Posted to dev@rocketmq.apache.org by GitBox <gi...@apache.org> on 2022/05/23 08:09:24 UTC

[GitHub] [rocketmq] iamqq23ue opened a new issue, #4360: Does RocketMQ support -Dfastjson.parser.safeMode=true to circumvent fastjson vulnerability?

iamqq23ue opened a new issue, #4360:
URL: https://github.com/apache/rocketmq/issues/4360

   version: 4.9.1
   fastjson 1.2.80 reported a deserialization vulnerability again. I would like to ask if it is possible to set -Dfastjson.parser.safeMode=true to circumvent this vulnerability.
   Can RocketMQ support safeMode?


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: dev-unsubscribe@rocketmq.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org


[GitHub] [rocketmq] Stone305585 commented on issue #4360: Does RocketMQ support -Dfastjson.parser.safeMode=true to circumvent fastjson vulnerability?

Posted by GitBox <gi...@apache.org>.
Stone305585 commented on issue #4360:
URL: https://github.com/apache/rocketmq/issues/4360#issuecomment-1137471389

   +1
   That's what I want to know.


[GitHub] [rocketmq] iamqq23ue commented on issue #4360: Does RocketMQ support -Dfastjson.parser.safeMode=true to circumvent fastjson vulnerability?

Posted by GitBox <gi...@apache.org>.
iamqq23ue commented on issue #4360:
URL: https://github.com/apache/rocketmq/issues/4360#issuecomment-1136672420

   @odbozhou thanks for the reply. Setting -Dfastjson.parser.safeMode=true should circumvent security holes. 
   
   What I want to know is, will it cause compatibility issues with rocketmq?


[GitHub] [rocketmq] iamqq23ue commented on issue #4360: Does RocketMQ support -Dfastjson.parser.safeMode=true to circumvent fastjson vulnerability?

Posted by GitBox <gi...@apache.org>.
iamqq23ue commented on issue #4360:
URL: https://github.com/apache/rocketmq/issues/4360#issuecomment-1138554298

   > > @odbozhou thanks for the reply. Setting -Dfastjson.parser.safeMode=true should circumvent security holes.
   > > What I want to know is, will it cause compatibility issues with rocketmq?
   > 
   > Yes, that's the key point. We are not sure whether rocketmq uses the autoType feature. The most reliable way is to upgrade the dependency jar file.
   > 
   > https://github.com/alibaba/fastjson/wiki/security_update_20220523#32-safemode%E5%8A%A0%E5%9B%BA
   
   Upgrading the dependency jar file may also have compatibility issues. And in the future, fastjson may still have security breaches that need to be upgraded.


[GitHub] [rocketmq] odbozhou commented on issue #4360: Does RocketMQ support -Dfastjson.parser.safeMode=true to circumvent fastjson vulnerability?

Posted by GitBox <gi...@apache.org>.
odbozhou commented on issue #4360:
URL: https://github.com/apache/rocketmq/issues/4360#issuecomment-1136670782

   Fastjson 1.2.68 and above support the
   -Dfastjson.parser.safeMode=true security hardening.
   The fastjson version currently used by RocketMQ 4.9.1 is 1.2.76.
   Therefore, this method is supported for security reinforcement.
   You can do security reinforcement according to the instructions and precautions in the official fastjson document.

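Added example (not from the issue thread, RocketMQ, or the fastjson project): a small probe that shows what -Dfastjson.parser.safeMode=true actually changes, which is the information needed to judge the compatibility question raised in this thread. It assumes com.alibaba:fastjson:1.2.83 on the classpath (the version the thread says master moved to) and the fastjson safeMode wiki's documented behaviour that safeMode refuses every @type marker before accept and deny lists are consulted; the Message POJO, the JSON strings and the class name SafeModeProbe are constructed for the demo. Calling ParserConfig.setSafeMode(true) in code is the programmatic equivalent of the JVM flag, so the probe toggles it in place rather than requiring two JVM launches.

```java
// Added example (not RocketMQ or fastjson project code). Demonstrates what
// fastjson safeMode does and does not break, on a harmless constructed POJO.
// Assumes com.alibaba:fastjson:1.2.83 on the classpath.
import com.alibaba.fastjson.JSON;
import com.alibaba.fastjson.JSONException;
import com.alibaba.fastjson.parser.ParserConfig;
import com.alibaba.fastjson.serializer.SerializerFeature;

public class SafeModeProbe {

    // Harmless POJO standing in for any class an @type payload might name
    // (constructed for this demo, not a RocketMQ type).
    public static class Message {
        private String topic;
        private String body;
        public String getTopic() { return topic; }
        public void setTopic(String topic) { this.topic = topic; }
        public String getBody() { return body; }
        public void setBody(String body) { this.body = body; }
    }

    // Plain JSON with no type marker: the shape a typed parseObject() call
    // expects; it never reaches the autoType check.
    static final String PLAIN = "{\"topic\":\"TopicTest\",\"body\":\"hello\"}";

    // Same data carrying an @type marker that names our own POJO. Whether the
    // marker is honoured is exactly what autoType / safeMode decide.
    static final String TYPED = "{\"@type\":\"" + Message.class.getName() + "\","
            + "\"topic\":\"TopicTest\",\"body\":\"hello\"}";

    // Parse without a target type and report what happened, so runs with
    // different settings can be compared side by side.
    static String parseUntyped(String json) {
        try {
            Object o = JSON.parse(json);
            return "parsed as " + o.getClass().getName();
        } catch (JSONException e) {
            return "rejected: " + e.getMessage();
        }
    }

    public static void main(String[] args) {
        ParserConfig cfg = ParserConfig.getGlobalInstance();
        // The JVM flag is read when ParserConfig is initialised; show what the
        // process was started with before the probe overrides it in code.
        System.out.println("-Dfastjson.parser.safeMode=" + System.getProperty("fastjson.parser.safeMode"));

        // 1. safeMode off, default hardening. Explicitly accepting our POJO makes
        //    the @type marker resolvable; this is how applications that rely on
        //    autoType are normally configured.
        cfg.setSafeMode(false);
        cfg.addAccept(Message.class.getName());
        System.out.println("[safeMode=false] " + parseUntyped(TYPED));

        // 2. safeMode on: the @type marker is refused before any accept list or
        //    deny list is consulted, so even the accepted class is blocked and
        //    parseUntyped() returns "rejected: ...".
        cfg.setSafeMode(true);
        System.out.println("[safeMode=true ] " + parseUntyped(TYPED));

        // 3. The compatibility question: code that parses into a known target
        //    type, with no @type in the input, keeps working under safeMode.
        Message m = JSON.parseObject(PLAIN, Message.class);
        System.out.println("[safeMode=true ] typed parse ok, topic=" + m.getTopic());

        // 4. What an audit for autoType usage should look for: serialising with
        //    WriteClassName emits @type, and that output no longer round-trips
        //    through the untyped parser once safeMode is on.
        String withClassName = JSON.toJSONString(m, SerializerFeature.WriteClassName);
        System.out.println("WriteClassName output: " + withClassName);
        System.out.println("[safeMode=true ] " + parseUntyped(withClassName));
    }
}
```

The split between step 3 and steps 2 and 4 is the whole compatibility story: safeMode only breaks callers that depend on @type being honoured (untyped JSON.parse of input carrying @type, or WriteClassName output fed back in), so grepping a codebase for WriteClassName, addAccept, setAutoTypeSupport and literal "@type" strings is the audit that tells you whether the flag is safe to set there.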

[GitHub] [rocketmq] sunxi92 commented on issue #4360: Does RocketMQ support -Dfastjson.parser.safeMode=true to circumvent fastjson vulnerability?

Posted by GitBox <gi...@apache.org>.
sunxi92 commented on issue #4360:
URL: https://github.com/apache/rocketmq/issues/4360#issuecomment-1135309872

   fastjson security_update_20220523: https://github.com/alibaba/fastjson/wiki/security_update_20220523
   fastjson_safemode: https://github.com/alibaba/fastjson/wiki/fastjson_safemode


[GitHub] [rocketmq] odbozhou commented on issue #4360: Does RocketMQ support -Dfastjson.parser.safeMode=true to circumvent fastjson vulnerability?

Posted by GitBox <gi...@apache.org>.
odbozhou commented on issue #4360:
URL: https://github.com/apache/rocketmq/issues/4360#issuecomment-1139391095

   The use of autoType was not found. The latest code has upgraded fastjson to 1.2.83, and no compatibility issues have been found yet.


[GitHub] [rocketmq] inkinworld commented on issue #4360: Does RocketMQ support -Dfastjson.parser.safeMode=true to circumvent fastjson vulnerability?

Posted by GitBox <gi...@apache.org>.
inkinworld commented on issue #4360:
URL: https://github.com/apache/rocketmq/issues/4360#issuecomment-1138540309

   > @odbozhou thanks for the reply. Setting -Dfastjson.parser.safeMode=true should circumvent security holes.
   > 
   > What I want to know is, will it cause compatibility issues with rocketmq?
   
   Yes, that's the key point. We are not sure whether rocketmq uses the autoType feature.
   The most reliable way is to upgrade the dependency jar file.
   
   https://github.com/alibaba/fastjson/wiki/security_update_20220523#32-safemode%E5%8A%A0%E5%9B%BA


[GitHub] [rocketmq] github-actions[bot] commented on issue #4360: Does RocketMQ support -Dfastjson.parser.safeMode=true to circumvent fastjson vulnerability?

Posted by "github-actions[bot] (via GitHub)" <gi...@apache.org>.
github-actions[bot] commented on issue #4360:
URL: https://github.com/apache/rocketmq/issues/4360#issuecomment-1565751055

   This issue is stale because it has been open for 365 days with no activity. It will be closed in 3 days if no further activity occurs.


[GitHub] [rocketmq] github-actions[bot] commented on issue #4360: Does RocketMQ support -Dfastjson.parser.safeMode=true to circumvent fastjson vulnerability?

Posted by "github-actions[bot] (via GitHub)" <gi...@apache.org>.
github-actions[bot] commented on issue #4360:
URL: https://github.com/apache/rocketmq/issues/4360#issuecomment-1571126657

   This issue was closed because it has been inactive for 3 days since being marked as stale.


[GitHub] [rocketmq] github-actions[bot] closed issue #4360: Does RocketMQ support -Dfastjson.parser.safeMode=true to circumvent fastjson vulnerability?

Posted by "github-actions[bot] (via GitHub)" <gi...@apache.org>.
github-actions[bot] closed issue #4360: Does RocketMQ support -Dfastjson.parser.safeMode=true to circumvent fastjson vulnerability?
URL: https://github.com/apache/rocketmq/issues/4360
