CVE-2018-19361
Bypass vulnerability in jackson-databind (Maven)


What is CVE-2018-19361 About?

This vulnerability in FasterXML jackson-databind allows for unspecified impact due to a failure to block the openjpa class from polymorphic deserialization. It can enable attackers to manipulate application logic or data by leveraging this deserialization weakness. Exploitation difficulty depends on the specific context and availability of the openjpa class.

Affected Software

  • com.fasterxml.jackson.core:jackson-databind
    • >2.9.0, <2.9.8
    • >2.8.0, <2.8.11.3
    • >2.7.0, <2.7.9.5

Technical Details

The FasterXML jackson-databind library, specifically versions 2.x before 2.9.8, fails to properly restrict the deserialization of certain classes when polymorphic type handling is enabled. In this particular case, the openjpa class is not blacklisted, meaning that if an attacker can control the input JSON being deserialized, they can specify openjpa as the type for a polymorphic object. This can lead to the instantiation of arbitrary classes or invocation of methods, potentially allowing for remote code execution, data manipulation, or denial of service, depending on what methods are available within the openjpa class and its dependencies on the classpath.

What is the Impact of CVE-2018-19361?

Successful exploitation may allow attackers to execute arbitrary code, manipulate application data, or cause a denial of service.

What is the Exploitability of CVE-2018-19361?

Exploitation relies on an application using polymorphic deserialization with FasterXML jackson-databind and not having the openjpa class explicitly blocked. The complexity of crafting the malicious payload for such deserialization vulnerabilities can be moderate to high, as it requires knowledge of the classpath and available gadgets. Authentication may or may not be required, depending on whether the deserialization endpoint is publicly accessible. No specific privileges are typically needed beyond the ability to submit a crafted JSON payload. This is generally a remote vulnerability, and the likelihood of exploitation increases if the application extensively uses untrusted input for deserialization and has a rich classpath with exploitable classes.

What are the Known Public Exploits?

PoC | Author | Link | Commentary
No known exploits

What are the Available Fixes for CVE-2018-19361?

A Fix by Resolved Security Exists!

About the Fix from Resolved Security

The patch adds several new class names to the blacklist in SubTypeValidator, preventing their use in polymorphic deserialization. This mitigates CVE-2018-19361 by blocking deserialization of additional third-party classes known to enable remote code execution or other dangerous behavior through unsafe gadgets. This approach reduces the attack surface for exploitation via malicious payloads.
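The risky configuration described under Technical Details, placed beside an allowlist alternative to the blocklist that the fix extends, as an added example that is not code from this page or from Resolved Security. It assumes jackson-databind 2.9.x (the pre-2.10 API, where `enableDefaultTyping` still exists); the `Notification` types and the type-id string `com.example.NotAllowed` are constructed for illustration.

```java
import com.fasterxml.jackson.annotation.JsonSubTypes;
import com.fasterxml.jackson.annotation.JsonTypeInfo;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.InvalidTypeIdException;

public class PolymorphicHardening {

    // Explicit allowlist: only the two named subtypes can ever be instantiated
    // from the "@type" field, whatever class name the JSON claims.
    @JsonTypeInfo(use = JsonTypeInfo.Id.NAME, property = "@type")
    @JsonSubTypes({
        @JsonSubTypes.Type(value = EmailNotification.class, name = "email"),
        @JsonSubTypes.Type(value = SmsNotification.class, name = "sms")
    })
    public interface Notification { }

    public static class EmailNotification implements Notification { public String address; }
    public static class SmsNotification implements Notification { public String number; }

    // Vulnerable pattern (shown for contrast, not used below): global default
    // typing accepts any class name on the classpath as a type id, so only the
    // library's blocklist stands between attacker-controlled JSON and a gadget
    // class such as the openjpa one this CVE adds to that list.
    static ObjectMapper weakMapper() {
        ObjectMapper m = new ObjectMapper();
        m.enableDefaultTyping(ObjectMapper.DefaultTyping.NON_FINAL);
        return m;
    }

    // Hardened pattern: no default typing at all; subtypes come only from the
    // annotations, so a blocklist bypass like this CVE has nothing to bypass.
    static ObjectMapper hardenedMapper() {
        return new ObjectMapper();
    }

    public static void main(String[] args) throws Exception {
        ObjectMapper mapper = hardenedMapper();
        // Constructed benign input: resolves to the allowlisted EmailNotification.
        String good = "{\"@type\":\"email\",\"address\":\"ops@example.org\"}";
        Notification n = mapper.readValue(good, Notification.class);
        System.out.println("accepted: " + n.getClass().getSimpleName());
        // Constructed hostile-shaped input: a fully qualified class name as the
        // type id. The allowlist rejects it before any class lookup happens.
        String bad = "{\"@type\":\"com.example.NotAllowed\",\"x\":1}";
        try {
            mapper.readValue(bad, Notification.class);
        } catch (InvalidTypeIdException e) {
            System.out.println("rejected type id: " + e.getTypeId());
        }
    }
}
```

On 2.10 and later the same allowlist intent is expressed with `activateDefaultTyping` and a `PolymorphicTypeValidator`, but the annotation-based approach above works across every 2.x line listed on this page.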

Available Upgrade Options

  • com.fasterxml.jackson.core:jackson-databind
    • >2.7.0, <2.7.9.5 → Upgrade to 2.7.9.5
    • >2.8.0, <2.8.11.3 → Upgrade to 2.8.11.3
    • >2.9.0, <2.9.8 → Upgrade to 2.9.8


Additional Resources

What are Similar Vulnerabilities to CVE-2018-19361?

Similar Vulnerabilities: CVE-2017-7525, CVE-2017-15095, CVE-2017-17485, CVE-2018-7489, CVE-2018-14719