
How to Resolve the Fastjson Remote Denial-of-Service Vulnerability

2025-01-31 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)05/31 Report--

This article analyzes the Fastjson remote denial-of-service vulnerability: what it is, which versions are affected, and how to fix it.

I. Preface

Fastjson is Alibaba's open-source JSON parsing library. It parses JSON-formatted strings, serializes JavaBeans into JSON strings, and deserializes JSON strings back into JavaBeans.

II. Brief introduction to the vulnerability

Fastjson versions below 1.2.60 have a string parsing exception.

III. Impact of the vulnerability

Analysis by the Douxiang Security Emergency Response Team found a remote denial-of-service vulnerability in several versions of Fastjson. Versions below 1.2.60 have a string parsing exception that can lead to a remote denial-of-service attack: an attacker can send a specially crafted request packet to a server that uses Fastjson and cause the server to go down.

IV. Affected scope

Product: Fastjson

Version: Below version 1.2.60

Module: Fastjson

V. Reproducing the vulnerability

Local testing found that this vulnerability could lead to server CPU/RAM overload and server downtime.

VI. Remediation

1. Upgrade Fastjson to version 1.2.60

2. It is recommended to use Jackson or Gson whenever possible.
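
To verify the upgrade step, the following added example (not part of the original article or of the Fastjson project) checks a Maven pom.xml for a com.alibaba:fastjson dependency below 1.2.60. The sample POM and the function names are constructed for illustration, and the check assumes the version is declared in the same POM, directly or through a property.

```python
import re
import xml.etree.ElementTree as ET

FIXED = (1, 2, 60)  # upgrade target named in the remediation step above

# Constructed sample pom.xml for illustration; not taken from a real project.
SAMPLE_POM = """<?xml version="1.0"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties><fastjson.version>1.2.58</fastjson.version></properties>
  <dependencies>
    <dependency>
      <groupId>com.alibaba</groupId><artifactId>fastjson</artifactId>
      <version>${fastjson.version}</version>
    </dependency>
  </dependencies>
</project>"""

def is_affected(version):
    """True if below 1.2.60, False if not, None if the version is unresolvable."""
    m = re.match(r"\d+(?:\.\d+)*", version.strip())
    if not m:  # e.g. an unresolved ${property} or a version range
        return None
    # Compare numerically: "1.2.9" is older than "1.2.60" despite string order.
    return tuple(int(p) for p in m.group().split(".")) < FIXED

def local(tag):
    """Strip the XML namespace from a tag name."""
    return tag.rsplit("}", 1)[-1]

def find_fastjson(pom_xml):
    """Return [(resolved_version, affected)] for each fastjson dependency."""
    root = ET.fromstring(pom_xml)
    props = {}
    for el in root.iter():
        if local(el.tag) == "properties":
            props.update({local(p.tag): (p.text or "").strip() for p in el})
    findings = []
    for dep in root.iter():
        if local(dep.tag) != "dependency":
            continue
        f = {local(c.tag): (c.text or "").strip() for c in dep}
        if (f.get("groupId"), f.get("artifactId")) == ("com.alibaba", "fastjson"):
            ver = re.sub(r"\$\{([^}]+)\}",
                         lambda m: props.get(m.group(1), m.group(0)),
                         f.get("version", ""))
            findings.append((ver, is_affected(ver)))
    return findings

if __name__ == "__main__":
    for ver, affected in find_fastjson(SAMPLE_POM):
        print(f"com.alibaba:fastjson {ver!r}: affected={affected}")
```

A result of None means the version could not be resolved from this file (for example, it is managed in a parent POM) and should be checked by hand.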

That concludes this analysis of the Fastjson remote denial-of-service vulnerability. If you have run into similar questions, the analysis above should help.
