
CVE-2022-25845 PoC — Fastjson Code Issue Vulnerability

Associated Vulnerability
Title: Fastjson Code Issue Vulnerability (CVE-2022-25845)
Description: Fastjson is a Java-based fast JSON parser/generator. Versions of Fastjson before 1.2.83 contain a security vulnerability: the default restriction that disables autoType is easy to bypass when deserializing untrusted data, and an attacker can exploit this to attack a remote server.
Description
A scenario based on CVE-2022-25845 that yields a TP for metadata-based SCA but a FN if the callgraph is used.
Readme
## json.org CVE-2022-45688 true & false positive (WTF ??)

The project contains a [fastjson](https://mvnrepository.com/artifact/com.alibaba/fastjson/1.2.80) dependency with [CVE-2022-25845](https://nvd.nist.gov/vuln/detail/CVE-2022-25845).

The vulnerability occurs because markup in the JSON input is interpreted as Java beans, i.e. classes are instantiated and their properties are set by executing setter methods. This is done using reflection. If a class on the classpath has a setter that can trigger behaviour such as executing code (in this example that class is `Trigger`, and the corresponding input is `CVE-2022-25845.json`), this can be exploited.

The interesting part is the use of reflection, as shown in the stack trace below, taken from running the included test that demonstrates the vulnerability.

```text
setName:11, Trigger
invoke0:-1, NativeMethodAccessorImpl (jdk.internal.reflect)
invoke:62, NativeMethodAccessorImpl (jdk.internal.reflect) [2]
invoke:43, DelegatingMethodAccessorImpl (jdk.internal.reflect)
invoke:566, Method (java.lang.reflect)
setValue:167, FieldDeserializer (com.alibaba.fastjson.parser.deserializer)
deserialze:155, ThrowableDeserializer (com.alibaba.fastjson.parser.deserializer)
parseObject:405, DefaultJSONParser (com.alibaba.fastjson.parser)
parse:1430, DefaultJSONParser (com.alibaba.fastjson.parser)
parse:1390, DefaultJSONParser (com.alibaba.fastjson.parser)
parse:181, JSON (com.alibaba.fastjson)
parse:191, JSON (com.alibaba.fastjson)
parse:147, JSON (com.alibaba.fastjson)
main:18, CheckJSON (scabench)
confirmCVE202225845:39, ConfirmVulnerabilitiesTests (scabench)
```

Standard metadata-based SCA tools have no problem identifying the vulnerability; this is "business-as-usual". However, callgraph-based tools are likely to miss it, because callgraph construction generally fails to model reflective calls. In this sense, the finding is both a true positive and a false negative, depending on the analysis being used.
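As an added defender-side example (not code from the scabench project), here is the hardened counterpart of the `JSON.parse` call seen in `CheckJSON.main` in the trace above: it enables fastjson's safeMode and binds untrusted input to an explicit DTO instead of letting the input pick the class. The class names `HardenedCheckJSON` and `Greeting` are assumptions made for this note, and it assumes fastjson 1.2.68 or later, where `ParserConfig.setSafeMode` exists; upgrading to 1.2.83 remains the actual fix.

```java
import com.alibaba.fastjson.JSON;
import com.alibaba.fastjson.parser.ParserConfig;

// Hypothetical replacement for the repo's CheckJSON entry point, written for
// this note. Greeting stands in for whatever shape the application really
// expects from its callers; neither class is part of the original project.
public class HardenedCheckJSON {

    public static class Greeting {
        private String name;
        public String getName() { return name; }
        // The only setter reachable through parseHardened(); it has no side effects.
        public void setName(String name) { this.name = name; }
    }

    static {
        // safeMode (ParserConfig API, fastjson >= 1.2.68) turns autoType off
        // entirely, so an "@type" key in untrusted input is never resolved to
        // an arbitrary class on the classpath. It is defence in depth on top of
        // upgrading the dependency, not a substitute for it.
        ParserConfig.getGlobalInstance().setSafeMode(true);
    }

    // Weak pattern, as used in the trace: JSON.parse(String) leaves it to the
    // input to decide which class is instantiated and which setters run.
    // Kept only for contrast; with safeMode on, the type lookup it relied on
    // is refused, but the untyped return value still has to be checked by hand.
    public static Object parseWeak(String untrusted) {
        return JSON.parse(untrusted);
    }

    // Hardened pattern: bind to an explicit target type. For this call the
    // parser can only ever instantiate Greeting and invoke Greeting.setName,
    // whatever the input says.
    public static Greeting parseHardened(String untrusted) {
        return JSON.parseObject(untrusted, Greeting.class);
    }

    public static void main(String[] args) {
        String input = "{\"name\":\"world\"}"; // constructed sample input
        Greeting g = parseHardened(input);
        System.out.println("parsed name: " + g.getName());
    }
}
```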

Note that there is a proof-of-vulnerability test that demonstrates the vulnerability; this test (and therefore the build with `mvn test`) fails. See [https://github.com/scabench/jsonorg-tp1](https://github.com/scabench/jsonorg-tp1) for how the test works.

### Running Software Composition Analyses

There are several sh scripts to run the different analyses; the resulting reports can be found in `scan-results`.

### Generating the SBOM

The `pom.xml` has a plugin to generate an [SBOM](https://www.cisa.gov/sbom) in [CycloneDX](https://cyclonedx.org/) format.
To do this, run `mvn cyclonedx:makePackageBom`; the SBOM can then be found in
`target/` in `json` and `xml` format.

File Snapshot

```text
[4.0K] /data/pocs/c7484a6242e754103ca275e3ffbc8ec8cdca8d17
├── [  81] CVE-2022-25845.json
├── [ 11K] LICENSE
├── [2.6K] pom.xml
├── [2.5K] README.md
├── [ 452] run-owasp.sh
├── [ 261] run-snyk.sh
├── [4.0K] scan-results
│   ├── [4.0K] dependency-check
│   │   └── [ 17K] dependency-check-report.json
│   └── [4.0K] snyk
│       └── [7.7K] snyk-report.json
└── [4.0K] src
    ├── [4.0K] main
    │   └── [4.0K] java
    │       ├── [4.0K] scabench
    │       │   └── [ 610] CheckJSON.java
    │       └── [ 455] Trigger.java
    └── [4.0K] test
        └── [4.0K] java
            └── [4.0K] scabench
                └── [1.3K] ConfirmVulnerabilitiesTests.java

10 directories, 11 files
```