CVE-2018-14720
XXE vulnerability in jackson-databind (Maven)

Class: XXE. Known public exploit: none.

What is CVE-2018-14720 About?

This vulnerability in FasterXML jackson-databind (2.x before 2.9.7) allows External XML Entity (XXE) attacks because the library's blocklist for polymorphic deserialization did not cover certain JDK classes (the advisory does not name them). When an application enables polymorphic deserialization, the incoming data names the class to instantiate; naming one of these JDK classes makes the application parse attacker-chosen XML with external entities resolved, which an attacker can use to read local files or trigger outbound requests. Exploitation requires the ability to submit data (typically JSON carrying a type identifier) to an endpoint that deserializes it polymorphically with a vulnerable version, and is of moderate complexity.

Affected Software

  • com.fasterxml.jackson.core:jackson-databind
    • >2.9.0, <2.9.7
    • >2.8.0, <2.8.11.3
    • >2.7.0, <2.7.9.5

Technical Details

The vulnerability in FasterXML jackson-databind (2.x before 2.9.7) stems from an incomplete blocklist used during polymorphic deserialization. When polymorphic deserialization is enabled (for example through default typing, or a property annotated to carry a fully qualified class name), Jackson reads type information embedded in the data (normally JSON) and instantiates the named Java class, then populates it through its constructors and setters. Jackson guards this with a list of known-dangerous "gadget" classes that it refuses to instantiate, but certain JDK classes were missing from that list. An attacker can therefore name one of those XML-related JDK classes in the type identifier and supply, in the same data, input that the class passes to an XML parser with external entity resolution enabled (for example a URI pointing at the attacker's server). The application then retrieves and processes external content or reads local files on the attacker's behalf, which is a classic XXE. The fixed releases extend the blocklist with the missing classes. Because a blocklist can only ever catch classes that are already known, the durable mitigation is to not accept class names from input at all: leave default typing disabled, or restrict polymorphic types to an explicit allow-list of the application's own classes.

What is the Impact of CVE-2018-14720?

Successful exploitation may allow attackers to perform external XML entity (XXE) attacks, potentially leading to information disclosure (for example reading local files), server-side request forgery (outbound requests to attacker-chosen hosts from the application's network position), or denial of service through entity expansion.

What is the Exploitability of CVE-2018-14720?

Exploitation requires an attacker to supply crafted input to an application that deserializes it with a vulnerable version of FasterXML jackson-databind and has polymorphic deserialization enabled. The crafted input is the serialized data Jackson reads (normally JSON), containing a type identifier that names one of the unblocked JDK classes together with the values that make that class parse attacker-controlled XML; the XXE payload itself is reached through the instantiated class, not parsed by Jackson directly. Remote network access to such an endpoint is typically all that is needed; whether authentication is required depends on the endpoint, and no privileges are needed beyond the ability to send data to it. The complexity is moderate: the attacker must identify an endpoint that uses polymorphic deserialization and craft the type identifier and XML payload for the target. Applications that never enable default typing and never accept class names from input are not reachable by this vector even on an unpatched version; the presence of input-controlled type identifiers is the primary risk factor.
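The following Java program is an added example, not code from the jackson-databind project or from this advisory. It shows the mechanism described in the Technical Details and Exploitability sections: with default typing enabled, a type identifier in the JSON selects the class Jackson instantiates, so an attacker picks the class. The `Envelope` bean, the `com.example.model.` package prefix, the `attacker.example` host and the `Message` types are assumptions for the demonstration. `java.net.URL` stands in for "a JDK class the application never intended to construct" only because it is harmless; it is not one of the unspecified JDK classes behind this CVE. The allow-list mapper uses `activateDefaultTyping` and `BasicPolymorphicTypeValidator`, which exist from jackson-databind 2.10 onward, so it applies after upgrading; the name-based alternative at the end needs no 2.10 API and works on the patched 2.7, 2.8 and 2.9 lines as well.

```java
// Added example (not jackson-databind's own code): attacker-chosen class
// instantiation under default typing, and two configurations that prevent it.
import com.fasterxml.jackson.annotation.JsonSubTypes;
import com.fasterxml.jackson.annotation.JsonTypeInfo;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.InvalidTypeIdException;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public class PolymorphicDeserDemo {

    // Hypothetical application bean with an Object-typed property; under
    // default typing such a property carries a class name in the JSON.
    public static class Envelope {
        public Object payload;
    }

    // Constructed input: the array wrapper ["<class>", <value>] is Jackson's
    // default-typing encoding. java.net.URL is a harmless stand-in for a JDK
    // class the application never meant to instantiate.
    static final String INPUT =
        "{\"payload\":[\"java.net.URL\",\"http://attacker.example/\"]}";

    // VULNERABLE pattern (any 2.x): default typing accepts a fully qualified
    // class name from input; only the built-in blocklist stands between the
    // attacker and a gadget class, and this CVE is a gap in that blocklist.
    @SuppressWarnings("deprecation")
    static ObjectMapper vulnerableMapper() {
        ObjectMapper m = new ObjectMapper();
        m.enableDefaultTyping(); // DefaultTyping.OBJECT_AND_NON_CONCRETE
        return m;
    }

    // HARDENED (2.10+): an allow-list validator. Any class name outside the
    // assumed model package is rejected before it is ever instantiated.
    static ObjectMapper hardenedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
            .allowIfSubType("com.example.model.") // assumed application package
            .build();
        ObjectMapper m = new ObjectMapper();
        m.activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.OBJECT_AND_NON_CONCRETE);
        return m;
    }

    // HARDENED alternative available on 2.7/2.8/2.9 too: no default typing;
    // polymorphism only through logical names bound to a fixed set of
    // subtypes, so the class to instantiate is never taken from the input.
    @JsonTypeInfo(use = JsonTypeInfo.Id.NAME, property = "type")
    @JsonSubTypes({
        @JsonSubTypes.Type(value = Text.class, name = "text"),
        @JsonSubTypes.Type(value = Ref.class, name = "ref")
    })
    public interface Message {}
    public static class Text implements Message { public String body; }
    public static class Ref implements Message { public String id; }

    public static void main(String[] args) throws Exception {
        // The attacker's type id wins: payload becomes a java.net.URL instance.
        Object v = vulnerableMapper().readValue(INPUT, Envelope.class).payload;
        System.out.println("vulnerable mapper instantiated: " + v.getClass().getName());

        // Same input against the allow-list mapper is refused at type-id resolution.
        try {
            hardenedMapper().readValue(INPUT, Envelope.class);
            System.out.println("unexpected: hardened mapper accepted the type id");
        } catch (InvalidTypeIdException e) {
            System.out.println("hardened mapper rejected type id: " + e.getTypeId());
        }

        // Name-based typing: "text" maps to Text; a class name such as
        // "java.net.URL" in the "type" property is simply an unknown name
        // and also fails with InvalidTypeIdException.
        ObjectMapper plain = new ObjectMapper(); // default typing never enabled
        Message msg = plain.readValue("{\"type\":\"text\",\"body\":\"hi\"}", Message.class);
        System.out.println("name-based typing produced: " + msg.getClass().getSimpleName());
    }
}
```

The first mapper is the configuration to look for when triaging an application against this advisory: a call to `enableDefaultTyping`, or a `@JsonTypeInfo` with `use = JsonTypeInfo.Id.CLASS` or `Id.MINIMAL_CLASS` on a property fed from untrusted input. Upgrading to a fixed release closes this particular blocklist gap; removing input-controlled class names closes the whole class of issue.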

What are the Known Public Exploits?

No public proof-of-concept exploit (PoC, author, link or commentary) is recorded for this CVE.

What are the Available Fixes for CVE-2018-14720?

Available Upgrade Options

  • com.fasterxml.jackson.core:jackson-databind
    • >2.7.0, <2.7.9.5 → Upgrade to 2.7.9.5
  • com.fasterxml.jackson.core:jackson-databind
    • >2.8.0, <2.8.11.3 → Upgrade to 2.8.11.3
  • com.fasterxml.jackson.core:jackson-databind
    • >2.9.0, <2.9.7 → Upgrade to 2.9.7


Additional Resources

What are Similar Vulnerabilities to CVE-2018-14720?

Similar Vulnerabilities: CVE-2017-7525, CVE-2017-7504, CVE-2017-1000487, CVE-2017-15095, CVE-2018-7489