A patched high-severity security vulnerability in the popular Fastjson library that could be potentially exploited to achieve remote code execution. According to several publications, this vulnerability allows an attacker to bypass the “AutoTypeCheck” mechanism in Fastjson and achieve remote code execution.

This Fastjson vulnerability recently received a CVE identifier – CVE-2022-25845, and a high CVSS – 8.1.

What is Fastjson?

Fastjson is a Java library that’s used to convert Java Objects into their JSON representation and vice versa. AutoType, the function vulnerable to the flaw, is enabled by default and is designed to specify a custom type when parsing a JSON input that can be deserialized into an object of the appropriate class.

Who is affected?

This vulnerability affects all Java applications that rely on Fastjson versions 1.2.80 or earlier and that pass user-controlled data to either the JSON.parse or JSON.parseObject APIs without specifying a specific class to deserialize.

Serialization is a process of converting an object into a sequence of bytes that can be persisted to a disk or database or can be sent through streams, which is commonly used for communication (sharing objects between multiple hosts) and persistence (storing the object state in a file or a database). The reverse process of creating objects from a sequence of bytes is called deserialization.

If the deserialized JSON is user-controlled, parsing it with AutoType enabled can lead to a deserialization security issue, since the attacker can instantiate any class that’s available on the Classpath, and feed its constructor with arbitrary arguments.

If Fastjson before the version 1.2.69 with autoType enabled is in use and the payload is parsed, it instantiates the JDK class javax.swing.JEditorPane and calls its setPage method, which in turn makes a simple HTTP GET request to the URL specified.

Just because autoType was not enabled didn’t mean that no classes could be instantiated. It just meant you couldn’t instantiate most classes.

When we look at what happens after we call parse on the com.alibaba.fastjson.JSON class we see the following behavior: At one time both our types java. lang.Exception and java. lang.RuntimeException has to go through the checkAutoType in the ParserConfig class, where the over 200(!) lines long checkAutoType method checks the following things:

  • whether the safe mode is enabled
  • whether the type name is shorter or equal to 192 chars and at least 3 characters long
  • whether the fnv1a_64-hash of our type name is in the INTERNAL_WHITELIST_HASHCODES array
  • whether the fnv1a_64-hash of our type name is in the internalDenyHashCodes array
  • Depending on which configuration flags were enabled it would also check against the denyHashCodes array

Remember: These steps above happen, despite not having autoType enabled.

Therefore, the developers of Fastjson opted to disable AutoType by default, which should make parsing arbitrary JSON data safe.

Here, we can see a list of classes that are blacklisted and therefore cannot be instantiated by the AutoType mechanism:

  • java.lang.Object
  • java.io.Serializable
  • java.lang.Cloneable
  • java.lang.Runnable
  • java.lang.AutoCloseable
  • java.io.Closeable
  • java.lang.Iterable
  • java.util.Collection
  • java.lang.Readable
  • java.util.EventListener

You can see more blacklisted classes in fastjson-blacklist, a repository that maintains a list of blacklisted hashes that were added to Fastjson.

Tools to find CVE-2022-25845

  1. Jfrog Xray SCA (Software Composition Analysis)

JFrog’s contextual analysis engine can detect Java binary artifacts that pass non-constant input to the APIs vulnerable to this issue (parse and parse Object).

How can CVE-2022-25845 be exploited?

Let us examine the real-world viability of a published exploit that supposedly achieves remote code execution.

An exploit that was published by YoungBear runs an arbitrary OS command by supplying this JSON:

When deserializing the JSON excerpt above, the Poc20220523 the class gets created, and the supplied name the argument is assigned through the automatic setter.

As shown, this will end up calling the malicious setName() setter function with str = “calc”:

Which will run the payload (opening the Windows Calculator):

This exploit is obviously just a demonstration since no reasonable Java application will contain an exception-derived class similar to Poc20220523, which immediately runs shell commands based on an external argument.

How can CVE-2022-25845 be remediated?

To fully remediate CVE-2022-25845, we recommend upgrading Fastjson to the latest version, which is currently 1.2.83.

If upgrading is not possible, you can enable safe mode.

How can CVE-2022-25845 be mitigated?

Enabling Fastjson’s “Safe Mode” mitigates this vulnerability.

Safe Mode can be enabled by performing any of the following –

  1. Via code –
    ParserConfig.getGlobalInstance().setSafeMode(true);
  2.  Via JVM startup parameters –
    -Dfastjson.parser.safeMode=true
  3. Via Fastjson’s properties file –
    fastjson.parser.safeMode=true

Reference: https://jfrog.com/blog/cve-2022-25845-analyzing-the-fastjson-auto-type-bypass-rce-vulnerability/