Broadcom API Portal - FASTJSON Remote Code Execution Vulnerability

Article ID: 242713

Products

CA API Developer Portal

Issue/Introduction

Fastjson is an open-source JSON library developed by Alibaba for parsing JSON strings. It can serialize a JavaBean into a JSON string and deserialize a JSON string into a JavaBean.

Can you advise whether the API Portal uses the fastjson library?

Environment

API portal 4.x/5.x

Cause

Fastjson 1.2.68 and earlier were reported to contain a remote code execution vulnerability: the autoType switch can be bypassed to deserialize classes that carry security risks, and an attacker who exploits this can execute arbitrary code on the target machine.

Resolution

The API Portal does not use the fastjson library and is therefore not affected.
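For anyone who wants to confirm the same thing in their own deployment, the following is an added example (not Broadcom's or the API Portal's code) that walks a directory of jar/war/ear archives, reports any that bundle fastjson classes, reads the Maven pom.properties for the version, and flags versions 1.2.68 and earlier; the two archives it scans are constructed sample input written to a temporary directory, and the archive and class names in them are assumptions.

```python
import os
import tempfile
import zipfile
from typing import Dict, Optional

FASTJSON_PKG = "com/alibaba/fastjson/"
POM_PROPS = "META-INF/maven/com.alibaba/fastjson/pom.properties"
LAST_AFFECTED = (1, 2, 68)  # per the article: 1.2.68 and earlier were reported vulnerable

def parse_version(text: str) -> tuple:
    """'1.2.68' -> (1, 2, 68); a piece with no digits counts as 0."""
    return tuple(int("".join(c for c in p if c.isdigit()) or 0) for p in text.strip().split("."))

def fastjson_version(jar_path: str) -> Optional[str]:
    """Version from pom.properties; 'unknown' if fastjson classes exist without it; None if absent."""
    with zipfile.ZipFile(jar_path) as jar:
        names = jar.namelist()
        if POM_PROPS in names:
            for line in jar.read(POM_PROPS).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    return line.split("=", 1)[1].strip()
        return "unknown" if any(n.startswith(FASTJSON_PKG) for n in names) else None

def scan_directory(root: str) -> Dict[str, Dict[str, object]]:
    """Map each jar/war/ear under root that bundles fastjson to its version and affected flag."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.endswith((".jar", ".war", ".ear")):
                continue
            path = os.path.join(dirpath, name)
            try:
                ver = fastjson_version(path)
            except zipfile.BadZipFile:
                continue  # not a real archive; skip it rather than abort the scan
            if ver is not None:
                affected = ver != "unknown" and parse_version(ver) <= LAST_AFFECTED
                findings[path] = {"version": ver, "affected": affected}
    return findings

def demo() -> Dict[str, Dict[str, object]]:
    """Constructed sample deployment: one jar bundling fastjson 1.2.62, one clean jar."""
    with tempfile.TemporaryDirectory() as root:
        with zipfile.ZipFile(os.path.join(root, "third-party.jar"), "w") as jar:
            jar.writestr(FASTJSON_PKG + "JSON.class", b"\xca\xfe\xba\xbe")
            jar.writestr(POM_PROPS, "groupId=com.alibaba\nartifactId=fastjson\nversion=1.2.62\n")
        with zipfile.ZipFile(os.path.join(root, "portal-core.jar"), "w") as jar:
            jar.writestr("com/example/portal/Main.class", b"\xca\xfe\xba\xbe")
        return {os.path.basename(p): v for p, v in scan_directory(root).items()}
```

Point `scan_directory` at the installation's library directory to run it against a real deployment; an entry marked `unknown` means the classes are present but the version could not be read from pom.properties and should be checked by hand.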