CVE-2018-5968
Remote Code Execution (RCE) vulnerability in jackson-databind (Maven)

Remote Code Execution (RCE) No known exploit

What is CVE-2018-5968 About?

FasterXML jackson-databind through 2.8.11 and 2.9.x through 2.9.3 is vulnerable to unauthenticated remote code execution. This occurs due to an incomplete fix for prior deserialization flaws, which allows attackers to bypass blacklists using specific gadgets. Exploitation is relatively easy given knowledge of the bypasses.

Affected Software

  • com.fasterxml.jackson.core:jackson-databind
    • <2.7.9.5
    • >2.9.0, <2.9.4
    • >2.8.0, <2.8.11.1

Technical Details

This vulnerability in FasterXML jackson-databind arises from an incomplete fix for previous deserialization flaws (CVE-2017-7525 and CVE-2017-17485). The deserialization process, when handling untrusted data, fails to adequately restrict the types of objects that can be instantiated. Attackers can leverage "gadgets" (classes within the classpath that perform malicious actions upon deserialization of their properties) to achieve remote code execution. Specifically, this CVE highlights two new bypasses that circumvent existing blacklists, allowing attackers to instantiate forbidden classes via alternative serialization proxies or indirect instantiations. The attack vector involves sending crafted JSON payloads to an application that deserializes them using the vulnerable jackson-databind library, leading to the execution of arbitrary code on the server.

What is the Impact of CVE-2018-5968?

Successful exploitation may allow attackers to execute arbitrary code on the server, potentially leading to full system compromise, data theft, or denial of service.

What is the Exploitability of CVE-2018-5968?

Exploitation is of moderate complexity, requiring knowledge of the specific bypass gadgets and the ability to craft malicious JSON payloads. No authentication is typically required, as many applications deserialize incoming requests from unauthenticated clients. Privilege requirements are generally those of the application server. This is a remote exploitation scenario. The main constraint is identifying an application endpoint that deserializes arbitrary JSON input using the vulnerable jackson-databind library. Risk factors include applications directly exposing deserialization endpoints to untrusted clients and a lack of strict type filtering during deserialization.

What are the Known Public Exploits?

No known exploits

What are the Available Fixes for CVE-2018-5968?

Available Upgrade Options

  • com.fasterxml.jackson.core:jackson-databind
    • <2.7.9.5 → Upgrade to 2.7.9.5
  • com.fasterxml.jackson.core:jackson-databind
    • >2.8.0, <2.8.11.1 → Upgrade to 2.8.11.1
  • com.fasterxml.jackson.core:jackson-databind
    • >2.9.0, <2.9.4 → Upgrade to 2.9.4
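
The ranges and upgrade targets listed above can be checked against a build's resolved dependencies. The following Python sketch is an added example, not code from the advisory or from the jackson-databind project; it scans `mvn dependency:list` output and reports the upgrade target for each affected jackson-databind version. The function names and the sample output are constructed for illustration, and lower bounds are treated as inclusive, following the description's "through 2.8.11 and 2.9.x through 2.9.3".

```python
import re

# Affected ranges and fixed versions from the advisory above: (lower, upper, fix).
# Assumption: lower bounds are inclusive, per "through 2.8.11 and 2.9.x through 2.9.3".
RANGES = [
    (None, "2.7.9.5", "2.7.9.5"),
    ("2.8.0", "2.8.11.1", "2.8.11.1"),
    ("2.9.0", "2.9.4", "2.9.4"),
]
COORD = re.compile(r"com\.fasterxml\.jackson\.core:jackson-databind:jar:([^:\s]+)")

def parse(version):
    """Numeric prefix of a version as a 4-tuple; qualifiers such as -SNAPSHOT are ignored."""
    m = re.match(r"\d+(?:\.\d+)*", version)
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    parts = [int(p) for p in m.group(0).split(".")]
    return tuple(parts + [0] * (4 - len(parts)))  # 2.8.11 sorts below 2.8.11.1

def fix_for(version):
    """Return the upgrade target if the version is in an affected range, else None."""
    v = parse(version)
    for lower, upper, fix in RANGES:
        if (lower is None or v >= parse(lower)) and v < parse(upper):
            return fix
    return None

def scan(dependency_list):
    """Map each jackson-databind version found in the build output to its fix (or None)."""
    findings = {}
    for line in dependency_list.splitlines():
        m = COORD.search(line)
        if m:
            findings[m.group(1)] = fix_for(m.group(1))
    return findings

# Constructed sample of `mvn dependency:list` output, not taken from a real build.
SAMPLE = """\
[INFO]    com.fasterxml.jackson.core:jackson-databind:jar:2.9.3:compile
[INFO]    com.fasterxml.jackson.core:jackson-core:jar:2.9.3:compile
[INFO]    com.fasterxml.jackson.core:jackson-databind:jar:2.8.11.1:runtime
[INFO]    com.fasterxml.jackson.core:jackson-databind:jar:2.6.7.1:compile
"""

if __name__ == "__main__":
    for version, fix in scan(SAMPLE).items():
        print(version, "-> upgrade to " + fix if fix else "-> not in an affected range")
```

The four-component comparison matters here: a three-part comparison would treat 2.8.11 and the fixed 2.8.11.1 as the same release.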


Additional Resources

What are Similar Vulnerabilities to CVE-2018-5968?

Similar Vulnerabilities: CVE-2017-7525, CVE-2017-17485, CVE-2019-12384, CVE-2020-35490, CVE-2022-42889