Skip to content

upgrade fastjson to 1.2.70#6255

Merged
mercyblitz merged 1 commit into
apache:2.6.xfrom
qixiaobo:upgrate-fastjson-1.2.70-for-2.6.x
Jun 1, 2020
Merged

upgrade fastjson to 1.2.70#6255
mercyblitz merged 1 commit into
apache:2.6.xfrom
qixiaobo:upgrate-fastjson-1.2.70-for-2.6.x

Conversation

@qixiaobo
Copy link
Copy Markdown
Contributor

@qixiaobo qixiaobo commented Jun 1, 2020

https://help.aliyun.com/noticelist/articleid/1060343604.html?spm=a2c4g.789004748.n2.6.3f576141SGmGhG

漏洞描述

fastjson采用黑白名单的方法来防御反序列化漏洞,导致当黑客不断发掘新的反序列化Gadgets类时,在autoType关闭的情况下仍然可能可以绕过黑白名单防御机制,造成远程命令执行漏洞。经研究,该漏洞利用门槛较低,可绕过autoType限制,风险影响较大。阿里云应急响应中心提醒fastjson用户尽快采取安全措施阻止漏洞攻击。

影响版本

fastjson <=1.2.68

fastjson sec版本 <= sec9

安全版本

fastjson >=1.2.69

fastjson sec版本 >= sec10

@qixiaobo
upgrade fastjson to 1.2.70
2b88707 
https://help.aliyun.com/noticelist/articleid/1060343604.html?spm=a2c4g.789004748.n2.6.3f576141SGmGhG

漏洞描述

fastjson采用黑白名单的方法来防御反序列化漏洞,导致当黑客不断发掘新的反序列化Gadgets类时,在autoType关闭的情况下仍然可能可以绕过黑白名单防御机制,造成远程命令执行漏洞。经研究,该漏洞利用门槛较低,可绕过autoType限制,风险影响较大。阿里云应急响应中心提醒fastjson用户尽快采取安全措施阻止漏洞攻击。

影响版本

fastjson <=1.2.68

fastjson sec版本 <= sec9

安全版本

fastjson >=1.2.69

fastjson sec版本 >= sec10
@codecov-commenter
Copy link
Copy Markdown

codecov-commenter commented Jun 1, 2020

Codecov Report

Merging #6255 into 2.6.x will decrease coverage by 0.05%.
The diff coverage is n/a.

Impacted file tree graph

@@             Coverage Diff              @@
##              2.6.x    #6255      +/-   ##
============================================
- Coverage     47.51%   47.46%   -0.06%     
+ Complexity     4615     4435     -180     
============================================
  Files           577      566      -11     
  Lines         26522    25227    -1295     
  Branches       4695     4467     -228     
============================================
- Hits          12602    11974     -628     
+ Misses        12002    11414     -588     
+ Partials       1918     1839      -79
Impacted Files Coverage Δ Complexity Δ
...ba/dubbo/remoting/transport/netty/NettyClient.java 72.88% <0.00%> (-8.48%) 12.00% <0.00%> (-1.00%)
...ubbo/rpc/protocol/dubbo/ChannelWrappedInvoker.java 41.66% <0.00%> (-8.34%) 3.00% <0.00%> (ø%)
...onfig/spring/extension/SpringExtensionFactory.java 75.67% <0.00%> (-8.11%) 9.00% <0.00%> (ø%)
...a/dubbo/remoting/transport/netty/NettyChannel.java 61.25% <0.00%> (-5.00%) 20.00% <0.00%> (-2.00%)
.../com/alibaba/dubbo/monitor/dubbo/DubboMonitor.java 87.85% <0.00%> (-2.81%) 15.00% <0.00%> (-1.00%)
...om/alibaba/dubbo/config/spring/AnnotationBean.java
.../main/java/com/alibaba/dubbo/common/json/JSON.java
...java/com/alibaba/dubbo/common/json/JSONObject.java
...main/java/com/alibaba/dubbo/common/json/Yylex.java
...java/com/alibaba/dubbo/common/json/J2oVisitor.java
... and 6 more

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 280d54c...2b88707. Read the comment docs.

@mercyblitz mercyblitz merged commit 59320a9 into apache:2.6.x Jun 1, 2020
Kvicii pushed a commit to Kvicii/dubbo that referenced this pull request Jun 6, 2020
Merge branch '2.6.x' of github.com:apache/dubbo into 2.6.x-read
d824897 
* '2.6.x' of github.com:apache/dubbo:
  upgrade fastjson to 1.2.70 (apache#6255)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@qixiaobo @codecov-commenter @mercyblitz