CVE-2018-19362
Polymorphic Deserialization vulnerability in jackson-databind (Maven)

Tags: Polymorphic Deserialization, No known exploit, Fixable by Resolved Security

What is CVE-2018-19362 About?

FasterXML jackson-databind versions 2.x before 2.9.8 are vulnerable to polymorphic deserialization issues, specifically failing to block the `jboss-common-core` class. This can allow attackers to have unspecified impact by leveraging this deserialization flaw. Exploitation complexity is likely high, requiring specific gadget chains.

Affected Software

  • com.fasterxml.jackson.core:jackson-databind
    • >2.0.0, <2.6.7.3
    • >2.7.0, <2.7.9.5
    • >2.8.0, <2.8.11.3
    • >2.9.0, <2.9.8

Technical Details

The vulnerability in FasterXML jackson-databind 2.x before 2.9.8 is a polymorphic deserialization issue. It arises when an application deserializes untrusted input with polymorphic typing enabled and jackson-databind fails to block the jboss-common-core class during that process. With polymorphic typing enabled, the JSON document itself names the type to instantiate, and jackson-databind attempts to instantiate objects of the attacker-specified type. If a dangerous class such as the one in jboss-common-core (a library commonly present on application classpaths and containing classes usable as gadgets) is not blacklisted or otherwise restricted, the attacker can leverage its constructors or setters during deserialization to achieve various impacts, potentially including remote code execution, depending on the gadget chains available. Because this protection is a denylist, every newly discovered gadget class requires a new entry, which is why this CVE is one of a series of similar jackson-databind advisories; applications that must enable polymorphic typing are better served by an allowlist of permitted types.

What is the Impact of CVE-2018-19362?

Successful exploitation may allow attackers to achieve various impacts, including remote code execution, denial of service, or information disclosure, depending on the available classpath gadgets.

What is the Exploitability of CVE-2018-19362?

Exploitation of this polymorphic deserialization vulnerability is typically of high complexity. It requires an attacker to understand the application's classpath and existing 'gadget' classes that, when instantiated during deserialization, can perform malicious operations. There are no explicit authentication or privilege requirements; if an application deserializes untrusted input from a remote source, an unauthenticated remote attacker could potentially exploit this. The attack vector is remote if the application accepts JSON input from the network. Key prerequisites include the application using a vulnerable jackson-databind version, enabling polymorphic deserialization, and having vulnerable 'gadget' classes available on the classpath. Risk factors that increase exploitation likelihood are the presence of known deserialization gadgets in the application's dependencies and the application's deserialization of untrusted data without a strict allowlist of classes.
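The allowlist mentioned above, shown as an added example (not code from the advisory or from Resolved Security's patch). It assumes jackson-databind 2.10 or later, where `BasicPolymorphicTypeValidator` is available; on the 2.9.x line the fix is the 2.9.8 upgrade listed below. The package `com.example.model` and the `Notification` types are hypothetical.

```java
import com.fasterxml.jackson.annotation.JsonSubTypes;
import com.fasterxml.jackson.annotation.JsonTypeInfo;
import com.fasterxml.jackson.databind.JsonMappingException;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.json.JsonMapper;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public class PolymorphicDeserializationHardening {

    // Weak setting: global default typing trusts any class name in the JSON and
    // relies on Jackson's denylist (what 2.9.8 extended) to stop gadget classes.
    static ObjectMapper weakMapper() {
        ObjectMapper m = new ObjectMapper();
        m.enableDefaultTyping(); // deprecated since 2.10 for exactly this reason
        return m;
    }

    // Hardened setting: a validator that only allows subtypes from the
    // application's own model package (hypothetical package name).
    static ObjectMapper hardenedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType("com.example.model.")
                .build();
        return JsonMapper.builder()
                .activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL)
                .build();
    }

    // Safest pattern: a closed set of logical type names. The JSON never
    // carries a class name, so no classpath gadget is reachable at all.
    @JsonTypeInfo(use = JsonTypeInfo.Id.NAME, property = "kind")
    @JsonSubTypes({
        @JsonSubTypes.Type(value = Email.class, name = "email"),
        @JsonSubTypes.Type(value = Sms.class, name = "sms")
    })
    interface Notification {}
    static class Email implements Notification { public String address; }
    static class Sms implements Notification { public String number; }

    public static void main(String[] args) throws Exception {
        // Constructed input whose type id lies outside the allowlist: rejected
        // by the validator before any class is instantiated.
        String untrusted = "[\"com.example.unrelated.Thing\", {}]";
        try {
            hardenedMapper().readValue(untrusted, Object.class);
        } catch (JsonMappingException e) {
            System.out.println("rejected: " + e.getClass().getSimpleName());
        }
        Notification n = new ObjectMapper().readValue(
                "{\"kind\":\"email\",\"address\":\"user@example.test\"}", Notification.class);
        System.out.println("resolved to " + n.getClass().getSimpleName());
    }
}
```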

What are the Known Public Exploits?

PoC | Author | Link | Commentary
No known exploits

What are the Available Fixes for CVE-2018-19362?

A Fix by Resolved Security Exists!
Learn how our approach backports security patches directly to your dependencies.

About the Fix from Resolved Security

The patch blocks additional dangerous classes by adding them to the blacklist used during polymorphic deserialization, preventing their use as subtypes. This mitigates CVE-2018-19362, which is an insecure deserialization vulnerability that allows attackers to instantiate dangerous gadget classes via crafted inputs and trigger remote code execution.

Available Upgrade Options

  • com.fasterxml.jackson.core:jackson-databind
    • >2.0.0, <2.6.7.3 → Upgrade to 2.6.7.3
    • >2.7.0, <2.7.9.5 → Upgrade to 2.7.9.5
    • >2.8.0, <2.8.11.3 → Upgrade to 2.8.11.3
    • >2.9.0, <2.9.8 → Upgrade to 2.9.8


Additional Resources

What are Similar Vulnerabilities to CVE-2018-19362?

Similar Vulnerabilities: CVE-2017-7525, CVE-2017-15095, CVE-2018-7489, CVE-2019-12384, CVE-2020-36179