A high-severity security vulnerability in the popular Fastjson library was discovered that could be exploited to achieve remote code execution on the target system. Fastjson is a Java library that is used to convert Java Objects into their JSON representation and vice versa.
The vulnerability, tracked as CVE-2022-25845, relates to an issue of deserialization of untrusted data in a feature called “AutoType.” The AutoType feature, which is enabled by default in older versions of Fastjson, is designed to allow for dynamic code that will automatically be induced as a class based on the input JSON object. If the deserialized JSON is user-controlled, however, the AutoType parsing can allow an attacker to instantiate any class available on the Classpath and feed arbitrary arguments along with it, allowing for potential remote code execution on the system.
The maintainers of Fastjson have released a patch for this vulnerability to fully remediate the issue. The vulnerability can also be mitigated prior to patching by enabling Fastjson’s “Safe Mode” feature.
Analyst Notes
For any Java applications that use the Fastjson library, it is highly recommended to upgrade to at least version 1.2.83 of Fastjson, which contains the patch for CVE-2022-25845. For any systems that cannot be patched immediately, it is recommended to enable Safe Mode within the library. This can be done in any of the three following ways:
1. Via code –
ParserConfig.getGlobalInstance().setSafeMode(true);
2. Via JVM startup parameters –
-Dfastjson.parser.safeMode=true
3. Via Fastjson’s properties file –
fastjson.parser.safeMode=true
Finally, active exploitation of this vulnerability can be monitored for and alerted upon for organizations that currently use the Fastjson library. This can be achieved by monitoring for abnormal behavior, such as suspicious child process execution or abnormal file read and write activity, stemming from the Java process involving the Fastjson library. Binary Defense’s Managed Detection and Response service is an excellent asset to assist with these types of detection needs.
https://thehackernews.com/2022/06/high-severity-rce-vulnerability.html
CVE-2022-25845 – Analyzing the Fastjson “Auto Type Bypass” RCE vulnerability
