
A new version of FastJson has been released that patches a vulnerability allowing malicious actors to abuse the “AutoTypeCheck” mechanism and achieve remote code execution in FastJson. All Java applications that pass user-controlled data to either the JSON.parse or JSON.parseObject API without specifying a concrete class to deserialize into are affected.

What is the threat?

The new version of FastJson addresses CVE-2022-25845, which allows remote code execution under specific conditions. If the deserialized JSON is user-controlled, parsing it with AutoType enabled lets a malicious actor instantiate any class available on the classpath and feed its constructor arbitrary arguments. However, even with AutoType disabled, FastJson will still deserialize an arbitrary class if that class extends Throwable.

Why is it noteworthy?

A public proof-of-concept exploit exists, and the potential impact is very high wherever untrusted input is passed to the vulnerable APIs. The full set of Java gadget classes usable with this vulnerability has not been explored. That said, a malicious actor would first need to find a suitable gadget class, loaded on the classpath, that extends Throwable and exposes something the actor can take advantage of.

What is the exposure or risk?

Given the vast number of gadgets in Java libraries and the extensive research required, security researchers have concluded that exploitation is unlikely, because a very specific gadget class must be used. That said, NIST gave this a score of 9.8 (Critical), since undiscovered gadget classes could still let malicious actors gain privileges, run arbitrary code, or exfiltrate sensitive information.

What are the recommendations?

Barracuda MSP recommends the following actions to remediate and mitigate the FastJson vulnerability:

  • Remediate by updating to the latest version, 1.2.83.
  • Mitigate by enabling “Safe Mode” in one of the following ways:
    Code – ParserConfig.getGlobalInstance().setSafeMode(true);
    JVM startup parameter – -Dfastjson.parser.safeMode=true
    FastJson properties file – fastjson.parser.safeMode=true
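The following is an added example, not code from the advisory or from the FastJson project, showing both mitigations together: Safe Mode is switched on once at startup, and untrusted input is only ever parsed into a fixed application class rather than through the untyped JSON.parse path. It assumes fastjson 1.2.83 is on the classpath (for example the Maven coordinate com.alibaba:fastjson:1.2.83); the LoginRequest class and the sample JSON strings are constructed for the example.

```java
import com.alibaba.fastjson.JSON;
import com.alibaba.fastjson.JSONException;
import com.alibaba.fastjson.parser.ParserConfig;

// Added example (not from the advisory or FastJson). Assumes fastjson 1.2.83.
public class SafeModeDemo {

    // Hypothetical DTO standing in for an application's own request type.
    public static class LoginRequest {
        private String username;
        private String clientId;
        public String getUsername() { return username; }
        public void setUsername(String username) { this.username = username; }
        public String getClientId() { return clientId; }
        public void setClientId(String clientId) { this.clientId = clientId; }
    }

    // Enable Safe Mode once at startup. This is the programmatic equivalent of
    // the JVM flag -Dfastjson.parser.safeMode=true recommended above; it makes
    // fastjson refuse any "@type" key, so it never chooses a class from input.
    static void hardenParser() {
        ParserConfig.getGlobalInstance().setSafeMode(true);
    }

    // Hardened parse: always deserialize into a concrete, application-chosen
    // class instead of calling JSON.parse / parseObject without a target type.
    static LoginRequest parseLogin(String untrustedJson) {
        return JSON.parseObject(untrustedJson, LoginRequest.class);
    }

    // Returns true if fastjson refused the input because Safe Mode blocked an
    // "@type" directive; useful as a regression check after rolling out the flag.
    static boolean rejectedBySafeMode(String untrustedJson) {
        try {
            JSON.parse(untrustedJson);   // the untyped API the advisory warns about
            return false;
        } catch (JSONException e) {
            return e.getMessage() != null && e.getMessage().contains("safeMode");
        }
    }

    public static void main(String[] args) {
        hardenParser();

        // Constructed benign input: plain fields, no type directive.
        String benign = "{\"username\":\"alice\",\"clientId\":\"web\"}";
        LoginRequest req = parseLogin(benign);
        System.out.println("parsed user: " + req.getUsername());

        // Constructed input carrying an "@type" key, which asks fastjson to pick
        // the class itself. A harmless JDK collection is used here; Safe Mode
        // rejects the key regardless of which class name it carries.
        String typed = "{\"@type\":\"java.util.HashMap\",\"username\":\"alice\"}";
        System.out.println("rejected by Safe Mode: " + rejectedBySafeMode(typed));
    }
}
```

Expected behaviour with fastjson 1.2.83: the benign document parses into LoginRequest normally, while the document containing "@type" raises a JSONException whose message mentions safeMode, so rejectedBySafeMode returns true. Deploying the JVM flag or properties-file setting instead of the setSafeMode call gives the same result without a code change, which is the practical route for applications that cannot be rebuilt immediately.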

References

For more in-depth information about the recommendations, please visit the following links:

If you have any questions, please contact our Security Operations Center.



Posted by Morgan Pratt

Morgan Pratt is a Content Marketing Associate at Barracuda MSP. In her role, Morgan creates and shares education and enablement materials built with today's MSPs in mind. She recently became the primary copyeditor on SmarterMSP.com and enjoys working with our growing roster of contributing writers as well as MSPs themselves. Morgan has significant experience managing social media accounts for SMB clients as well as developing marketing campaigns and content.
