CVE-2018-12022
Deserialization vulnerability in jackson-databind (Maven)
What is CVE-2018-12022 About?
This vulnerability affects FasterXML jackson-databind when Default Typing is enabled, the Jodd-db jar is on the classpath, and an attacker can stand up an LDAP service the application is able to reach. A crafted JSON document names a Jodd-db class as the concrete type to instantiate, and polymorphic deserialization of that class leads to remote code execution. Exploitation is moderately difficult because all three conditions must hold at once.
Affected Software
- com.fasterxml.jackson.core:jackson-databind
- >2.9.0, <2.9.6
- <2.7.9.4
- >2.8.0, <2.8.11.2
Technical Details
The vulnerability in FasterXML jackson-databind is an insecure deserialization flaw that is reachable only when Default Typing is enabled. With Default Typing on, the JSON carries type information (a fully qualified class name) and Jackson instantiates whichever concrete class the document names, so the sender, not the application, chooses the type. That is harmless only if every class on the classpath is safe to construct from attacker-supplied data. The Jodd-db jar (database access for the Jodd framework) is not: its jodd.db.connection.DataSourceConnectionProvider performs a JNDI lookup of a name taken from the data during construction. A JSON payload that names this class and supplies an ldap:// URL as the JNDI name makes the application contact the attacker's LDAP server; the LDAP response can reference a remote codebase from which the JVM loads and runs an attacker-supplied class (the JNDI/LDAP-to-RCE technique described in the Black Hat paper linked below), resulting in remote code execution. Note that remote codebase loading over JNDI is disabled by default in JDK 8u191, 7u201, 6u211 and 11.0.1 and later (com.sun.jndi.ldap.object.trustURLCodebase=false), so on a current JDK the same lookup still produces an outbound LDAP connection but not automatic class loading unless that property has been re-enabled or a local gadget is available.
What is the Impact of CVE-2018-12022?
Successful exploitation allows an unauthenticated remote attacker to execute arbitrary code in the context of the application process, which can lead to full system compromise, data theft, or denial of service. Even where remote class loading is blocked by the JDK, the attacker still obtains an outbound LDAP connection from the application, which is useful for confirming the flaw and for out-of-band data exfiltration.
What is the Exploitability of CVE-2018-12022?
Exploitation requires three conditions to hold together: Default Typing must be enabled in the jackson-databind configuration (globally via ObjectMapper.enableDefaultTyping(), or per property via @JsonTypeInfo with a class-based id), the Jodd-db jar must be on the application's classpath, and the attacker must be able to run an LDAP service the vulnerable application can reach over the network. The attack is remote and typically needs no authentication, assuming the attacker can deliver a JSON document to an endpoint that deserializes it. Complexity is moderate to high because of these prerequisites and because the attacker must craft a payload for this specific gadget and operate an LDAP server. To assess exposure, check the dependency tree for jodd-db (for example with mvn dependency:tree) and grep the code base for enableDefaultTyping and JsonTypeInfo.Id.CLASS; if both are present and the process can make outbound connections, treat the application as exploitable.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2018-12022?
About the Fix from Resolved Security
This patch adds the Jodd-db class that triggers the lookup, jodd.db.connection.DataSourceConnectionProvider, to the denylist in Jackson's SubTypeValidator, so a type id naming it is rejected before the class is instantiated. Blocking the class prevents the LDAP lookup that CVE-2018-12022 relied on for arbitrary code execution and outbound connections. The denylist is reactive, however: it stops only the gadgets Jackson already knows about. The durable fix is to stop trusting sender-supplied class names altogether, either by disabling Default Typing or, on jackson-databind 2.10 and later, by replacing it with activateDefaultTyping() and a PolymorphicTypeValidator that allowlists the application's own types.
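The configuration contrast described above (the "Technical Details" and "Exploitability" sections and the fix note) is shown below as an added example; it is not code from this page, from Jackson, or from Jodd. The Shape, Circle and Message classes, the package com.example.app and the sample JSON are assumptions constructed for the demo. The hardened mapper uses the allowlist API that exists only in jackson-databind 2.10 and later; on 2.9.6 (the fixed version listed here) only the denylist applies and enableDefaultTyping() should simply be removed.

```java
package com.example.app;

import com.fasterxml.jackson.annotation.JsonTypeInfo;
import com.fasterxml.jackson.databind.JsonMappingException;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

// Hypothetical application types, constructed for this example.
abstract class Shape { }

class Circle extends Shape {
    public double radius;
}

// The classic exposed shape: an Object-typed field for which Default Typing
// lets the *sender* of the JSON choose the concrete class.
class Message {
    public String id;
    public Object payload;
}

public class DefaultTypingDemo {

    /** Vulnerable configuration: global Default Typing with no validator (pre-2.10 style). */
    static ObjectMapper legacyMapper() {
        ObjectMapper mapper = new ObjectMapper();
        mapper.enableDefaultTyping(); // any class on the classpath may now be named in a type id
        return mapper;
    }

    /** Hardened configuration (jackson-databind 2.10+): only Shape subtypes may be named. */
    static ObjectMapper hardenedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType(Shape.class)
                .build();
        ObjectMapper mapper = new ObjectMapper();
        mapper.activateDefaultTyping(ptv,
                ObjectMapper.DefaultTyping.OBJECT_AND_NON_CONCRETE,
                JsonTypeInfo.As.WRAPPER_ARRAY);
        return mapper;
    }

    /** Name of the class the payload was deserialized into, or a REJECTED/ERROR marker. */
    static String deserializePayload(ObjectMapper mapper, String json) {
        try {
            Message m = mapper.readValue(json, Message.class);
            return m.payload == null ? "null" : m.payload.getClass().getName();
        } catch (JsonMappingException e) {
            // On the hardened mapper a disallowed type id ends up here (InvalidTypeIdException).
            return "REJECTED: " + e.getOriginalMessage();
        } catch (java.io.IOException e) {
            return "ERROR: " + e.getMessage();
        }
    }

    /** Is the gadget class that the 2.9.6 fix denylisted loadable from this process? */
    static boolean joddGadgetOnClasspath() {
        try {
            Class.forName("jodd.db.connection.DataSourceConnectionProvider", false,
                    DefaultTypingDemo.class.getClassLoader());
            return true;
        } catch (ClassNotFoundException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        // Constructed inputs. The first names an expected application type; the second names
        // a JDK class the application never meant to accept, which is the same degree of
        // freedom a gadget payload (e.g. one naming a Jodd-db class) relies on.
        String legit = "{\"id\":\"1\",\"payload\":[\"" + Circle.class.getName() + "\",{\"radius\":2.0}]}";
        String probe = "{\"id\":\"2\",\"payload\":[\"java.util.HashMap\",{\"x\":\"y\"}]}";

        System.out.println("legacy   / legit : " + deserializePayload(legacyMapper(), legit));
        System.out.println("legacy   / probe : " + deserializePayload(legacyMapper(), probe));
        System.out.println("hardened / legit : " + deserializePayload(hardenedMapper(), legit));
        System.out.println("hardened / probe : " + deserializePayload(hardenedMapper(), probe));
        System.out.println("jodd-db gadget on classpath: " + joddGadgetOnClasspath());
    }
}
```

Compile the file as com/example/app/DefaultTypingDemo.java with jackson-databind (2.10 or later for the hardened mapper) on the classpath. The legacy mapper instantiates both the Circle and the HashMap, because it accepts whatever class the document names; the hardened mapper accepts the Circle and rejects the HashMap with an InvalidTypeIdException, and it would reject a Jodd-db class name the same way whether or not Jackson's denylist knows about it. The classpath check is the quickest way to confirm the second precondition from the exploitability section on a running system.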
Available Upgrade Options
- com.fasterxml.jackson.core:jackson-databind
- <2.7.9.4 → Upgrade to 2.7.9.4
- com.fasterxml.jackson.core:jackson-databind
- >2.8.0, <2.8.11.2 → Upgrade to 2.8.11.2
- com.fasterxml.jackson.core:jackson-databind
- >2.9.0, <2.9.6 → Upgrade to 2.9.6
Additional Resources
- https://www.oracle.com/security-alerts/cpuoct2020.html
- https://www.oracle.com/security-alerts/cpuapr2020.html
- https://medium.com/%40cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062
- https://access.redhat.com/errata/RHSA-2019:1822
- https://access.redhat.com/errata/RHSA-2019:1140
- https://github.com/advisories/GHSA-cjjf-94ff-43w7
- https://lists.apache.org/thread.html/7fcf88aff0d1deaa5c3c7be8d58c05ad7ad5da94b59065d8e7c50c5d@%3Cissues.lucene.apache.org%3E
- https://access.redhat.com/errata/RHSA-2019:4037
- https://access.redhat.com/errata/RHSA-2019:3892
- https://www.blackhat.com/docs/us-16/materials/us-16-Munoz-A-Journey-From-JNDI-LDAP-Manipulation-To-RCE.pdf
What are Similar Vulnerabilities to CVE-2018-12022?
Similar Vulnerabilities: CVE-2017-7525, CVE-2017-7504, CVE-2017-1000487, CVE-2017-15095, CVE-2018-7489
