upgrade fastjson to 1.2.70 by qixiaobo · Pull Request #6254 · apache/dubbo

qixiaobo · 2020-06-01T04:48:20Z

https://help.aliyun.com/noticelist/articleid/1060343604.html?spm=a2c4g.789004748.n2.6.3f576141SGmGhG

漏洞描述

fastjson采用黑白名单的方法来防御反序列化漏洞，导致当黑客不断发掘新的反序列化Gadgets类时，在autoType关闭的情况下仍然可能可以绕过黑白名单防御机制，造成远程命令执行漏洞。经研究，该漏洞利用门槛较低，可绕过autoType限制，风险影响较大。阿里云应急响应中心提醒fastjson用户尽快采取安全措施阻止漏洞攻击。

影响版本

fastjson <=1.2.68

fastjson sec版本 <= sec9

安全版本

fastjson >=1.2.69

fastjson sec版本 >= sec10

https://help.aliyun.com/noticelist/articleid/1060343604.html?spm=a2c4g.789004748.n2.6.3f576141SGmGhG 漏洞描述 fastjson采用黑白名单的方法来防御反序列化漏洞，导致当黑客不断发掘新的反序列化Gadgets类时，在autoType关闭的情况下仍然可能可以绕过黑白名单防御机制，造成远程命令执行漏洞。经研究，该漏洞利用门槛较低，可绕过autoType限制，风险影响较大。阿里云应急响应中心提醒fastjson用户尽快采取安全措施阻止漏洞攻击。影响版本 fastjson <=1.2.68 fastjson sec版本 <= sec9 安全版本 fastjson >=1.2.69 fastjson sec版本 >= sec10

codecov-commenter · 2020-06-01T05:11:29Z

Codecov Report

Merging #6254 into master will decrease coverage by 0.04%.
The diff coverage is n/a.

@@             Coverage Diff              @@
##             master    #6254      +/-   ##
============================================
- Coverage     60.87%   60.83%   -0.05%     
+ Complexity      494      492       -2     
============================================
  Files           999      999              
  Lines         39933    39933              
  Branches       5752     5752              
============================================
- Hits          24308    24292      -16     
- Misses        12926    12934       +8     
- Partials       2699     2707       +8

Impacted Files	Coverage Δ	Complexity Δ
...ng/exchange/support/header/HeartbeatTimerTask.java	`73.68% <0.00%> (-5.27%)`	`0.00% <0.00%> (ø%)`
...mmon/threadpool/support/AbortPolicyWithReport.java	`85.00% <0.00%> (-5.00%)`	`0.00% <0.00%> (ø%)`
...e/dubbo/remoting/transport/netty/NettyChannel.java	`55.68% <0.00%> (-4.55%)`	`20.00% <0.00%> (-1.00%)`
...pache/dubbo/remoting/transport/AbstractServer.java	`53.75% <0.00%> (-3.75%)`	`0.00% <0.00%> (ø%)`
...he/dubbo/remoting/transport/netty/NettyServer.java	`70.17% <0.00%> (-3.51%)`	`8.00% <0.00%> (-1.00%)`
.../org/apache/dubbo/rpc/model/ServiceDescriptor.java	`88.23% <0.00%> (-2.95%)`	`0.00% <0.00%> (ø%)`
.../rpc/cluster/configurator/parser/ConfigParser.java	`85.84% <0.00%> (-1.77%)`	`0.00% <0.00%> (ø%)`
.../remoting/transport/netty4/NettyClientHandler.java	`57.62% <0.00%> (-1.70%)`	`0.00% <0.00%> (ø%)`
.../src/main/java/org/apache/dubbo/rpc/RpcStatus.java	`72.61% <0.00%> (-1.20%)`	`0.00% <0.00%> (ø%)`
...g/apache/dubbo/registry/consul/ConsulRegistry.java	`62.11% <0.00%> (-0.63%)`	`30.00% <0.00%> (ø%)`
... and 3 more

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 5a827df...022734c. Read the comment docs.

lovepoem

LGTM

lovepoem approved these changes Jun 1, 2020

View reviewed changes

lovepoem merged commit fbe4d7e into apache:master Jun 1, 2020

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

upgrade fastjson to 1.2.70#6254

upgrade fastjson to 1.2.70#6254
lovepoem merged 1 commit intoapache:masterfrom
qixiaobo:upgrate-fastjson-1.2.70-for-2.7.x

qixiaobo commented Jun 1, 2020

Uh oh!

codecov-commenter commented Jun 1, 2020 •

edited

Loading

Uh oh!

lovepoem left a comment

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants

Conversation

qixiaobo commented Jun 1, 2020

漏洞描述

影响版本

安全版本

Uh oh!

codecov-commenter commented Jun 1, 2020 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Codecov Report

Uh oh!

lovepoem left a comment

Choose a reason for hiding this comment

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants

codecov-commenter commented Jun 1, 2020 •

edited

Loading