of the server. The vendor has published an announcement. Affected versions are < 1.2.51; users who depend on fastjson should upgrade to a safe version as soon as possible.
Vulnerability details: https://help.aliyun.com/noticelist/articleid/1060026793.html
CVE: (none listed)
Disclosure time: 2018-10-01 00:00:18
CVSS: (none listed)
Severity: High
Vulnerability type: Remote code execution
Details:
fastjson versions < 1.2.51 contain a code execution vulnerability. When a user submits carefully crafted malicious serialized data to the server side, the flaw in fastjson's deserialization can lead to remote execution of arbitrary code. The Alibaba Cloud Security Emergency Response Center reminds fastjson users to take security measures as soon as possible to block attacks on this vulnerability.
Remediation:
Upgrade the fastjson component as directed in the official vulnerability announcement: https://github.com/alibaba/fastjson/wiki/update_faq_20190722

Note:
The fastjson vulnerability detection rule works by determining whether a vulnerable version of the fastjson component is present among the jar packages on the running machine; it cannot precisely confirm the effective attack surface. Whether a system is actually affected must be judged by the user according to their own business.
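
The note above says the detection rule only checks whether a vulnerable fastjson version sits among the jars on the host. The script below is an added example, not part of this issue and not code from the otter or fastjson projects; it reimplements that jar-version check so a practitioner can run it against a lib/ directory. It assumes Maven-built jars carry the standard `META-INF/maven/com.alibaba/fastjson/pom.properties` entry and falls back to the file name (`fastjson-<version>.jar`); a shaded jar that bundles `com/alibaba/fastjson/JSON.class` without version metadata is reported as `unknown`, which is precisely the "cannot confirm the attack surface" caveat in the advisory. `FIXED_VERSION` is the 1.2.51 threshold from this page; later fastjson advisories raised the minimum, so set it from the advisory current at the time you run it. The sample jars, including the `.sec10`-suffixed one, are constructed in a temp directory and are not real artifacts.

```python
"""Added example: flag fastjson jars below the advisory's fixed version.

Walks a lib directory, reads each jar's Maven pom.properties (or falls back
to the file name), and reports versions older than FIXED_VERSION. Sample
jars are constructed in a temp directory so the script runs offline.
"""
import os
import tempfile
import zipfile
from pathlib import Path

FIXED_VERSION = "1.2.51"  # threshold stated on this page; raise it per the current advisory
POM_PROPS = "META-INF/maven/com.alibaba/fastjson/pom.properties"  # standard Maven layout
MARKER_CLASS = "com/alibaba/fastjson/JSON.class"  # present in any jar bundling fastjson


def parse_version(version):
    """'1.2.51' -> (1, 2, 51); a non-numeric piece such as 'sec10' counts as 0."""
    parts = []
    for piece in version.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def is_vulnerable(version, fixed=FIXED_VERSION):
    """True when the version sorts strictly below the fixed version."""
    return parse_version(version) < parse_version(fixed)


def fastjson_version(jar_path):
    """Return (bundles_fastjson, version_or_None) for one jar."""
    with zipfile.ZipFile(jar_path) as zf:
        names = set(zf.namelist())
        if POM_PROPS in names:
            for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    return True, line.split("=", 1)[1].strip()
        bundles = MARKER_CLASS in names
    stem = Path(jar_path).stem  # e.g. 'fastjson-1.2.47'
    if stem.startswith("fastjson-"):
        return True, stem[len("fastjson-"):]
    return bundles, None


def scan_jars(directory, fixed=FIXED_VERSION):
    """Map jar name -> 'vulnerable' | 'ok' | 'unknown' for every jar carrying fastjson."""
    findings = {}
    for name in sorted(os.listdir(directory)):
        if not name.endswith(".jar"):
            continue
        bundles, version = fastjson_version(os.path.join(directory, name))
        if not bundles:
            continue  # jar has nothing to do with fastjson
        if version is None:
            findings[name] = "unknown"  # shaded/fat jar: version must be checked by hand
        else:
            findings[name] = "vulnerable" if is_vulnerable(version, fixed) else "ok"
    return findings


def make_sample_jar(directory, name, entries):
    """Constructed sample: write a minimal jar (a zip) from an entry -> text map."""
    path = os.path.join(directory, name)
    with zipfile.ZipFile(path, "w") as zf:
        for entry, text in entries.items():
            zf.writestr(entry, text)
    return path


def demo():
    """Build a constructed lib/ directory, scan it, and return the findings."""
    libdir = tempfile.mkdtemp(prefix="lib-")
    make_sample_jar(libdir, "fastjson-1.2.47.jar",
                    {POM_PROPS: "version=1.2.47\ngroupId=com.alibaba\n", MARKER_CLASS: ""})
    make_sample_jar(libdir, "fastjson-1.2.58.jar",
                    {POM_PROPS: "version=1.2.58\n", MARKER_CLASS: ""})
    make_sample_jar(libdir, "fastjson-1.2.51.sec10.jar",  # constructed: suffixed build, no pom
                    {MARKER_CLASS: ""})
    make_sample_jar(libdir, "app-all.jar",                # constructed: shaded jar bundling fastjson
                    {MARKER_CLASS: "", "com/example/Main.class": ""})
    make_sample_jar(libdir, "guava-28.0-jre.jar",         # constructed: unrelated library
                    {"com/google/common/base/Strings.class": ""})
    findings = scan_jars(libdir)
    for jar, status in findings.items():
        print(f"{status:10s} {jar}")
    return findings


if __name__ == "__main__":
    demo()
```

For a Maven build such as otter's, the same question can be asked of the dependency graph before deploying with `mvn dependency:tree -Dincludes=com.alibaba:fastjson`, which also surfaces transitive copies. Either way the check is a version inventory, not proof of exploitability: a host reported `ok` here still needs its autoType configuration reviewed, and an `unknown` shaded jar needs its bundled fastjson version read out of the class files or build metadata.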

agapple added a commit that referenced this issue Aug 28, 2019
@agapple agapple closed this as completed Aug 28, 2019