FastJson versions vulnerable to deserialization

A new version of FastJson has been released and has patched a vulnerability which allows malicious actors to utilize “AutoTypeCheck” mechanism and achieve remote code execution in FastJson. All Java applications that pass user-controlled data to either the JSON.parse or JSON.parseObject APIs without specifying a specific class to deserialize, are affected.

Technical Detail and Additional Info

What Is The Threat?

The new version of FastJson addresses the vulnerability CVE-2022-25845, which allows remote code execution under specific conditions. If the deserialized JSON is user-controlled, parsing it with AutoType enabled can lead to malicious actors instantiating any class that’s available on the Classpath, and feed its constructor with arbitrary arguments. However, FastJson will deserialize arbitrary classes if the target class extends the throwable class.

Why Is It Noteworthy?

A public proof of concept exploit exists, and the potential impact is very high due to passing untrusted input to specific vulnerable APIs. Totality of the Java gadget classes that can utilize this vulnerability have not been explored. With that being said, the malicious actors need to research finding a suitable gadget (loaded in the Classpath), that extends throwable and would contain relevant information that a malicious actor can utilize.

What Is The Exposure Or Risk?

Due to the vast number of gadgets in Java libraries and the extensive research that must be done, security researchers have concluded that this is unlikely due to the very specific gadget class that must be utilized. With that being said, the NIST gave this a score of 9.8 Critical since there still is a potential for undiscovered gadget classes that the malicious actors can utilize to gain privileges, run arbitrary code, or download sensitive information.

What Are The Recommendations? 

happier IT recommends the following actions to remediate and mitigate FastJson vulnerability:

• Remediate by updating to the latest version 1.2.83

• Mitigate by enabling “Safe Mode”.

Code – ParserConfig.getGlobalInstance().setSafeMode(true);
JVM startup parameters – -Dfastjson.parser.safeMode=true
Fastjson’s properties file – fastjson.parser.safeMode=true

References

For more in-depth information about the recommendations, please visit the following links: 

• https://jfrog.com/blog/cve-2022-25845-analyzing-the-fastjson-auto-type-bypass-rce-vulnerability

• https://nvd.nist.gov/vuln/detail/CVE-2022-25845

• https://thehackernews.com/2022/06/high-severity-rce-vulnerability.html

• https://securityaffairs.co/wordpress/132333/security/fastjson-library-rce.html