Broadcom API Gateway - FASTJSON Remote Code Execution Vulnerability

Article ID: 242711


Products

CA API Gateway

Issue/Introduction

Fastjson is an open-source JSON library developed by Alibaba to parse JSON strings. It can be used to serialize a JavaBean into a JSON string and to deserialize a JSON string into a JavaBean.

Can you advise whether the Gateway uses the fastjson library?

Environment

API Gateway 9.x/10.x

Cause


Fastjson 1.2.68 and earlier were reported to contain a remote code execution vulnerability: the autoType switch can be bypassed so that classes carrying security risks are deserialized. Attackers could exploit this vulnerability to execute arbitrary code on the target machine.

Resolution

API Gateway does not use the fastjson library, hence it is not affected.
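The resolution above answers the question for the Gateway itself. For any other Java deployment in the same environment, the check a practitioner wants is an inventory of what is actually bundled, since fastjson can sit inside a renamed jar or nested in a WAR under WEB-INF/lib. The following Python script is an added example for this article, not Broadcom tooling: it walks a directory, opens each archive, looks for the `com/alibaba/fastjson/` class prefix, reads the Maven `pom.properties` for the version, and flags anything at or below the 1.2.68 cut-off stated in the Cause section. The sample archives it builds in a temp directory are constructed fixtures so the script runs offline.

```python
"""
Inventory check: find fastjson bundled in Java archives under a directory and
flag versions in the affected range (1.2.68 and earlier, per the advisory).
Added example for this article; not Broadcom tooling. The sample archives
built by build_sample_tree() are constructed fixtures so the scan runs offline.
"""
import io
import os
import re
import tempfile
import zipfile
from pathlib import Path
from typing import Dict, List, Optional, Tuple

AFFECTED_MAX = (1, 2, 68)                 # from the advisory: 1.2.68 and before are affected
CLASS_PREFIX = "com/alibaba/fastjson/"    # library classes, independent of the jar's file name
POM_PROPS = "META-INF/maven/com.alibaba/fastjson/pom.properties"
VERSION_RE = re.compile(r"^version=(\d+)\.(\d+)\.(\d+)", re.M)
ARCHIVE_EXT = (".jar", ".war", ".ear", ".zip")

Version = Tuple[int, int, int]


def parse_version(text: str) -> Optional[Version]:
    """Pull major.minor.patch out of a Maven pom.properties body."""
    m = VERSION_RE.search(text)
    return (int(m[1]), int(m[2]), int(m[3])) if m else None


def inspect_archive(src, label: str) -> List[Dict]:
    """Return findings for `src` (a path or file-like object), recursing into
    nested jars such as WEB-INF/lib/*.jar inside a WAR."""
    findings: List[Dict] = []
    try:
        zf = zipfile.ZipFile(src)
    except zipfile.BadZipFile:
        return findings  # not a zip container; nothing to inspect
    with zf:
        names = zf.namelist()
        if any(n.startswith(CLASS_PREFIX) for n in names):
            version = None
            if POM_PROPS in names:
                version = parse_version(zf.read(POM_PROPS).decode("utf-8", "replace"))
            findings.append({
                "archive": label,
                "version": version,
                # An unknown version is reported as affected so it gets a manual look.
                "affected": version is None or version <= AFFECTED_MAX,
            })
        for n in names:
            if n.lower().endswith(".jar"):
                findings.extend(inspect_archive(io.BytesIO(zf.read(n)), f"{label}!{n}"))
    return findings


def scan_tree(root: str) -> List[Dict]:
    """Walk `root` and inspect every archive found; labels are paths relative to root."""
    out: List[Dict] = []
    for dirpath, _dirs, files in os.walk(root):
        for f in sorted(files):
            if f.lower().endswith(ARCHIVE_EXT):
                p = Path(dirpath) / f
                out.extend(inspect_archive(p, p.relative_to(root).as_posix()))
    return out


def _fastjson_jar_bytes(version: str) -> bytes:
    """Constructed fixture: a minimal jar that looks like a fastjson build."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(CLASS_PREFIX + "JSON.class", b"\xca\xfe\xba\xbe")  # placeholder class bytes
        zf.writestr(POM_PROPS, f"version={version}\ngroupId=com.alibaba\nartifactId=fastjson\n")
    return buf.getvalue()


def build_sample_tree(root: str) -> None:
    """Constructed fixtures: two standalone jars, one renamed and nested in a WAR, one unrelated."""
    lib = Path(root) / "lib"
    lib.mkdir()
    (lib / "fastjson-1.2.62.jar").write_bytes(_fastjson_jar_bytes("1.2.62"))
    (lib / "fastjson-1.2.83.jar").write_bytes(_fastjson_jar_bytes("1.2.83"))
    with zipfile.ZipFile(lib / "other.jar", "w") as zf:
        zf.writestr("org/example/Other.class", b"\xca\xfe\xba\xbe")
    with zipfile.ZipFile(Path(root) / "app.war", "w") as zf:
        zf.writestr("WEB-INF/lib/renamed-json.jar", _fastjson_jar_bytes("1.2.47"))


def run_demo() -> Dict[str, Tuple[Optional[Version], bool]]:
    """Build the fixtures in a temp dir, scan them, and return {archive: (version, affected)}."""
    with tempfile.TemporaryDirectory() as d:
        build_sample_tree(d)
        return {f["archive"]: (f["version"], f["affected"]) for f in scan_tree(d)}


if __name__ == "__main__":
    for archive, (version, affected) in run_demo().items():
        v = ".".join(map(str, version)) if version else "unknown"
        print(f"{archive}: fastjson {v} -> {'AFFECTED' if affected else 'ok'}")
```

Point `scan_tree()` at an application's installation directory to get the same report for real archives. Matching on the class prefix rather than the file name is deliberate: a vendored copy renamed to something innocuous, or shaded into another jar, still contains `com/alibaba/fastjson/` entries, while a version that cannot be read is flagged rather than silently passed.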

Additional Information

The security bulletin published by the fastjson project team can be reviewed here.