CVE-2018-14721
Server-Side Request Forgery (SSRF) vulnerability in jackson-databind (Maven)

Vulnerability type: Server-Side Request Forgery (SSRF) | Public exploit: none known

What is CVE-2018-14721 About?

This Server-Side Request Forgery (SSRF) vulnerability in FasterXML jackson-databind 2.x before 2.9.7 stems from a failure to block a class from the axis2-jaxws library from polymorphic deserialization. An attacker who controls JSON that the application deserializes with polymorphic typing enabled (default typing, or a type-annotated field declared as Object) can name that class as the target type and supply property values that make the server fetch a resource from an attacker-chosen location. Exploitation also depends on axis2-jaxws being present on the application's classpath; jackson-databind alone does not contain the gadget.

Affected Software

  • com.fasterxml.jackson.core:jackson-databind
    • >2.9.0, <2.9.7
    • >2.8.0, <2.8.11.3
    • >2.7.0, <2.7.9.5

Technical Details

Jackson's polymorphic deserialization lets a JSON document carry a type identifier that names the concrete class to instantiate for a field declared as Object, an interface or an abstract type; with default typing the identifier travels in the wrapper-array form ["fully.qualified.ClassName", { ... }]. When an application enables this for untrusted input (for example via ObjectMapper.enableDefaultTyping()), the attacker chooses both the class and its property values, so any class on the classpath whose constructor or setters perform a sensitive action becomes a gadget. Jackson mitigated known gadgets with a deny list (SubTypeValidator); before 2.9.7 that list did not cover the axis2-jaxws handler-resolver class (org.apache.axis2.jaxws.spi.handler.HandlerResolverImpl, the entry the fix adds). An attacker could therefore name it in the JSON and supply property values that cause the object to fetch a resource from an attacker-controlled location, making the server issue a request to an arbitrary internal or external destination, which is the SSRF. The 2.9.7 fix (backported to 2.8.11.3 and 2.7.9.5) only extends the deny list; deny lists were bypassed repeatedly afterwards (see the similar CVEs below), so the durable mitigation is to not enable default typing on untrusted input at all or, on 2.10 and later, to restrict type ids with an allow-list PolymorphicTypeValidator.
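To make the mechanism concrete, the following is an added example, not code from this page or from the jackson-databind project. It shows how a type id in attacker-controlled JSON selects the class Jackson instantiates once default typing is enabled, and the allow-list configuration (available from jackson-databind 2.10) that rejects the same input. The Envelope bean, the SideEffectBean stand-in (which only prints the value it receives rather than fetching it), the package prefix com.example.model and the JSON payload are all constructed for the demonstration; the real axis2-jaxws gadget is not reproduced.

```java
import com.fasterxml.jackson.databind.JsonMappingException;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public class DefaultTypingDemo {

    // Application bean with an Object-typed field. With default typing enabled,
    // the JSON, not the application, decides which class is instantiated here.
    public static class Envelope {
        public Object payload;
    }

    // Hypothetical stand-in for a gadget class: Jackson invokes its setter with
    // the attacker-supplied property value during deserialization. A real gadget
    // would act on the value (e.g. open a connection) instead of printing it.
    public static class SideEffectBean {
        public void setUrl(String url) {
            System.out.println("setter invoked with attacker-controlled value: " + url);
        }
    }

    // Constructed attacker input. The first array element is the type id that
    // default typing (WRAPPER_ARRAY form) uses to pick the concrete class.
    static final String ATTACKER_JSON =
        "{\"payload\":[\"" + SideEffectBean.class.getName()
        + "\",{\"url\":\"http://169.254.169.254/latest/meta-data/\"}]}";

    // Vulnerable configuration: default typing on, no restriction on which
    // classes a type id may name (pre-2.10 API, deprecated in 2.10).
    public static Envelope vulnerableParse(String json) throws Exception {
        ObjectMapper mapper = new ObjectMapper();
        mapper.enableDefaultTyping(ObjectMapper.DefaultTyping.OBJECT_AND_NON_CONCRETE);
        return mapper.readValue(json, Envelope.class);
    }

    // Hardened configuration (jackson-databind 2.10+): type ids are accepted only
    // for classes under an application-owned package prefix (assumed name here).
    public static Envelope hardenedParse(String json) throws Exception {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
            .allowIfSubType("com.example.model.")
            .build();
        ObjectMapper mapper = new ObjectMapper();
        mapper.activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.OBJECT_AND_NON_CONCRETE);
        return mapper.readValue(json, Envelope.class);
    }

    public static void main(String[] args) throws Exception {
        Envelope e = vulnerableParse(ATTACKER_JSON);
        System.out.println("vulnerable mapper instantiated: " + e.payload.getClass().getName());

        try {
            hardenedParse(ATTACKER_JSON);
            System.out.println("unexpected: hardened mapper accepted the type id");
        } catch (JsonMappingException ex) {
            // The validator denies the type id before any instance is created,
            // so the setter is never reached.
            System.out.println("hardened mapper rejected input: " + ex.getOriginalMessage());
        }
    }
}
```

Running the vulnerable path prints the setter line with the attacker's URL, which is exactly the control an SSRF gadget needs; the hardened path fails before construction. Note that the allow-list only helps if you actually need polymorphic typing on that field; where the field can be given a concrete type, drop default typing entirely.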

What is the Impact of CVE-2018-14721?

Successful exploitation lets an attacker make the application server issue requests to destinations of the attacker's choosing: internal services that are not reachable from outside, cloud instance-metadata endpoints, and external hosts. This bypasses network-level restrictions and can lead to information disclosure or, depending on what the reachable services accept, further compromise.

What is the Exploitability of CVE-2018-14721?

Exploitation requires three conditions to hold at once: the attacker must be able to supply JSON that the application deserializes; the application must have enabled polymorphic typing on a broad base type (default typing, or type-annotated fields declared as Object) so that the input can name the target class; and the axis2-jaxws library must be on the application's classpath. No authentication is inherent to the issue, so a publicly reachable deserialization endpoint can be attacked without credentials, and no privileges on the host are needed because the request is made by the application process itself. The likelihood of exploitation is highest in applications that deserialize untrusted data with default typing enabled and carry large transitive dependency sets, where gadget classes are likely to be present.

What are the Known Public Exploits?

PoC | Author | Link | Commentary
No known public exploits recorded.

What are the Available Fixes for CVE-2018-14721?

Available Upgrade Options

  • com.fasterxml.jackson.core:jackson-databind
    • >=2.7.0, <2.7.9.5 → Upgrade to 2.7.9.5
    • >=2.8.0, <2.8.11.3 → Upgrade to 2.8.11.3
    • >=2.9.0, <2.9.7 → Upgrade to 2.9.7

jackson-databind is usually pulled in transitively (by web frameworks, client SDKs and many other libraries), so check the resolved version rather than the declared one, for example with mvn dependency:tree -Dincludes=com.fasterxml.jackson.core:jackson-databind, and pin the fixed version in dependencyManagement if a parent POM or BOM resolves to an older release. Upgrading only adds the axis2-jaxws entry to Jackson's deny list; review whether default typing is enabled on untrusted input at all, since later gadgets bypassed the list again.


Additional Resources

What are Similar Vulnerabilities to CVE-2018-14721?

Similar Vulnerabilities: CVE-2017-7525, CVE-2018-7489, CVE-2020-35490, CVE-2020-8840, CVE-2021-2942