CVE-2018-14718
Code Execution vulnerability in jackson-databind (Maven)


What is CVE-2018-14718 About?

FasterXML jackson-databind versions 2.x before 2.9.7, 2.8.11.3, 2.7.9.5, and 2.6.7.3 allow remote attackers to execute arbitrary code. The cause is a failure to block the `slf4j-ext` gadget class from polymorphic deserialization, so an attacker who can reach a deserialization endpoint can exploit it by leveraging that gadget together with other deserialization gadgets on the classpath.

Affected Software

  • com.fasterxml.jackson.core:jackson-databind
    • >2.0.0, <2.6.7.3
    • >2.7.0, <2.7.9.5
    • >2.8.0, <2.8.11.3
    • >2.9.0, <2.9.7

Technical Details

The vulnerability in FasterXML jackson-databind (versions 2.x before 2.9.7, 2.8.11.3, 2.7.9.5, and 2.6.7.3) is a remote code execution flaw arising from insufficient blocking of dangerous gadget classes during polymorphic deserialization. Specifically, the slf4j-ext gadget class was missing from the blacklist of classes that jackson-databind refuses to instantiate from a JSON type identifier, so an attacker can craft a JSON payload that names it. When a vulnerable jackson-databind instance with default typing enabled deserializes this payload, it instantiates the attacker-chosen class and invokes its setters or constructors with attacker-supplied arguments. This can lead to arbitrary code execution on the server, typically by chaining through libraries that are commonly present on the application's classpath.

What is the Impact of CVE-2018-14718?

Successful exploitation may allow attackers to execute arbitrary code on the affected system, potentially leading to full system compromise, data theft, or further network penetration.

What is the Exploitability of CVE-2018-14718?

Exploitation of this remote code execution vulnerability is of moderate to high complexity. It can be achieved remotely by sending a specially crafted JSON payload to an endpoint that performs polymorphic deserialization using a vulnerable jackson-databind library. Whether authentication is required depends on whether the deserialization endpoint is protected. The primary prerequisites are the presence of known 'gadget' classes (e.g., from slf4j-ext) on the target application's classpath that can be leveraged for code execution, and an exposed endpoint that accepts serialized data from untrusted sources. Risk is higher in applications that use JSON extensively for data exchange while enabling default typing without deserialization filters or a whitelist of permitted types.
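As an added illustration, not code from this advisory or from the jackson-databind project, the Java snippet below contrasts the risky default-typing configuration with the allow-list validator that jackson-databind provides from version 2.10 onwards; the `com.example.app` package, the `Envelope` and `Note` classes, and the JSON inputs are all assumed. Reviewers looking for this bug class should treat any unvalidated `enableDefaultTyping()` call as a finding, regardless of which gadget classes happen to be on the classpath.

```java
package com.example.app; // assumed application package; the allow-list below keys on it

import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.InvalidTypeIdException;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public class DefaultTypingCheck {

    // Hypothetical DTO: a field declared as Object is what default typing keys on.
    public static class Envelope { public Object payload; }

    // Hypothetical legitimate payload type, living inside the allow-listed package.
    public static class Note { public String text; }

    // Risky pre-2.10 style: whatever class name appears in the JSON type id gets
    // instantiated, so every gadget class on the classpath is reachable from input.
    @SuppressWarnings("deprecation")
    static ObjectMapper riskyMapper() {
        return new ObjectMapper().enableDefaultTyping(ObjectMapper.DefaultTyping.JAVA_LANG_OBJECT);
    }

    // Hardened (2.10+): default typing is only activated behind an allow-list validator,
    // so type ids outside our own package are refused before any class is loaded.
    static ObjectMapper hardenedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType("com.example.app.")
                .build();
        return new ObjectMapper().activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.JAVA_LANG_OBJECT);
    }

    // True when the mapper refuses a type id that is not on the allow-list.
    static boolean rejectsUnlistedType(ObjectMapper mapper, String json) {
        try {
            mapper.readValue(json, Envelope.class);
            return false;
        } catch (InvalidTypeIdException denied) {
            return true;
        } catch (Exception other) {
            throw new IllegalStateException(other);
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed inputs: the expected Note, and a payload naming a class outside our
        // package (java.util.HashMap is a harmless stand-in for any unlisted class).
        String expected = "{\"payload\":[\"com.example.app.DefaultTypingCheck$Note\",{\"text\":\"hi\"}]}";
        String unlisted = "{\"payload\":[\"java.util.HashMap\",{}]}";
        Note n = (Note) hardenedMapper().readValue(expected, Envelope.class).payload;
        System.out.println("allow-listed type deserialized: " + n.text);
        System.out.println("risky mapper rejects unlisted type: " + rejectsUnlistedType(riskyMapper(), unlisted));
        System.out.println("hardened mapper rejects unlisted type: " + rejectsUnlistedType(hardenedMapper(), unlisted));
    }
}
```

Running this prints `false` for the risky mapper and `true` for the hardened one; the same check belongs in a unit test so that a future configuration change cannot silently reopen the class of bug described above.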

What are the Known Public Exploits?

No known public exploits.

What are the Available Fixes for CVE-2018-14718?

Available Upgrade Options

  • com.fasterxml.jackson.core:jackson-databind
    • >2.0.0, <2.6.7.3 → Upgrade to 2.6.7.3
    • >2.7.0, <2.7.9.5 → Upgrade to 2.7.9.5
    • >2.8.0, <2.8.11.3 → Upgrade to 2.8.11.3
    • >2.9.0, <2.9.7 → Upgrade to 2.9.7


Additional Resources

What are Similar Vulnerabilities to CVE-2018-14718?

Similar Vulnerabilities: CVE-2020-35728, CVE-2020-25649, CVE-2019-14540, CVE-2017-15095, CVE-2017-7525